I'm running a Splunk UF 6.6.8 on Windows Server 2012 and indexing perfmon data using the Splunk TA for Windows. Each time I'm restarting the service (due to server reboot for example), I'm getting the following Warnings in Splunk:
WARN IniFile - C:\Program Files\SplunkUniversalForwarder\etc\apps\search\local\inputs.conf, line 100: Cannot parse into key-value pair: Disk Writes/sec;
I'm getting casual perfmon data during runtime, however I can repeat this behavior with every service-restart, I don't even need to reboot the server. I also tried using mode = multikv, but this had no effect, so I assume it may not really be a parsing issue but something else.
Does someone know the reason behind this behavior and maybe a workaround or bugfix?
Only thing that jumps out at me is the capitalized "I" your "Avg. DIsk Bytes/Write" entry
I don't trust myself to accurately type counter names in perfmon based input specs. Instead I use a powershell script to select from a list of all possible perfmon objects and to return a sample inputs.conf file having their associated counters listed in spec format.
Yeah that capitalized "i" was a typo. I couldn't copy/paste the config since it lies in a military zone, so all I could do was write it manually. I also don't think this is a configuration issue, since I'm getting data from all counters.
However if the UF service is restarted, I get the stated warning in my _internal index and I don't know why. But only once during the restart.
Forgot to add the config-stanza
[perfmon://LogicalDisk] counters = % Disk Time; %Disk Write Time; % Disk Read Time; % Free Space; % Idle Time; Avg. Disk Bytes/Transfer; Avg. DIsk Bytes/Write; Avg. Disk Bytes/Read; Avg. Disk Queue Length; Avg. Disk Write Queue Length; Avg. Disk Read Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Write; Avg. Disk sec/Read; Disk Bytes/sec; Disk Transfers/sec; Disk Write Bytes/sec; Disk Read Bytes/sec; Disk Reads/sec; Disk Writes/sec; Free Megabytes; disabled = 0 instances = * interval = 300 object = LogicalDisk useEnglishOnly = true index = os showZeroValue = 1