
SAI - Windows entity does not show up

peterschloenske
Explorer

Hi,

In the App for Infrastructure this search returns results for 1x Linux and 1x Windows host, so I assume data is coming in as expected:

| mstats latest(_value) WHERE index=em_metrics metric_name=* BY host, entity_type

However, the Windows host does not show up as an entity in the Investigate tab, while the Linux host does.

And it is missing here as well:
| inputlookup em_entities

Does anyone have an idea what could be wrong here?

Cheers


francoisternois
Path Finder

Hello Peter,
Can you share your inputs.conf?
In my case, I just added _meta = os::Windows
Otherwise, it didn't show up...


peterschloenske
Explorer

The os:: is set in inputs.conf; I did not change anything after using the install script.


dagarwal_splunk
Splunk Employee

Increase the "monitoring_calculation_window" for "perfmon" in collectors.conf to something like 300 and restart Splunk


peterschloenske
Explorer

Unfortunately this did not help. I'm still receiving metrics for both hosts, but only the Linux host appears in | inputlookup em_entities.


dagarwal_splunk
Splunk Employee

Can you answer some questions:

  • Do you see Processor.* metrics for your Windows hosts?
  • For this search on the Windows host, what is the latest timestamp with data? (Was the last data 1 min, 2 min or 3 min ago when you ran the search?)
    | mstats avg(_value) WHERE metric_name=Processor.%_Idle_Time AND index=em_metrics AND host=mywindows* span=30s
  • What version of SAI do you have?

peterschloenske
Explorer

There are only Process.* metrics available so far.
The latest timestamp with data for this host is 1min ago.
I have SAI 2.0.3 in use.

Sidenote:
In another environment a similar problem occurred, and there the increase of "monitoring_calculation_window" did the trick. Could you explain what exactly is done with this value?


dagarwal_splunk
Splunk Employee

You need Processor.* metrics for Windows entity discovery. Are they disabled in your inputs.conf?

monitoring_calculation_window is how many seconds to look in the past for the new entity. It was set to 90 sec. If there is a data lag of more than 90 sec, the entity won't be discovered. The solution is to increase this number if it is not working for you.

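The two discovery conditions named in this thread (a Windows host needs Processor.* metrics, and its newest sample must fall inside the monitoring_calculation_window look-back) modelled as an added example for checking your own lag figures; this is not SAI's code, and the sample records, host names and the "any metric counts for non-Windows hosts" rule are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Per the thread: Windows entity discovery requires Processor.* metrics.
# Treating other OS types as accepting any metric is an assumption of this
# model, not something the thread states.
REQUIRED_PREFIX = {"windows": "Processor."}

def discover_entities(samples, now, window_seconds):
    """Return {host: newest qualifying timestamp} for hosts whose most recent
    qualifying sample lies within `window_seconds` before `now`."""
    cutoff = now - timedelta(seconds=window_seconds)
    latest = {}
    for s in samples:
        prefix = REQUIRED_PREFIX.get(s["os"].lower(), "")
        if not s["metric_name"].startswith(prefix):
            continue  # e.g. Process.* on Windows does not count
        if s["_time"] < cutoff:
            continue  # older than the window: data lag is too large
        if s["host"] not in latest or s["_time"] > latest[s["host"]]:
            latest[s["host"]] = s["_time"]
    return latest

def lag_seconds(samples, host, now, metric_prefix=""):
    """Seconds between `now` and the newest sample for `host` whose metric
    name starts with `metric_prefix` (the 'last data was N min ago' check)."""
    times = [s["_time"] for s in samples
             if s["host"] == host and s["metric_name"].startswith(metric_prefix)]
    return (now - max(times)).total_seconds() if times else None

NOW = datetime(2020, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
def _at(sec_ago):
    return NOW - timedelta(seconds=sec_ago)

# Constructed samples: the Linux host reported 30 s ago; the Windows host's
# Process.* data is fresh, but its Processor.* data arrives with a 150 s lag.
SAMPLES = [
    {"host": "linux01", "os": "Linux", "metric_name": "cpu.idle", "_time": _at(30)},
    {"host": "win01", "os": "Windows", "metric_name": "Process.%_Processor_Time", "_time": _at(60)},
    {"host": "win01", "os": "Windows", "metric_name": "Processor.%_Idle_Time", "_time": _at(150)},
]

if __name__ == "__main__":
    print("Processor.* lag for win01:", lag_seconds(SAMPLES, "win01", NOW, "Processor."), "s")
    for window in (90, 300):
        print(f"window={window}s -> entities: {sorted(discover_entities(SAMPLES, NOW, window))}")
    # window=90s -> entities: ['linux01']
    # window=300s -> entities: ['linux01', 'win01']
```

With the default 90 s window the lagging Windows host is missed and appears only at 300 s; a Windows host that sends Process.* but no Processor.* samples is never discovered regardless of the window.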

peterschloenske
Explorer

Processor.* are not disabled in the inputs.conf.
Maybe something needs to be configured in Windows.
