All Apps and Add-ons

SAI - Windows entity does not show up

peterschloenske
Explorer

Hi,

in the App for Infrastructure this search returns results for 1x Linux and 1x Windows host. So I assume data is coming in as expected:

| mstats latest(_value) WHERE index=em_metrics metric_name=* BY host, entity_type

However, the windows host does not show up as entity in the investigate tab while the linux host does.

And it is missing here as well:
| inputlookup em_entities

Anyone has an idea what could be wrong here?

Cheers

0 Karma
1 Solution

dagarwal_splunk
Splunk Employee
Splunk Employee

Increase the "monitoring_calculation_window" for "perfmon" in collectors.conf to something like 300 and restart Splunk

View solution in original post

francoisternois
Path Finder

Hello Peter,
Can you share your inputs.conf ?
In my case, I just add _meta = os::Windows
Otherwise, it didn't show up...

0 Karma

peterschloenske
Explorer

The os:: is set in the inputs.conf, I did not change anything after using the install script.

0 Karma

dagarwal_splunk
Splunk Employee
Splunk Employee

Increase the "monitoring_calculation_window" for "perfmon" in collectors.conf to something like 300 and restart Splunk

shandr
Path Finder
0 Karma

peterschloenske
Explorer

Unfortunately this did not help. I'm still receiving metrics for both hosts, but only the linux host appears in | inputlookup em_entities.

0 Karma

dagarwal_splunk
Splunk Employee
Splunk Employee

Can you answer some questions:

  • Do you see Processor.* metrics for your Windows hosts?
  • For this search on windows host, what is latest timestamp with data? (last data was 1min , 2min or 3min ago when you run the search? 😞 | mstats avg(_value) WHERE metric_name=Processor.%_Idle_Time AND index=em_metrics AND host=mywindows* span=30s
  • What version of SAI do you have?
0 Karma

peterschloenske
Explorer

There are only Process.* metrics available so far.
The latest timestamp with data for this host is 1min ago.
I have SAI 2.0.3 in use.

Sidenote:
In another environment the similar problem occured and here the increase of "monitoring_calculation_window" did the trick. Could you explain what is exactly done with this value?

0 Karma

dagarwal_splunk
Splunk Employee
Splunk Employee

You need Processor.* metrics for Windows entity discovery. Are they disabled in your inputs.conf.

monitoring_calculation_window is how many seconds to look in past for the new entity. It was set to 90 sec. If there is some data lag of more than 90 sec, entity won't be discovered. Solution is to increase this number if not working for you.

0 Karma

peterschloenske
Explorer

Processor.* are not disabled in the inputs.conf
Maybe something needs to be configured in Windows.

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...