All Apps and Add-ons

SAI - Windows entity does not show up

peterschloenske
Explorer

Hi,

in the App for Infrastructure this search returns results for 1x Linux and 1x Windows host. So I assume data is coming in as expected:

| mstats latest(_value) WHERE index=em_metrics metric_name=* BY host, entity_type

However, the windows host does not show up as entity in the investigate tab while the linux host does.

And it is missing here as well:
| inputlookup em_entities

Anyone has an idea what could be wrong here?

Cheers

0 Karma
1 Solution

dagarwal_splunk
Splunk Employee
Splunk Employee

Increase the "monitoring_calculation_window" for "perfmon" in collectors.conf to something like 300 and restart Splunk

View solution in original post

francoisternois
Path Finder

Hello Peter,
Can you share your inputs.conf ?
In my case, I just add _meta = os::Windows
Otherwise, it didn't show up...

0 Karma

peterschloenske
Explorer

The os:: is set in the inputs.conf, I did not change anything after using the install script.

0 Karma

dagarwal_splunk
Splunk Employee
Splunk Employee

Increase the "monitoring_calculation_window" for "perfmon" in collectors.conf to something like 300 and restart Splunk

shandr
Path Finder
0 Karma

peterschloenske
Explorer

Unfortunately this did not help. I'm still receiving metrics for both hosts, but only the linux host appears in | inputlookup em_entities.

0 Karma

dagarwal_splunk
Splunk Employee
Splunk Employee

Can you answer some questions:

  • Do you see Processor.* metrics for your Windows hosts?
  • For this search on windows host, what is latest timestamp with data? (last data was 1min , 2min or 3min ago when you run the search? 😞 | mstats avg(_value) WHERE metric_name=Processor.%_Idle_Time AND index=em_metrics AND host=mywindows* span=30s
  • What version of SAI do you have?
0 Karma

peterschloenske
Explorer

There are only Process.* metrics available so far.
The latest timestamp with data for this host is 1min ago.
I have SAI 2.0.3 in use.

Sidenote:
In another environment the similar problem occured and here the increase of "monitoring_calculation_window" did the trick. Could you explain what is exactly done with this value?

0 Karma

dagarwal_splunk
Splunk Employee
Splunk Employee

You need Processor.* metrics for Windows entity discovery. Are they disabled in your inputs.conf.

monitoring_calculation_window is how many seconds to look in past for the new entity. It was set to 90 sec. If there is some data lag of more than 90 sec, entity won't be discovered. Solution is to increase this number if not working for you.

0 Karma

peterschloenske
Explorer

Processor.* are not disabled in the inputs.conf
Maybe something needs to be configured in Windows.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...