All Apps and Add-ons

Single Machine performance\Machine disk detail & Machine memory detail blank

cejkyle
Engager

Hello I believe i have installed the template correctly since lots of data is coming through but some of the most useful stuff like single machine performance is missing.
All the disk and memory and most of the processor dashboards are blank.
inputs.conf seem to contain the right info.

I have copied in some of my inputs.conf below
Logical disk in there and seems to contain all the counters but it's all blank in splunk under single machine performance\machine disk detail.
Same for memory and some of processor.

In machine processor detail, avg % processor time is populated but Avg. Processor Queue Length and % Processor Time by Process are blank.

xd_perfmon_index` sourcetype="PerfmonMk:Memory

There is no sourcetype called PerfmonMk:Memory

These appear to be the only source types in splunk
PerfmonMk:Processor
PerfmonMk:NetworkInterface
PerfmonMk:PageFile
PerfmonMk:ICASession
PerfmonMk:CitrixBrokerService
PerfmonMk:CitrixMonitor

i,m confused. please help. I really need this important info.
Many thanks for an otherwise very helpful tool.

C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-XD7-VDA\default\inputs.conf

[perfmon://LogicalDisk]
interval = 10
object = LogicalDisk
counters = % Free Space; % Disk Time; Current Disk Queue Length; Avg. Disk sec/Transfer
instances = *
index= xd_perfmon
disabled = 0
mode = multikv

perfmon://Processor]
interval = 10
object = Processor
counters = % Processor Time
instances = *
index = xd_perfmon
disabled = 0
mode = multikv

[perfmon://Processor]
interval = 10
object = Processor
counters = % Processor Time
instances = *
index = xd_perfmon
disabled = 0
mode = multikv

[perfmon://Memory]
interval = 10
object = Memory
counters = Available Bytes; Pages/sec
instances = *
index=xd_perfmon
disabled = 0
mode = multikv

0 Karma

cejkyle
Engager

Installed we have:
Uber agent
Uber Agent Log collector
Splunk Addons for AWS
Splunk App for AWS
Splunk DB Connect

When I ran xd_perfmon_index | stats count by sourcetype
this is what was returned.

PerfmonMk:CitrixBrokerService 852
PerfmonMk:CitrixMonitor 568
PerfmonMk:ICASession 6154
PerfmonMk:NetworkInterface 7944
PerfmonMk:PageFile 6099
PerfmonMk:Processor

So even though our input.conf lists things like
[perfmon://Memory]
interval = 10
object = Memory
counters = Available Bytes; Pages/sec
instances = *
index=xd_perfmon
disabled = 0
mode = multikv

these are not being reflected in XD7 Template.
Any idea why?
I will try run btool
Thanks

0 Karma

jconger
Splunk Employee
Splunk Employee

That is strange that the memory statistics are not showing up. Using btool will let us know if there is some other configuration overriding the inputs.conf configuration.

0 Karma

jconger
Splunk Employee
Splunk Employee

What sourcetypes do you see when you run the following search:

`xd_perfmon_index` | stats count by sourcetype

What other add-ons (if any) are installed on the same forwarder?

You can also use the btool command to determine if other configuration parameters are overriding your configurations. See the "Learn where configuration values come from" section here -> https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Usebtooltotroubleshootconfigurat...

0 Karma

cejkyle
Engager

xd_perfmon_index | stats count by sourcetype

PerfmonMk:CitrixBrokerService 87570
PerfmonMk:CitrixMonitor 32851
PerfmonMk:ICASession 131772
PerfmonMk:NetworkInterface 468602
PerfmonMk:PageFile 365913
PerfmonMk:Processor

This is strange since it looks like stuff such as memory is missing even though its explicitly mentioned in the output.conf

Also some hosts are not coming through and being read by XD7
I have re installed the files on the affected machines and restarted the service and done everything i can think of to get them to work but they are completely missing.
However they show up in Uber agent on splunk cloud fine.
What could cause some hosts to not be seen by XD7 template?

I will try btool.
Thanks

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...