All Apps and Add-ons

Splunk Universal Forwarder is not sending performance data.

antoniodelachic
New Member

Hello,

I'm evaluating Splunk as a central syslog analyzer. So I've installed a free licensed indexer on a Ubuntu virtual machine. The problem is that I've installed the Universal Forwarder on a couple of Windows Servers (W2k3 32bits and W2k8 64bits, both servers in Spanish) and both sends events data correctly to the indexer, but no performance information. I've checked that with a Wireshark capture.

Could you please help me with this issue? I don't know if I should enable something to check performance data.

Thank you very much in advance.

Best regards.

Antonio de la Chica.

0 Karma

dmaislin_splunk
Splunk Employee
Splunk Employee

Try downloading the app Splunk for Windows: http://apps.splunk.com/app/272/

It includes documentation about the entire setup: http://docs.splunk.com/Documentation/WindowsApp/latest/User/AbouttheSplunkAppforWindows

And the TA that you put on the forwarder to gather the performance data: http://apps.splunk.com/app/742/

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

What's in your inputs.conf file regarding Perfmon inputs?

If you're using a localized version of Windows you may have to use localized names of Perfmon objects and counters as well.

0 Karma

antoniodelachic
New Member

I've installed the UF as local system user, and splunkd.exe and splunk-winevtlog.exe are running as SYSTEM procesess. I think splunk should collect WMI data and forward it to the indexer port 9997. I can't figure any problem in the indexer about a non domain user.

0 Karma

lukejadamec
Super Champion

You might have trouble collecting WMI data without the indexer running as a windows domain user, but you should be able to send perfmon data from the forwarder.

0 Karma

antoniodelachic
New Member

Because I've only installed de UF on the Windows Machine pointing to the Ubuntu box, that indexes the data. Is it right?.

0 Karma

lukejadamec
Super Champion

Right, the logs should be in splunk\var\logs\splunk\splunkd.log my mistake.
I have not encountered problems with w2k3 network, cpu, or memory logs.
Where are the input configurations located on your forwarders? Prior to 6.0 they would be in MSICreated\local

0 Karma

antoniodelachic
New Member

My server is a Windows Server 2003R2 Standard Edition.

Could you please indicate me if it is not supported or I've missed something?.

Thank you very much in advance.

0 Karma

antoniodelachic
New Member

Hello,

I haven't any directory named splunk\etc\apps\MSICreated\local, and logs are stored into D:\SplunkUniversalForwarder\var\log\splunk. I've checked the splukd.log, and there are two messages:

ERROR ExecProcessor - message from "D:\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" wmain: Operating system major version 5, detected -- A minimum of 6 (VISTA/Server 2008) is required. Exitting.
ERROR ExecProcessor - message from "D:\SplunkUniversalForwarder\bin\splunk-netmon.exe" splunk-netmon - Splunk network monitor is not available on this version of Windows.

0 Karma

lukejadamec
Super Champion

The input configuration will be located in the splunk\etc\apps\MSICreated\local folder.
Check the logs on the forwarders in the splunk\etc\system\logs\splunk\splunkd.log for errors.

0 Karma

antoniodelachic
New Member

Hello,
I've selected all the performance checkboxes when I installed the forwarder. No more actions.

Thank you.

0 Karma

lukejadamec
Super Champion

Are you sure the forwarders are configured to send performance information?

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...