
Splunk Universal Forwarder is not sending performance data.

antoniodelachic
New Member

Hello,

I'm evaluating Splunk as a central syslog analyzer, so I've installed a free-licensed indexer on an Ubuntu virtual machine. The problem is that I've installed the Universal Forwarder on a couple of Windows Servers (W2k3 32-bit and W2k8 64-bit, both servers in Spanish) and both send event data correctly to the indexer, but no performance information. I've checked that with a Wireshark capture.

Could you please help me with this issue? I don't know if I should enable something to check performance data.

Thank you very much in advance.

Best regards.

Antonio de la Chica.

0 Karma

dmaislin_splunk
Splunk Employee

Try downloading the app Splunk for Windows: http://apps.splunk.com/app/272/

It includes documentation about the entire setup: http://docs.splunk.com/Documentation/WindowsApp/latest/User/AbouttheSplunkAppforWindows

And the TA that you put on the forwarder to gather the performance data: http://apps.splunk.com/app/742/

0 Karma

martin_mueller
SplunkTrust

What's in your inputs.conf file regarding Perfmon inputs?

If you're using a localized version of Windows you may have to use localized names of Perfmon objects and counters as well.

0 Karma
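
As an added example (not code from the thread or from Splunk), here is a small Python check that answers the question above for a given inputs.conf by listing each Perfmon stanza and why it would not collect. The sample file is constructed; treating `object`, `counters` and `interval` as required and a missing `disabled` as enabled are assumptions to confirm against the inputs.conf spec for the installed forwarder version.

```python
import re

# Constructed sample of a forwarder's inputs.conf (not taken from the thread).
SAMPLE_INPUTS_CONF = """\
[perfmon://CPU]
object = Processor
counters = % Processor Time; % User Time
interval = 10
disabled = 0

[perfmon://Memory]
object = Memory
counters = Available Bytes
interval = 10
disabled = 1

[perfmon://Disk]
object = LogicalDisk
counters = % Free Space
"""

REQUIRED = ("object", "counters", "interval")  # assumed mandatory for perfmon stanzas
STANZA = re.compile(r"^\[(.+)\]\s*$")

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; '%' is kept literally."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA.match(line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def audit_perfmon(text):
    """Return {perfmon stanza: problems}; an empty list means it should collect."""
    report = {}
    for name, kv in parse_conf(text).items():
        if name.lower().startswith("perfmon://"):
            problems = [f"missing {k}" for k in REQUIRED if not kv.get(k)]
            if kv.get("disabled", "0").lower() in ("1", "true"):
                problems.append("disabled")
            report[name] = problems
    return report
```

An empty result from `audit_perfmon` means the file defines no Perfmon inputs at all; the check cannot tell whether the object and counter names match a localized Windows installation.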

antoniodelachic
New Member

I've installed the UF as the local system user, and splunkd.exe and splunk-winevtlog.exe are running as SYSTEM processes. I think Splunk should collect WMI data and forward it to the indexer port 9997. I can't figure out any problem in the indexer about a non-domain user.

0 Karma

lukejadamec
Super Champion

You might have trouble collecting WMI data without the indexer running as a windows domain user, but you should be able to send perfmon data from the forwarder.

0 Karma

antoniodelachic
New Member

Because I've only installed the UF on the Windows machine pointing to the Ubuntu box, that indexes the data. Is it right?

0 Karma

lukejadamec
Super Champion

Right, the logs should be in splunk\var\logs\splunk\splunkd.log, my mistake.
I have not encountered problems with w2k3 network, cpu, or memory logs.
Where are the input configurations located on your forwarders? Prior to 6.0 they would be in MSICreated\local

0 Karma

antoniodelachic
New Member

My server is a Windows Server 2003R2 Standard Edition.

Could you please tell me whether it is not supported or I've missed something?

Thank you very much in advance.

0 Karma

antoniodelachic
New Member

Hello,

I haven't any directory named splunk\etc\apps\MSICreated\local, and logs are stored in D:\SplunkUniversalForwarder\var\log\splunk. I've checked the splunkd.log, and there are two messages:

ERROR ExecProcessor - message from "D:\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" wmain: Operating system major version 5, detected -- A minimum of 6 (VISTA/Server 2008) is required. Exitting.
ERROR ExecProcessor - message from "D:\SplunkUniversalForwarder\bin\splunk-netmon.exe" splunk-netmon - Splunk network monitor is not available on this version of Windows.

0 Karma

lukejadamec
Super Champion

The input configuration will be located in the splunk\etc\apps\MSICreated\local folder.
Check the logs on the forwarders in the splunk\etc\system\logs\splunk\splunkd.log for errors.

0 Karma

antoniodelachic
New Member

Hello,
I've selected all the performance checkboxes when I installed the forwarder. No more actions.

Thank you.

0 Karma

lukejadamec
Super Champion

Are you sure the forwarders are configured to send performance information?

0 Karma