All Apps and Add-ons

Splunk XenDesktop AddOn - Perfmon data does not get forwarded to indexer

Nicc2013
Engager

I am running Splunk 5.0.2 and Splunk for XenDesktop App v. 2.0 (Both currently the newest versions) Splunk Universal Forwarder 5.0.2 incl. XD AddOns is installed onto a Windows 7 x64 XenDesktop VDI.

I am getting VDI/XenDesktop data and eventlogs perfectly fine in my indexer, but perfmon data do not show under "Desktop Performance", and the index; XenDesktop_Perfmon does not receive any data.

Anybody with same issue and/or knows how to ensure perfmon data gets forwarded to the splunk xendesktop indexer?

Splunkd log is showing no error in regards to splunk-perfmon.exe;

3:56:42.383 +0100 INFO ExecProcessor - New scheduled exec process: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe" -index xendesktop_perfmon
02-28-2013 13:56:42.383 +0100 INFO ExecProcessor - interval: 60000 ms
02-28-2013 13:56:42.383 +0100 INFO ExecProcessor - New scheduled exec process: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" --driver-path "C:\Program Files\SplunkUniversalForwarder\bin"
02-28-2013 13:56:42.383 +0100 INFO ExecProcessor - interval: 10000000000 ms
02-28-2013 13:56:42.383 +0100 INFO ExecProcessor - New scheduled exec process: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe" -index xendesktop_winevents
02-28-2013 13:56:42.383 +0100 INFO ExecProcessor - interval: 10000000000 ms
02-28-2013 13:56:42.383 +0100 INFO ExecProcessor - New scheduled exec process: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe"
02-28-2013 13:56:42.383 +0100 INFO ExecProcessor - interval: run once
02-28-2013 13:56:42.383 +0100 INFO ExecProcessor - New scheduled exec process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command " &'C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-XD-VDA\bin\powershell\GetClientDetails.ps1'" -index xendesktop
02-28-2013 13:56:42.383 +0100 INFO ExecProcessor - interval: 180000 ms
02-28-2013 13:56:42.383 +0100 INFO ExecProcessor - New scheduled exec process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command " &'C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-XD-VDA\bin\powershell\GetICASessionStat.ps1'" -index xendesktop
02-28-2013 13:56:42.383 +0100 INFO ExecProcessor - interval: 180000 ms
02-28-2013 13:56:42.383 +0100 INFO ExecProcessor - New scheduled exec process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command " &'C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-XD-VDA\bin\powershell\GetInstalledSoftware.ps1'" -index xendesktop_winevents
02-28-2013 13:56:42.383 +0100 INFO ExecProcessor - interval: 21600000 ms
02-28-2013 13:56:42.383 +0100 INFO ExecProcessor - New scheduled exec process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command " &'C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-XD-VDA\bin\powershell\GetProcess.ps1'" -index xendesktop_winevents

Thanks

Tags (1)
0 Karma
1 Solution

cramasta
Builder

I'm not sure if they updated the Xendesktop app yet but version 5 uses modular inputs now for perfmon data. (no more perfmon.conf, its all configured in the inputs.conf)

make sure that the UF have the following setup in the defaults inputs.conf for the TA-XD-VDA app.

first disable this stanza inputs.conf

[script://$SPLUNK_HOME\bin\scripts\splunk-perfmon.path]
disabled = 1
index = xendesktop_perfmon

then add this

[perfmon://AvailableMemory]
counters = Available Bytes
disabled = 0
interval = 180
object = Memory
index = xendesktop_perfmon

[perfmon://CPULoad]
counters = % Processor Time;
disabled = 0
instances = _Total
interval = 180
object = Processor
index = xendesktop_perfmon

[perfmon://LogicalDisk]
counters = Free Megabytes;% Free Space;Split IO/Sec;Disk Reads/Sec;Disk Writes/Sec;Disk Transfers/Sec;Disk Bytes/Sec;% Disk Time
disabled = 0
instances = *
interval = 180
object = LogicalDisk
index = xendesktop_perfmon

[perfmon://NetworkInterface]
counters = Bytes Received/sec;Bytes Sent/sec
disabled = 0
instances = *
interval = 180
object = Network Interface
index = xendesktop_perfmon

[perfmon://PhysicalDisk]
counters = Split IO/Sec;Disk Reads/Sec;Disk Writes/Sec;Disk Transfers/Sec;Disk Bytes/Sec
disabled = 0
instances = *
interval = 180
object = PhysicalDisk
index = xendesktop_perfmon

[perfmon://RunningProcesses]
counters = % Processor Time;Virtual Bytes;IO Write Operations/sec;IO Read Operations/sec;ID Process;Page Faults/Sec;Elapsed Time;
disabled = 0
instances = *
interval = 180
object = Process
index = xendesktop_perfmon

View solution in original post

Nicc2013
Engager

Thanks... Addtionally it shows that it did not work with this configuration only, because we were running with local language mui pack in our Windows 7. As soon as I forced the splunkforwarder service to run under an account that were hit by a english language pack, it start working.
The perfmon objects and counters did not match the english names, so splunkd log and splunk-perfmon.exe reported that it could not locate the objects 🙂

Furthermore the perfmon entries were case sensitive (Do not use PERFMON://) only small letters 🙂

0 Karma

cramasta
Builder

I'm not sure if they updated the Xendesktop app yet but version 5 uses modular inputs now for perfmon data. (no more perfmon.conf, its all configured in the inputs.conf)

make sure that the UF have the following setup in the defaults inputs.conf for the TA-XD-VDA app.

first disable this stanza inputs.conf

[script://$SPLUNK_HOME\bin\scripts\splunk-perfmon.path]
disabled = 1
index = xendesktop_perfmon

then add this

[perfmon://AvailableMemory]
counters = Available Bytes
disabled = 0
interval = 180
object = Memory
index = xendesktop_perfmon

[perfmon://CPULoad]
counters = % Processor Time;
disabled = 0
instances = _Total
interval = 180
object = Processor
index = xendesktop_perfmon

[perfmon://LogicalDisk]
counters = Free Megabytes;% Free Space;Split IO/Sec;Disk Reads/Sec;Disk Writes/Sec;Disk Transfers/Sec;Disk Bytes/Sec;% Disk Time
disabled = 0
instances = *
interval = 180
object = LogicalDisk
index = xendesktop_perfmon

[perfmon://NetworkInterface]
counters = Bytes Received/sec;Bytes Sent/sec
disabled = 0
instances = *
interval = 180
object = Network Interface
index = xendesktop_perfmon

[perfmon://PhysicalDisk]
counters = Split IO/Sec;Disk Reads/Sec;Disk Writes/Sec;Disk Transfers/Sec;Disk Bytes/Sec
disabled = 0
instances = *
interval = 180
object = PhysicalDisk
index = xendesktop_perfmon

[perfmon://RunningProcesses]
counters = % Processor Time;Virtual Bytes;IO Write Operations/sec;IO Read Operations/sec;ID Process;Page Faults/Sec;Elapsed Time;
disabled = 0
instances = *
interval = 180
object = Process
index = xendesktop_perfmon

Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...