Universal Forwarder (Windows) doesn't forward performance data

wplank
Path Finder

Hey all,

I set up a universal forwarder on a Windows 7 system. Logs get forwarded to the Splunk server, but no performance data.

How do I configure the universal forwarder to also forward performance data (CPU, RAM, ...)?

Thanks for your help!

0 Karma

nembela
Explorer

Hi,

My solution is not too elegant, but it works.
I configured the performance monitoring on the Splunk indexer from the web UI.
Then I copied the required stanzas from the perfmon.conf of the indexer to the Splunk forwarder: $SPLUNKFORWARDER_HOME/etc/system/local/perfmon.conf

For example:

[PERFMON:Available Memory]
counters = Available Bytes
disabled = 0
interval = 10
object = Memory
index = performance

We use a different index for performance data because of the different archiving policy.

I hope it helps you.

0 Karma

sloshburch
Ultra Champion

Although this answer was never 'accepted', it sounds like the right path. Here's some additional information to support the same line of solution: How do I get basic performance data for my Windows systems?, Is it a best practice to use the Splunk Add-on for Microsoft Windows? and What are the best practices for installing Splunk on Windows endpoints?

0 Karma

malmoore
Splunk Employee

Ok, that's a step in the right direction.

Did you install the UF as the Local System user, or another user?

If you installed as the Local System user, WMI shouldn't be in the mix at all here. If you place the perfmon.conf that you have shown above in %SPLUNKFORWARDER_HOME%\etc\system\local, it should collect data for the attributes specified in that file.

Information on editing perfmon.conf is here: http://www.splunk.com/base/Documentation/latest/Data/Real-timeWindowsperformancemonitoring#Configure...

Let me know if this helps.

0 Karma

wplank
Path Finder

I disabled the firewall, without success. Telnet seems to be working now, but still no data. Is there a tutorial on how to set up a universal forwarder for Windows (without WMI) to trace performance data?

0 Karma

malmoore
Splunk Employee

Yes, you absolutely can forward performance log data from a universal forwarder.

"No connection possible" is a problem. If you're unable to telnet to that port, then no data at all is getting across. You may be seeing log data from other forwarders.

Is Windows Firewall running? If so, make sure those ports are open, or add the Splunk services to the list of allowed programs. If you can, stop WF temporarily and try the connection again.

0 Karma

wplank
Path Finder

Is it even possible to track performance data from Windows through the universal forwarder?

0 Karma

wplank
Path Finder

Hello,

I changed the interval setting to 5, without success.
Telnet to the Splunk server on port 9997 tells me "no connection possible".

But the Forwarder forwards Security Logs (for example).

0 Karma

malmoore
Splunk Employee

Hi wplank,

If I'm reading your perfmon.conf right, your interval is set to 0. Try setting it to something greater than 0.

Failing that, you might have a network connectivity issue. Can you telnet to the receiver's IP address and port from the machine running the UF?

0 Karma

wplank
Path Finder

Hey,
thanks for your suggestion.

I already added a perfmon.conf in the Splunk forwarder's /etc/system/local/ directory.
Settings:
[Perfmon:LocalPhysicalDisk]
interval = 0
object = PhysicalDisk
counters = Disk Bytes/sec; % Disk Read Time; % Disk Write Time; % Disk Time
instances = *
disabled = 0
index = PerfMon

But nothing appears in the index (perfmon).

0 Karma
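
Added example, not part of any post in this thread and not Splunk code: a small Python check for the problem pointed out in the replies, an interval of 0 in a perfmon.conf stanza. The REQUIRED key list, the handling of disabled, and the second sample stanza are assumptions made for illustration.

```python
import configparser

# Constructed sample: the stanza posted in the thread (interval = 0) and a
# hypothetical copy whose only change is a positive interval.
SAMPLE = """
[Perfmon:LocalPhysicalDisk]
interval = 0
object = PhysicalDisk
counters = Disk Bytes/sec; % Disk Read Time; % Disk Write Time; % Disk Time
instances = *
disabled = 0
index = PerfMon

[Perfmon:LocalPhysicalDiskFixed]
interval = 10
object = PhysicalDisk
counters = Disk Bytes/sec; % Disk Time
disabled = 0
index = PerfMon
"""

# Assumption: the keys that both stanzas shown in the thread set.
REQUIRED = ("object", "counters", "interval")


def lint_perfmon(text):
    """Return {stanza name: [problems]} for each perfmon stanza in text."""
    # interpolation=None: counter names such as "% Disk Time" contain a bare
    # '%', which configparser's default interpolation rejects on read-out.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    report = {}
    for name in cp.sections():
        if not name.lower().startswith("perfmon:"):
            continue  # not a performance-monitoring stanza
        sec, problems = cp[name], []
        for key in REQUIRED:
            if not sec.get(key, "").strip():
                problems.append(f"missing {key}")
        raw = sec.get("interval", "").strip()
        if raw and (not raw.lstrip("-").isdigit() or int(raw) <= 0):
            problems.append(f"interval = {raw} (must be an integer greater than 0)")
        # Assumption: only an explicit value other than 0/false counts as disabled.
        if sec.get("disabled", "0").strip().lower() not in ("0", "false"):
            problems.append("stanza is disabled")
        report[name] = problems
    return report
```

Calling lint_perfmon(SAMPLE) reports the interval problem for the first stanza and an empty problem list for the second.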