I set up a universal forwarder on a Windows 7 system; logs get forwarded to the Splunk server, but no performance data.
How do I configure the universal forwarder to also forward performance data (CPU, RAM, ...)?
Thanks for your help!
My solution is not too elegant, but it works.
I configured the performance monitoring on the Splunk indexer from web UI.
Then I copied the required stanzas from the perfmon.conf of the indexer to the Splunk forwarder: $SPLUNKFORWARDER_HOME/etc/system/local/perfmon.conf
# stanza header assumed here for completeness; the post showed only the settings below
[perfmon://Memory]
counters = Available Bytes
disabled = 0
interval = 10
object = Memory
index = performance
We use a different index for performance data because of the different archiving policy.
I hope it helps you
Although this answer was never 'accepted', it sounds like the right path. Here's some additional information to support the same line of solution: How do I get basic performance data for my Windows systems?, Is it a best practice to use the Splunk Add-on for Microsoft Windows? and What are the best practices for installing Splunk on Windows endpoints?
Ok, that's a step in the right direction.
Did you install the UF as the Local System user, or another user?
If you installed as the Local System user, WMI shouldn't be in the mix at all here. If you place the perfmon.conf that you have shown above in %SPLUNKFORWARDER_HOME%\etc\system\local, it should collect data for the attributes specified in that file.
Information on editing perfmon.conf is here: http://www.splunk.com/base/Documentation/latest/Data/Real-timeWindowsperformancemonitoring#Configure...
Let me know if this helps.
I disabled the firewall, without success. Telnet seems to be working now, but still no data. Is there a tutorial on how to set up a universal forwarder for Windows (without WMI) to trace performance data?
Yes, you absolutely can forward performance log data from a universal forwarder.
"No connection possible" is a problem. If you're unable to telnet to that port, then no data at all is getting across. You may be seeing log data from other forwarders.
Is Windows Firewall running? If so, make sure those ports are open, or add the Splunk services to the list of allowed programs. If you can, stop WF temporarily and try the connection again.
If I'm reading your perfmon.conf right, your interval is set to 0. Try setting it to something greater than 0.
Failing that, you might have a network connectivity issue. Can you telnet to the receiver's IP address and port from the machine running the UF?
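The two checks this answer recommends (an interval greater than 0, and a reachable receiver port) are easy to script. The following is an added example, not code from the thread or from Splunk: a small linter for perfmon.conf stanzas plus a TCP reachability probe. The sample conf text is constructed from the settings posted in this thread, and the stanza header names (`perfmon://PhysicalDisk`, `perfmon://Memory`) are assumptions, since the posts show only the key/value lines.

```python
import configparser
import socket

# Constructed sample modelled on the stanzas posted in this thread.
# Stanza header names are assumed; index and interval values are as posted.
SAMPLE_PERFMON_CONF = """\
[perfmon://PhysicalDisk]
interval = 0
object = PhysicalDisk
counters = Disk Bytes/sec; % Disk Read Time; % Disk Write Time; % Disk Time
instances = *
disabled = 0
index = PerfMon

[perfmon://Memory]
counters = Available Bytes
disabled = 0
interval = 10
object = Memory
index = performance
"""


def parse_perfmon_conf(text):
    """Parse Splunk-style INI text into {stanza_name: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key names exactly as written
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def check_stanza(name, settings):
    """Return a list of human-readable findings for one perfmon stanza."""
    findings = []
    if not name.startswith("perfmon://"):
        findings.append("stanza header should look like [perfmon://<name>]")
    if "object" not in settings:
        findings.append("missing 'object'")
    counters = [c.strip() for c in settings.get("counters", "").split(";") if c.strip()]
    if not counters:
        findings.append("missing or empty 'counters'")
    # The thread's key point: interval = 0 collects nothing, so flag it.
    if "interval" in settings:
        try:
            interval = int(settings["interval"])
        except ValueError:
            interval = -1
        if interval <= 0:
            findings.append("'interval' must be greater than 0 (got %r)" % settings["interval"])
    if settings.get("disabled", "0").strip().lower() not in ("0", "false"):
        findings.append("input is disabled")
    index = settings.get("index")
    if index is not None and index != index.lower():
        findings.append("index name %r is not lowercase" % index)
    return findings


def lint_perfmon_conf(text):
    """Lint every stanza; returns {stanza_name: [findings]}."""
    return {name: check_stanza(name, s) for name, s in parse_perfmon_conf(text).items()}


def receiver_reachable(host, port, timeout=3.0):
    """Scripted equivalent of 'telnet <receiver> <port>': True if a TCP connect succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for stanza, problems in lint_perfmon_conf(SAMPLE_PERFMON_CONF).items():
        print(stanza, "->", problems or "OK")
    # Replace with your indexer's address and receiving port before running.
    print("receiver reachable:", receiver_reachable("splunk-indexer.example", 9997))
```

Run it on the forwarder with the conf file's contents; a stanza that reports no findings but still sends nothing points to connectivity or the index itself rather than the input definition, which is the same order of elimination the answer above walks through.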
Thanks for your suggestion.
I already added a perfmon.conf in the Splunk forwarder's /etc/system/local/ directory.
# stanza header assumed here for completeness; the post showed only the settings below
[perfmon://PhysicalDisk]
interval = 0
object = PhysicalDisk
counters = Disk Bytes/sec; % Disk Read Time; % Disk Write Time; % Disk Time
instances = *
disabled = 0
index = PerfMon
But nothing appears in the index (perfmon).