All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Using Windows App with light forwarder

Eric_the_Red
New Member
‎07-13-2012 12:19 PM

Greetings,

We have several items set up for collecting windows perfmon data. The Splunk App for Windows app appears to only work with WMI out of the box.

Here are the ones we have configured:PERFMON=cpu,memory,network,diskspace

Example:
[PERFMON:LocalPhysicalDisk]
interval = 0
object = PhysicalDisk
counters = Disk Bytes/sec; % Disk Read Time; % Disk Write Time; % Disk Time
instances = *
disabled = 0

Is there an easy way to adjust the Windows app? We would prefer to not use the WMI method if possible. I found a few posts saying it was possible, but nothing pointing me to the method to do this.

Thanks!

0 Karma
Reply

lguinn2
Legend
‎07-13-2012 06:12 PM

You may edit any part of the Windows app - the reason that it is not really discussed is because the Windows app is just like any other app. If you are the Splunk admin, you can go to Manager » Searches and reports and edit any of the searches in the Windows app. Under Manager » User interface » Views, you will find all of the dashboards in the Windows app. All of the macros are under Manager » Advanced search » Search macros and all of the eventtypes are in Manager » Event types.

You may find it helpful to click the checkbox for Show only objects created in this app context in each of these areas.

If you look in the Windows app for the eventtypes, searches, etc. that are using WMI, you can edit them with your own sourcetypes and other field names. Most of the eventtypes are based on sourcetypes; I would start by editing the eventtypes. This will probably make a lot of the dashboards and searches, which use the eventtypes, work properly.

I can't think of any shortcut way to do this...

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...