Greetings,
We have several items set up for collecting Windows perfmon data. The Splunk App for Windows app appears to only work with WMI out of the box.
Here are the ones we have configured: PERFMON=cpu,memory,network,diskspace
Example:
[PERFMON:LocalPhysicalDisk]
interval = 0
object = PhysicalDisk
counters = Disk Bytes/sec; % Disk Read Time; % Disk Write Time; % Disk Time
instances = *
disabled = 0
Is there an easy way to adjust the Windows app? We would prefer to not use the WMI method if possible. I found a few posts saying it was possible, but nothing pointing me to the method to do this.
Thanks!
You may edit any part of the Windows app - the reason that it is not really discussed is because the Windows app is just like any other app. If you are the Splunk admin, you can go to Manager » Searches and reports and edit any of the searches in the Windows app. Under Manager » User interface » Views, you will find all of the dashboards in the Windows app. All of the macros are under Manager » Advanced search » Search macros and all of the eventtypes are in Manager » Event types.
You may find it helpful to click the checkbox for Show only objects created in this app context in each of these areas.
If you look in the Windows app for the eventtypes, searches, etc. that are using WMI, you can edit them with your own sourcetypes and other field names. Most of the eventtypes are based on sourcetypes; I would start by editing the eventtypes. This will probably make a lot of the dashboards and searches, which use the eventtypes, work properly.
I can't think of any shortcut way to do this...