All Apps and Add-ons

What is the intended behavior when setting the "instances" option for perfmon data in inputs.conf?

Champion

In the inputs.conf spec for collecting perfmon data (https://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Inputsconf#Performance_Monitor ), there is an option called "instances". Reading the description of the option seems to suggest that it allows one to specify string patterns that will filter the reported perfmon data based on if the instance field from the host matches the string specified in the stanza. For example, if one wanted to capture perfmon data for all instances of svchost, I would assume this could be done by specifying a stanza like the following:

[perfmon://Process]
counters = Working Set;Virtual Bytes;% Processor Time;Handle Count;Thread Count;Elapsed Time;Creating Process ID;ID Process;
disabled = 0
index = perfmon
instances = svchost*
interval = 30
object = Process
mode = multikv
showZeroValue = 1

Setting up the stanza in this way does not result in all instances of svchost being reported with the prescribed configuration. Instead, the only thing reported back is the perfmon data for the top-level, parent svchost process, and its value for the "instance" field is set to the pattern in the stanza, e.g., "svchost*". None of the child svchost processes (whose instances should be svchost#1, svchost#2, etc.) are reported.

Is this the expected behavior?

I tested this with Splunk Forwarder 6.4.4, Splunk Add-on for Windows version 4.8.0 on Windows 10 64-bit.

Another user (@Yorokobi) reported seeing this on Windows Server 2012 R2.

1 Solution

SplunkTrust
SplunkTrust

Based on documentation (link below) for perfmon setting 'instances', I don't think it can be used as wild carded names of instances. You should provide full names of instances that you want the counter to be monitored for (semicolon separated) OR use '*' to monitor for all instances.

https://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Inputsconf#Performance_Monitor

View solution in original post

SplunkTrust
SplunkTrust

Based on documentation (link below) for perfmon setting 'instances', I don't think it can be used as wild carded names of instances. You should provide full names of instances that you want the counter to be monitored for (semicolon separated) OR use '*' to monitor for all instances.

https://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Inputsconf#Performance_Monitor

View solution in original post

Champion

@somesoni2, I will accept your feedback if you change it to an answer.

0 Karma

Champion

I don't disagree, but I am little surprised that it wouldn't support the wildcard except for the "ALL" case. Seems a bit odd compared to most other semantics in Splunk configuration files.

Thanks as always @somesoni2.

0 Karma

SplunkTrust
SplunkTrust

It occurred to me later (the wildcard only applying to instances = *) so I tried a semicolon-separated list of expected process names and this feature appears to work as expected.

0 Karma