
Where is the sourcetype "Perfmon:FreeDiskSpace" within the Splunk Add-on for Microsoft Windows?

markusspitzli2
Explorer

Hi.

We use Perfmon for our Windows Systems, but we are missing the sourcetype "Perfmon:FreeDiskSpace".
We downloaded the latest Windows TA App (4.8.3), where we have found the [Perfmon:FreeDiskSpace] definition within props.conf. But there is no such section within the inputs.conf. We are confused, because there should be an input or a transform in any way.

Does anyone know where the sourcetype Perfmon:FreeDiskSpace comes from, how it is defined and where it can be enabled?

Thanks
Markus

0 Karma

dstaulcu
Builder

I think that is an errant entry in the splunk_ta_windows and that it has no effect. The sourcetype name listed in props.conf does not match either the WMI or PERFMON based input specifications in the app. The sourcetype for inputs associated with the perfmon input handler will, by default, have a sourcetype value starting with "perfmon" and ending with the "object" name.

I would enable the [perfmon://LogicalDisk] stanza in inputs.conf of the app, at which point a search for sourcetype="Perfmon:LogicalDisk" counter="% Free Space" instance=* would return the results you are looking for.

Bonus:

There is a command line tool built into Windows (usage: typeperf.exe -q) which lists available performance monitoring objects and their associated counters. On my Windows 10 desktop, typeperf reports only a single object having the word disk (LogicalDisk) and only one counter (% Free Space) having the words "free" and "space".

C:\Program Files\SplunkUniversalForwarder>typeperf -q | find /i "disk" | find /i "free" | find /i "space"
\LogicalDisk(*)\% Free Space

If the perfmon input type was "multikv" instead of "single" (single is the default perfmon input type and what is currently used in Splunk_TA_windows) then the sourcetype value would instead be sourcetype="PerfmonMk:LogicalDisk".

0 Karma
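
As an added example (not part of either post and not code from the add-on): a Python check that derives the sourcetypes the perfmon:// stanzas in inputs.conf would emit and flags Perfmon props.conf stanzas that no input produces, as with [Perfmon:FreeDiskSpace] in this thread. The sample file contents are constructed, and the naming rule is assumed to be Perfmon:<object> for single mode and PerfmonMk:<object> for multikv, with no explicit sourcetype override in the stanza.

```python
import re
# Constructed sample .conf contents modeled on the thread (not the add-on's own
# files); props.conf stanza bodies are omitted because only the names matter here.
INPUTS_CONF = """
[perfmon://LogicalDisk]
counters = % Free Space; Free Megabytes
object = LogicalDisk
disabled = 0
[perfmon://Memory]
object = Memory
mode = multikv
disabled = 1
"""
PROPS_CONF = """
[Perfmon:FreeDiskSpace]
[Perfmon:LogicalDisk]
[PerfmonMk:Memory]
"""

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; line continuations unsupported."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def perfmon_sourcetypes(inputs_text):
    """Map each sourcetype (lowercased) a perfmon:// stanza emits to True if enabled.
    Assumed naming: single mode (default) -> Perfmon:<object>, multikv -> PerfmonMk:<object>."""
    out = {}
    for name, kv in parse_conf(inputs_text).items():
        if name.lower().startswith("perfmon://"):
            prefix = "PerfmonMk" if kv.get("mode", "single").lower() == "multikv" else "Perfmon"
            st = f"{prefix}:{kv.get('object', name[len('perfmon://'):])}".lower()
            enabled = kv.get("disabled", "0").lower() not in ("1", "true")
            out[st] = out.get(st, False) or enabled
    return out

def audit(inputs_text, props_text):
    """Label each Perfmon* props.conf stanza: enabled, disabled, or orphan (no input)."""
    emitted = perfmon_sourcetypes(inputs_text)
    return {st: {None: "orphan", True: "enabled", False: "disabled"}[emitted.get(st.lower())]
            for st in parse_conf(props_text) if st.lower().startswith("perfmon")}

if __name__ == "__main__":
    print(audit(INPUTS_CONF, PROPS_CONF))
```

To check a real deployment, pass the merged configuration text (for example the output of `splunk btool inputs list` and `splunk btool props list`) instead of the constructed samples.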