Where is the sourcetype "Perfmon:FreeDiskSpace" within the Splunk Add-on for Microsoft Windows?
Hi.
We use Perfmon for our Windows Systems, but we are missing the sourcetype "Perfmon:FreeDiskSpace".
We downloaded the latest Windows TA App (4.8.3), where we found the [Perfmon:FreeDiskSpace] definition within props.conf. But there is no such section within inputs.conf. We are confused, because there should be an input or a transform in any way.
Does anyone know where the sourcetype Perfmon:FreeDiskSpace comes from, how it is defined and where it can be enabled?
Thanks
Markus
I think that is an errant entry in the splunk_ta_windows and that it has no effect. The sourcetype name listed in props.conf does not match either the WMI or PERFMON based input specifications in the app. The sourcetype for inputs associated with the perfmon input handler will, by default, have a sourcetype value starting with "perfmon" and ending with the "object" name.
I would enable the [perfmon://LogicalDisk] stanza in inputs.conf of the app, at which point a search for sourcetype="Perfmon:LogicalDisk" counter="% Free Space" instance=* would return the results you are looking for.
Bonus:
There is a command line tool built into Windows (usage: typeperf.exe -q) which lists available performance monitoring objects and their associated counters. On my Windows 10 desktop, typeperf reports only a single object having the word disk (LogicalDisk) and only one counter (% Free Space) having the words "free" and "space".
C:\Program Files\SplunkUniversalForwarder>typeperf -q | find /i "disk" | find /i "free" | find /i "space"
\LogicalDisk(*)\% Free Space
If the perfmon input type was "multikv" instead of "single" (Single is the default perfmon input type and what is currently used in Splunk_TA_windows) then the sourcetype value would instead be sourcetype="Perfmonk:LogicalDisk"
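The comparison made in the answer above can be scripted; this is an added example, not code from the thread or from Splunk_TA_windows. It lists every Perfmon: stanza in props.conf and reports whether a perfmon:// input would produce it. The sample files are constructed, and the script assumes the default single mode, where the sourcetype is "Perfmon:" plus the name after perfmon:// (identical to the object name for LogicalDisk).

```python
import configparser

# Constructed sample files, not copied from Splunk_TA_windows.
INPUTS_CONF = """
[perfmon://LogicalDisk]
object = LogicalDisk
counters = % Free Space
instances = *
disabled = 1

[perfmon://Memory]
object = Memory
counters = Available Bytes
disabled = 0
"""

PROPS_CONF = """
[Perfmon:LogicalDisk]
SHOULD_LINEMERGE = false

[Perfmon:Memory]
SHOULD_LINEMERGE = false

[Perfmon:FreeDiskSpace]
SHOULD_LINEMERGE = false
"""

def load(text):
    # interpolation=None: counter names such as "% Free Space" contain "%".
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep the case of setting names
    cp.read_string(text)
    return cp

def audit(inputs_text, props_text):
    """Map each Perfmon: props stanza to 'enabled', 'disabled' or 'no input'."""
    inputs, props = load(inputs_text), load(props_text)
    produced = {}
    for stanza in inputs.sections():
        if stanza.lower().startswith("perfmon://"):
            # Assumption: single mode, sourcetype = "Perfmon:" + stanza name.
            sourcetype = "Perfmon:" + stanza[len("perfmon://"):]
            flag = inputs[stanza].get("disabled", "0").strip().lower()
            produced[sourcetype] = "disabled" if flag in ("1", "true") else "enabled"
    return {s: produced.get(s, "no input")
            for s in props.sections() if s.startswith("Perfmon:")}

if __name__ == "__main__":
    for sourcetype, state in audit(INPUTS_CONF, PROPS_CONF).items():
        print(f"{sourcetype:28} {state}")
```

A stanza reported as "no input" is a props.conf definition that nothing in inputs.conf feeds, which is the situation described for Perfmon:FreeDiskSpace.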