When Splunk 6 came out nearly 3 years ago, multikv mode was introduced as an option for perfmon-based inputs. With this mode, more information can be packed into a single event, fewer packets can be sent over the wire, and relevant events can more efficiently be retrieved from storage at search time. Further, with use of stats you could even get away with sending events less frequently, saving precious bandwidth/storage/license for more diverse sets of data. As a result of the volume of perfmon data collection by splunk_ta_windows, I only deploy the app as-is to key infrastructure servers in regions with excellent network connectivity. I have to deploy a customized version of splunk_ta_windows to other system/region types to save on bandwidth, etc.
I'd really like to see consolidation onto multikv mode among perfmon counters in splunk_ta_windows. Without being able to collect an efficient level / consistent type globally, we are missing out on opportunities in use of premium apps such as ITSI, which I understand to be dependent on data models built off of inputs defined in Splunk TA Windows.
Is anyone else customizing splunk_ta_windows for similar reasons? And if so, has that customization negatively impacted your compatibility of outputs with premium apps?
The just-released Splunk Add-on for Windows v5.0 has been updated with multikv as default, though the Windows Infrastructure app doesn't have complete integration yet. Please read the add-on upgrade path in detail so as not to risk losing data.
Thank you for the follow-up and for those who contributed. I realize making such changes can be paralyzing when you know they can disrupt if performed without preparation.
Here is a line-by-line comparison of changes between the current branch (v5.0) and a previous one (v4.8.4).
I share in your frustration in the lack of adoption of multikv mode across all Splunk Windows apps. This is something that should have been addressed years ago. I don't use the Splunk app for Windows Infrastructure because of this oversight. I can't fathom how this is still an issue after so many years.
The responsible PM for this area has noted your question. Thanks for the feedback!