All Apps and Add-ons

Why isnt splunk_ta_windows taking advantage of multikv mode in perfmon-based inputs?

dstaulcu
Builder

When Splunk 6 came out nearly 3 years ago, multikv mode was introduced as an option for perfmon-based inputs. With this mode, more information can be packed into a single event, less packets can be sent over the wire, and relevant events can more efficiently be retrieved from storage at search time. Further, with use of stats you could even get away with sending events less frequently saving precious bandwidth/storage/license for more diverse sets of data. As a result of the volume of perfmon data collection by splunk_ta_windows, I only deploy the app as-is to key infrastructure servers in regions with excellent network connectivity. I have to deploy a customized version of splunk_ta_windows to other system/region types to saved on bandwidth,etc.

I'd really like to see consolidation onto multi-kv mode among permon counters in splunk_ta_windows. Without being able to collect an efficient level / consistent type globally, we are missing out on opportunities in use of premium apps such as ITSI, which I understand to be dependent on data models built off of inputs defined in Splunk TA Windows.

Is anyone else customizing splunk_ta_windows for similar reasons? And if so, has that customization negatively impacted your compatibility of outputs with premium apps?

1 Solution

dbaldwin_splunk
Splunk Employee
Splunk Employee

Just released Splunk Add-on for Windows v5.0 has been updated with multikv as default, though Windows Infrastructure app doesn't have complete integration yet. Please read in detail add-on upgrade path as to not risk losing data.

View solution in original post

0 Karma

dbaldwin_splunk
Splunk Employee
Splunk Employee

Just released Splunk Add-on for Windows v5.0 has been updated with multikv as default, though Windows Infrastructure app doesn't have complete integration yet. Please read in detail add-on upgrade path as to not risk losing data.

0 Karma

dstaulcu
Builder

Thank you for the follow up and for those who contributed. I realize making such changes can be paralyzing when you know they can disrupt if performed without preparation.

Here is a line by line comparison of changes between the current branch (v5.0) and a previous one (v4.8.4).

  • I probably would have increased the interval of perfmon collection to 300s
  • I certainly appreciate all the extra failure code lookups!
0 Karma

fervin
Path Finder

I share in your frustration in the lack of adoption of multikv mode across all Splunk Windows apps. This is something that should have been addressed years ago. I don't use the Splunk app for Windows Infrastructure because of this oversight. I can't fathom how this is still an issue after so many years.

hrottenberg_spl
Splunk Employee
Splunk Employee

The responsible PM for this area has noted your question. Thanks for the feedback!

0 Karma
Get Updates on the Splunk Community!

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...