All Apps and Add-ons
Highlighted

Why isnt splunk_ta_windows taking advantage of multikv mode in perfmon-based inputs?

Builder

When Splunk 6 came out nearly 3 years ago, multikv mode was introduced as an option for perfmon-based inputs. With this mode, more information can be packed into a single event, less packets can be sent over the wire, and relevant events can more efficiently be retrieved from storage at search time. Further, with use of stats you could even get away with sending events less frequently saving precious bandwidth/storage/license for more diverse sets of data. As a result of the volume of perfmon data collection by splunktawindows, I only deploy the app as-is to key infrastructure servers in regions with excellent network connectivity. I have to deploy a customized version of splunktawindows to other system/region types to saved on bandwidth,etc.

I'd really like to see consolidation onto multi-kv mode among permon counters in splunktawindows. Without being able to collect an efficient level / consistent type globally, we are missing out on opportunities in use of premium apps such as ITSI, which I understand to be dependent on data models built off of inputs defined in Splunk TA Windows.

Is anyone else customizing splunktawindows for similar reasons? And if so, has that customization negatively impacted your compatibility of outputs with premium apps?

Highlighted

Re: Why isnt splunk_ta_windows taking advantage of multikv mode in perfmon-based inputs?

Path Finder

The responsible PM for this area has noted your question. Thanks for the feedback!

0 Karma
Highlighted

Re: Why isnt splunk_ta_windows taking advantage of multikv mode in perfmon-based inputs?

Path Finder

I share in your frustration in the lack of adoption of multikv mode across all Splunk Windows apps. This is something that should have been addressed years ago. I don't use the Splunk app for Windows Infrastructure because of this oversight. I can't fathom how this is still an issue after so many years.

Highlighted

Re: Why isnt splunk_ta_windows taking advantage of multikv mode in perfmon-based inputs?

Just released Splunk Add-on for Windows v5.0 has been updated with multikv as default, though Windows Infrastructure app doesn't have complete integration yet. Please read in detail add-on upgrade path as to not risk losing data.

View solution in original post

0 Karma
Highlighted

Re: Why isnt splunk_ta_windows taking advantage of multikv mode in perfmon-based inputs?

Builder

Thank you for the follow up and for those who contributed. I realize making such changes can be paralyzing when you know they can disrupt if performed without preparation.

Here is a line by line comparison of changes between the current branch (v5.0) and a previous one (v4.8.4).

  • I probably would have increased the interval of perfmon collection to 300s
  • I certainly appreciate all the extra failure code lookups!
0 Karma