
Windows Add-on Perfmon not working

rmanrique
Path Finder

I have configured the inputs.conf to monitor these points:

    ###### Splunk 5.0+ Performance Counters ######
    ## CPU
    [perfmon://CPU]
    counters = % Processor Time; % User Time; % Privileged Time
    disabled = 0
    instances = *
    interval = 10
    mode = single
    object = Processor
    useEnglishOnly=true
    index=perfmon

    ## Logical Disk
    [perfmon://LogicalDisk]
    counters = % Free Space; Free Megabytes; Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time
    disabled = 0
    instances = *
    interval = 10
    mode = single
    object = LogicalDisk
    useEnglishOnly=true
    index=perfmon

    ## Physical Disk
    [perfmon://PhysicalDisk]
    counters = Current Disk Queue Length; % Disk Time
    disabled = 0
    instances = *
    interval = 10
    mode = single
    object = PhysicalDisk
    useEnglishOnly=true
    index=perfmon

    ## Memory
    [perfmon://Memory]
    counters = Page Faults/sec; Available Bytes; Committed Bytes
    disabled = 0
    interval = 10
    mode = single
    object = Memory
    useEnglishOnly=true
    index=perfmon

    ## Process
    [perfmon://Process]
    counters = % Processor Time; % User Time
    disabled = 0
    instances = *
    interval = 10
    mode = single
    object = Process
    useEnglishOnly=true
    index=perfmon

    ## ProcessInformation
    [perfmon://ProcessorInformation]
    counters = % Processor Time; Processor Frequency
    disabled = 0
    instances = *
    interval = 10
    mode = single
    object = Processor Information
    useEnglishOnly=true
    index=perfmon

    ## System
    [perfmon://System]
    counters = File Read Operations/sec; File Write Operations/sec; File Control Operations/sec
    disabled = 0
    instances = *
    interval = 10
    mode = single
    object = System
    useEnglishOnly=true
    index=perfmon

but I am only getting data from "Perfmon:Process".

I don't have any error messages. I don't know why I am not receiving other data too.

I am indexing two Windows servers and in both cases the same thing happens to me: I only receive data from "Perfmon:Process".

0 Karma

jacobpevans
Motivator

The first thing I would try is to simplify. You properly copied from the default `inputs.conf`, but since you did that, you only need to keep the lines that you are changing. So, try this first:

    ###### Splunk 5.0+ Performance Counters ######
    ## CPU
    [perfmon://CPU]
    disabled = 0
    index=perfmon

    ## Logical Disk
    [perfmon://LogicalDisk]
    disabled = 0
    index=perfmon

    ## Physical Disk
    [perfmon://PhysicalDisk]
    disabled = 0
    index=perfmon

    ## Memory
    [perfmon://Memory]
    disabled = 0
    index=perfmon

    ## Process
    [perfmon://Process]
    disabled = 0
    index=perfmon

    ## ProcessInformation
    [perfmon://ProcessorInformation]
    disabled = 0
    index=perfmon

    ## System
    [perfmon://System]
    disabled = 0
    index=perfmon

Restart your Splunk service. If you still don't see the other sourcetypes, we'll need to see your btool output. Navigate to `$SPLUNK_HOME\bin` and run this command:

    splunk cmd btool inputs list perfmon://CPU --debug

Reply to this with that output if you haven't figured it out by this point.

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma

rmanrique
Path Finder

When I installed the universal forwarder version 7.2.1.0 I was just able to capture the data like CPU, MEMORY, LOGICAL DISK, etc. But with the version 8.0.4 or 7.3.6, it doesn't allow me to capture the data, only Perfmon:Process.

0 Karma

jacobpevans
Motivator

What later versions?

What is the output of btool from my original response?

What do you mean specifically by "it doesn't allow me"?

Cheers,
Jacob

0 Karma

rmanrique
Path Finder

This is the output of the command you gave me:

    /opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [perfmon://CPU]
    /opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
    /opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
    host = splunk.cyberline.com.pe
    index = default
    /opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf instances = *
    /opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf interval = 10
    /opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf mode = multikv
    /opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf object = Processor
    /opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf useEnglishOnly = true

* Regarding the universal forwarder.
What I meant to say is that when I installed version 8.0 of the UF, it does not capture perfmon data for CPU, Memory, Logical Disk, etc. It captures only Perfmon:Process.

By contrast, it was only when I installed version 7.2.1.0 that I was able to capture that data.

0 Karma

jacobpevans
Motivator

Your btool output specifically says that CPU is disabled:

    /opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1

Since this is defined in `Splunk_TA_windows/default/inputs.conf`, I can only assume that you have not properly saved your file `Splunk_TA_windows/local/inputs.conf` with a value of `disabled = 0` for CPU (and likely the others).

Any stanza setting defined in local will always take precedence over default within the same app.

Cheers,
Jacob

0 Karma

rmanrique
Path Finder

I ran that btool command on my instance, which is the deployment server. My question is why I should create the configuration that you mention on my deployment server.

If I create the local folder and specify the perfmon disable = 0 there, I will start receiving logs from that server, which I don't want to do.

In the UF I have the correct configuration, where I put disable = 0.

0 Karma

jacobpevans
Motivator

Can you run the btool command on the UF?

Cheers,
Jacob

0 Karma

rmanrique
Path Finder

This is the result.

    C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows_8_0_0\local\inputs.conf   [perfmon://CPU]
    C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows_8_0_0\default\inputs.conf counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
    C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows_8_0_0\local\inputs.conf   disabled = 0
    host = ADVANCE-PC
    C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows_8_0_0\local\inputs.conf   index = windows
    C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows_8_0_0\default\inputs.conf instances = *
    C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows_8_0_0\default\inputs.conf interval = 10
    C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows_8_0_0\local\inputs.conf   mode = single
    C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows_8_0_0\default\inputs.conf object = Processor
    C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows_8_0_0\default\inputs.conf useEnglishOnly = true

0 Karma
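The two btool outputs in this thread differ in which file supplies each setting. As an added example (not code from the thread or from Splunk), the Python below parses `btool ... --debug` output and reports, per stanza, whether the input is enabled and which app and layer set that. The function names `parse_btool_debug` and `summarize` are hypothetical, and it assumes the app and layer are the two directories directly above the `.conf` file.

```python
import re

# Sample input: lines copied from the two btool outputs posted in this thread, trimmed.
DEPLOYMENT_SERVER = r"""
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [perfmon://CPU]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 1
index = default
"""
FORWARDER = r"""
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows_8_0_0\local\inputs.conf   [perfmon://CPU]
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows_8_0_0\local\inputs.conf   disabled = 0
host = ADVANCE-PC
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows_8_0_0\local\inputs.conf   index = windows
"""

# The source path can contain spaces ("Program Files"), so anchor on the ".conf" suffix
# rather than whitespace. Lines with no path are values btool printed without a source file.
LINE = re.compile(r"^(?:(?P<path>(?:[A-Za-z]:\\|/).*?\.conf)\s+)?(?P<rest>\S.*)$")

def parse_btool_debug(text):
    """Return {stanza: {key: (value, app, layer)}} from `btool inputs list --debug` output."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line
        parts = re.split(r"[\\/]", m["path"]) if m["path"] else []
        app, layer = (parts[-3], parts[-2]) if len(parts) >= 3 else (None, None)
        rest = m["rest"]
        if rest.startswith("[") and rest.endswith("]"):
            current = stanzas.setdefault(rest[1:-1], {})
        elif current is not None and "=" in rest:
            key, value = (s.strip() for s in rest.split("=", 1))
            current[key] = (value, app, layer)
    return stanzas

def summarize(text):
    """One line per stanza: enabled or not, which app/layer decided it, and the index."""
    out = []
    for name, kv in parse_btool_debug(text).items():
        disabled, app, layer = kv.get("disabled", ("0", None, None))
        index = kv.get("index", ("default", None, None))[0]
        state = "ENABLED" if disabled.lower() in ("0", "false") else "DISABLED"
        source = f"{app}/{layer}" if layer else "no source file"
        out.append(f"{name}: {state} by {source}, index={index}")
    return out

if __name__ == "__main__":
    print(summarize(DEPLOYMENT_SERVER), summarize(FORWARDER), sep="\n")
```

On the forwarder output it reports the CPU input enabled from `local` with `index=windows`, while the inputs.conf posted at the top of the thread sets `index=perfmon`.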