Windows App Perfmon Data Input doesn't work

lrudolph
Path Finder

Hi,

I'm currently testing Splunk 6.0.1 on a Windows Server 2008 R2 (fresh install). I want to monitor that particular Windows-Server, so I downloaded the Windows App 5.0.2 and installed it via the GUI. Now during the initial setup of the app, I just clicked "Save" without modifications to any parameters. Under "Windows Perfmon Inputs", all options were listed under "enabled": Processor, Network Interface, Memory, PhysicalDisk, LogicalDisk, Process, System.

However, after saving the settings, the dashboard "Performance Monitoring" in the app showed no data. I troubleshot a bit and found that under the settings page in the app, all Perfmon-Inputs were gone except for "System". They weren't shown under "enabled" nor under "disabled".

I don't understand why this happens. I tried to configure the inputs manually in inputs.conf (didn't work) and also tried installing a separate Universal Forwarder with the Windows TA, but that instance also wasn't able to send Perfmon-data to the Splunk-Instance.

Does anyone have an idea what's going on here?

Thanks,

Leo

0 Karma
1 Solution

lrudolph
Path Finder

OK, it's finally working. It seems a restart of the whole server fixed everything. Now all Perfmon-Inputs are being shown in the config and performance data is being indexed.

0 Karma

lrudolph
Path Finder

Sure. $SPLUNK_HOME/etc/apps/windows/default/inputs.conf:

###### DHCP ######
[monitor://$WINDIR\System32\DHCP]
disabled = 1
whitelist = DhcpSrvLog*
crcSalt = <SOURCE>
sourcetype = DhcpSrvLog

###### Windows Update Log ######
[monitor://$WINDIR\WindowsUpdate.log]
disabled = 1
sourcetype = WindowsUpdateLog

###### Event Gen #####
[script://.\bin\eventgen.bat]
disabled = true
interval = 300
passAuth = splunk-system-user
index = main
sourcetype = sharad-eventgen

$SPLUNK_HOME/.../windows/local/inputs.conf is empty.

0 Karma
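
Added example (not part of the original thread, and not Splunk's own code): a Python sketch that layers an app's local/inputs.conf over its default/inputs.conf and reports which [perfmon://...] stanzas exist and whether they are enabled. The file contents are constructed samples; the per-key local-over-default merge and treating a missing "disabled" key as enabled are assumptions of this sketch.

```python
import configparser

# Constructed sample, abridged from the default/inputs.conf posted above.
DEFAULT_CONF = r"""
[monitor://$WINDIR\System32\DHCP]
disabled = 1
sourcetype = DhcpSrvLog

[script://.\bin\eventgen.bat]
disabled = true
interval = 300
"""

# Constructed sample: hypothetical local/inputs.conf; counters are illustrative.
LOCAL_CONF = r"""
[perfmon://Processor]
object = Processor
counters = % Processor Time
interval = 10
disabled = 0

[perfmon://Memory]
object = Memory
disabled = 1
"""

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}} without interpolation."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=("#",),
                                   default_section="__none__")
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def merge(default, local):
    """Assumption: keys in local override the same keys in default, per stanza."""
    merged = {s: dict(kv) for s, kv in default.items()}
    for stanza, kv in local.items():
        merged.setdefault(stanza, {}).update(kv)
    return merged

def perfmon_status(merged):
    """Map perfmon input name -> True if enabled (missing 'disabled' = enabled)."""
    return {s[len("perfmon://"):]: kv.get("disabled", "0").strip().lower() not in ("1", "true")
            for s, kv in merged.items() if s.lower().startswith("perfmon://")}

if __name__ == "__main__":
    for label, local in (("empty local", ""), ("local with perfmon", LOCAL_CONF)):
        print(label, perfmon_status(merge(parse_conf(DEFAULT_CONF), parse_conf(local))))
```

With an empty local file the result is an empty mapping, meaning neither of the two files defines a perfmon input. To see what a running instance resolves across all apps, `splunk btool inputs list --debug` prints the merged stanzas together with the file each setting came from.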

skylasam_splunk
Splunk Employee

The performance monitoring dashboard not showing any data might be linked to the fact that lookups needed for the dashboard to function properly did not get created in time.
Could you send the contents of the following files currently:
$SPLUNK_HOME\etc\apps\windows\local\inputs.conf
$SPLUNK_HOME\etc\apps\windows\default\inputs.conf

0 Karma