All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Windows App Perfmon Data Input doesn't work

lrudolph
Path Finder
‎01-02-2014 11:26 AM

Hi,

I'm currently testing Splunk 6.0.1 on a Windows Server 2008 R2 (fresh install). I want to monitor that particular Windows-Server, so I downloaded the Windows App 5.0.2 and installed it via the GUI. Now during the initial setup of the app, I just clicked "Save" without modifications to any parameters. Under "Windows Perfmon Inputs", all options were listed under "enabled": Processor, Network Interface, Memory, PhysicalDisk, LogicalDisk, Process, System.

However, after saving the settings, the dashboard "Performance Monitoring" in the app showed no data. I troubleshooted a bit I found that under the settings page in the app, all Perfom-Inputs were gone except for "System". They weren't shown under "enabled" nor under "disabled".

I don't understand why this happens. I tried to configure the inputs manually in inputs.conf (didn't work) and also tried installing a separate Universal Forwarder with the Windows TA, but that instance also wasn't able to send Perfmon-data to the Splunk-Instance.

Anyone has an idea what's going on here?

Thanks,

Leo

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lrudolph
Path Finder
‎01-18-2014 01:40 PM

OK it's finally working. It seems a restart of the whole server fixed everything. Now all Perfom-Inputs are being shown in the config and performance data is beeing indexed.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lrudolph
Path Finder
‎01-18-2014 01:40 PM

OK it's finally working. It seems a restart of the whole server fixed everything. Now all Perfom-Inputs are being shown in the config and performance data is beeing indexed.

0 Karma
Reply
Solved! Jump to solution

lrudolph
Path Finder
‎01-03-2014 08:24 AM

Sure. $SPLUNK_HOME/etc/apps/windows/default/inputs.conf:

###### DHCP ######
[monitor://$WINDIR\System32\DHCP]
disabled = 1
whitelist = DhcpSrvLog*
crcSalt = <SOURCE>
sourcetype = DhcpSrvLog

###### Windows Update Log ######
[monitor://$WINDIR\WindowsUpdate.log]
disabled = 1
sourcetype = WindowsUpdateLog

###### Event Gen #####
[script://.\bin\eventgen.bat]
disabled = true
interval = 300
passAuth = splunk-system-user
index = main
sourcetype = sharad-eventgen

$SPLUNK_HOME/.../windows/local/inputs.conf is empty.

0 Karma
Reply
Solved! Jump to solution

skylasam_splunk
Splunk Employee
Splunk Employee
‎01-02-2014 12:51 PM

The performance monitoring dashboard not showing any data might be linked to the fact that lookups needed for the dashboard to function properly did not get created in time.
Could you send the contents of the following files currently-
$SPLUNK_HOME\etc\apps\windows\local\inputs.conf
$SPLUNK_HOME\etc\apps\windows\default\inputs.conf

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...