- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: splunk TA WINDOWS
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not able to retrieve mem_free_percent in search (index=* tag=oshost tag=performance tag=memory) after installing splunk_ta_windows. CPU and storage work fine though.
Please help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see, The input is you are looking for is the following: (from inputs.conf)
[WinHostMon://OperatingSystem]
interval = 600
disabled = 1
type = OperatingSystem
index = windows
Ensure you have changed the "disabled = 1" to "disabled =0" in your local/inputs.conf deployed to your servers.
This generates events like:
Type=OperatingSystem
OS="Microsoft Windows Server 2016 Standard"
Architecture="64-bit"
Version="10.0.14393"
BuildNumber="14393"
BuildType="Multiprocessor Free"
ServicePack=
SerialNumber="00377-60000-00000-AA934"
ComputerName="WIN-QEJ4U2U76E6"
InstallDate="20170508151743.000000+060"
LastBootUpTime="20170712200604.500000+060"
Locale="0809"
TotalPhysicalMemoryKB="2096692"
FreePhysicalMemoryKB="1281532"
TotalVirtualMemoryKB="2489908"
FreeVirtualMemoryKB="1653224"
Status="OK"
CodeSet="1252"
CountryCode="44"
SystemDevice="\Device\HarddiskVolume2"
SystemDrive="C:"
SystemDirectory="C:\Windows\system32"
Where Splunk will normalize the percentage of memory in the extracted field "mem_free_percent"
Guilhem
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the same problem on my citrix servers. mem_free_percent is sending correctly and then all of a sudden it disappears while CPU and storage are still being sent. After reinstallation of the universal forwarder, it was solved except for just one machine where it lost again the data after a few hours. Any idea?,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I much prefer using Telegraf now:
https://splunkbase.splunk.com/app/4271/
Which you can even deploy as a Splunk app via DS:
https://github.com/guilhemmarchand/TA-telegraf-windows64
So way better!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see, The input is you are looking for is the following: (from inputs.conf)
[WinHostMon://OperatingSystem]
interval = 600
disabled = 1
type = OperatingSystem
index = windows
Ensure you have changed the "disabled = 1" to "disabled =0" in your local/inputs.conf deployed to your servers.
This generates events like:
Type=OperatingSystem
OS="Microsoft Windows Server 2016 Standard"
Architecture="64-bit"
Version="10.0.14393"
BuildNumber="14393"
BuildType="Multiprocessor Free"
ServicePack=
SerialNumber="00377-60000-00000-AA934"
ComputerName="WIN-QEJ4U2U76E6"
InstallDate="20170508151743.000000+060"
LastBootUpTime="20170712200604.500000+060"
Locale="0809"
TotalPhysicalMemoryKB="2096692"
FreePhysicalMemoryKB="1281532"
TotalVirtualMemoryKB="2489908"
FreeVirtualMemoryKB="1653224"
Status="OK"
CodeSet="1252"
CountryCode="44"
SystemDevice="\Device\HarddiskVolume2"
SystemDrive="C:"
SystemDirectory="C:\Windows\system32"
Where Splunk will normalize the percentage of memory in the extracted field "mem_free_percent"
Guilhem
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you , I did try that, i think it works now. for whatever reason ITSI keeps showing N/A at random though instead of the value
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Guilhem,
Is mem_free_percent that the TA doles out - the RAM memory ? And is storage_free_percent the physical storage available AKA VIRTUAL AKA ROM ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would be keen to think that this is because the metric is not available frequently enough. Just like a single form would return N/A when no data is available between 2 updates of the form. Since this is input only runs every 10min, that's likely to be the explanation
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have been surprised as well 😉
That's why I wrote this article:
https://www.octamis.com/octamis-blog/windows-performance-monitoring-tips-with-splunk/
Feel free to leave a comment if you liked.
Cheers,
Guilhem
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the answer guilhem. I liked your article and that calculation will help me for a generic alert. However, without doing those steps , I was able to see mem_free_percent show up suddenly after adding operating system in the inputs.conf but its spotty. It liked showed up for an hour and then vanished for the rest of the day. Do you have any thoughts?
Reason I ask , is I need this for ITSI and ITSI base search does it by mem_Free_percent..which is a search I can't edit.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
