Not able to retrieve mem_free_percent in search (index=* tag=oshost tag=performance tag=memory) after installing splunk_ta_windows. CPU and storage work fine though.
Please help!
I see, The input is you are looking for is the following: (from inputs.conf)
[WinHostMon://OperatingSystem]
interval = 600
disabled = 1
type = OperatingSystem
index = windows
Ensure you have changed the "disabled = 1" to "disabled =0" in your local/inputs.conf deployed to your servers.
This generates events like:
Type=OperatingSystem
OS="Microsoft Windows Server 2016 Standard"
Architecture="64-bit"
Version="10.0.14393"
BuildNumber="14393"
BuildType="Multiprocessor Free"
ServicePack=
SerialNumber="00377-60000-00000-AA934"
ComputerName="WIN-QEJ4U2U76E6"
InstallDate="20170508151743.000000+060"
LastBootUpTime="20170712200604.500000+060"
Locale="0809"
TotalPhysicalMemoryKB="2096692"
FreePhysicalMemoryKB="1281532"
TotalVirtualMemoryKB="2489908"
FreeVirtualMemoryKB="1653224"
Status="OK"
CodeSet="1252"
CountryCode="44"
SystemDevice="\Device\HarddiskVolume2"
SystemDrive="C:"
SystemDirectory="C:\Windows\system32"
Where Splunk will normalize the percentage of memory in the extracted field "mem_free_percent"
Guilhem
I have the same problem on my citrix servers. mem_free_percent is sending correctly and then all of a sudden it disappears while CPU and storage are still being sent. After reinstallation of the universal forwarder, it was solved except for just one machine where it lost again the data after a few hours. Any idea?,
I much prefer using Telegraf now:
https://splunkbase.splunk.com/app/4271/
Which you can even deploy as a Splunk app via DS:
https://github.com/guilhemmarchand/TA-telegraf-windows64
So way better!
I see, The input is you are looking for is the following: (from inputs.conf)
[WinHostMon://OperatingSystem]
interval = 600
disabled = 1
type = OperatingSystem
index = windows
Ensure you have changed the "disabled = 1" to "disabled =0" in your local/inputs.conf deployed to your servers.
This generates events like:
Type=OperatingSystem
OS="Microsoft Windows Server 2016 Standard"
Architecture="64-bit"
Version="10.0.14393"
BuildNumber="14393"
BuildType="Multiprocessor Free"
ServicePack=
SerialNumber="00377-60000-00000-AA934"
ComputerName="WIN-QEJ4U2U76E6"
InstallDate="20170508151743.000000+060"
LastBootUpTime="20170712200604.500000+060"
Locale="0809"
TotalPhysicalMemoryKB="2096692"
FreePhysicalMemoryKB="1281532"
TotalVirtualMemoryKB="2489908"
FreeVirtualMemoryKB="1653224"
Status="OK"
CodeSet="1252"
CountryCode="44"
SystemDevice="\Device\HarddiskVolume2"
SystemDrive="C:"
SystemDirectory="C:\Windows\system32"
Where Splunk will normalize the percentage of memory in the extracted field "mem_free_percent"
Guilhem
Thank you , I did try that, i think it works now. for whatever reason ITSI keeps showing N/A at random though instead of the value
Hey Guilhem,
Is mem_free_percent that the TA doles out - the RAM memory ? And is storage_free_percent the physical storage available AKA VIRTUAL AKA ROM ?
I would be keen to think that this is because the metric is not available frequently enough. Just like a single form would return N/A when no data is available between 2 updates of the form. Since this is input only runs every 10min, that's likely to be the explanation
Hi,
I have been surprised as well 😉
That's why I wrote this article:
https://www.octamis.com/octamis-blog/windows-performance-monitoring-tips-with-splunk/
Feel free to leave a comment if you liked.
Cheers,
Guilhem
Thanks for the answer guilhem. I liked your article and that calculation will help me for a generic alert. However, without doing those steps , I was able to see mem_free_percent show up suddenly after adding operating system in the inputs.conf but its spotty. It liked showed up for an hour and then vanished for the rest of the day. Do you have any thoughts?
Reason I ask , is I need this for ITSI and ITSI base search does it by mem_Free_percent..which is a search I can't edit.