
splunk TA WINDOWS

splunkannm
New Member

Not able to retrieve mem_free_percent in search (index=* tag=oshost tag=performance tag=memory) after installing splunk_ta_windows. CPU and storage work fine though.

Please help!

0 Karma
1 Solution

guilmxm
SplunkTrust

I see. The input you are looking for is the following (from inputs.conf):

[WinHostMon://OperatingSystem]
interval = 600
disabled = 1
type = OperatingSystem
index = windows

Ensure you have changed "disabled = 1" to "disabled = 0" in your local/inputs.conf deployed to your servers.

This generates events like:

Type=OperatingSystem
OS="Microsoft Windows Server 2016 Standard"
Architecture="64-bit"
Version="10.0.14393"
BuildNumber="14393"
BuildType="Multiprocessor Free"
ServicePack=
SerialNumber="00377-60000-00000-AA934"
ComputerName="WIN-QEJ4U2U76E6"
InstallDate="20170508151743.000000+060"
LastBootUpTime="20170712200604.500000+060"
Locale="0809"
TotalPhysicalMemoryKB="2096692"
FreePhysicalMemoryKB="1281532"
TotalVirtualMemoryKB="2489908"
FreeVirtualMemoryKB="1653224"
Status="OK"
CodeSet="1252"
CountryCode="44"
SystemDevice="\Device\HarddiskVolume2"
SystemDrive="C:"
SystemDirectory="C:\Windows\system32"

Where Splunk will normalize the percentage of memory in the extracted field "mem_free_percent".

Guilhem
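As an added example (not part of the original answer or of Splunk_TA_windows), the snippet below parses the WinHostMon OperatingSystem event quoted above and derives the free-memory percentage from the two fields the answer names. It assumes mem_free_percent is FreePhysicalMemoryKB / TotalPhysicalMemoryKB * 100 rounded to two decimals, which is the natural normalization of those fields; the TA's own eval is not shown on this page. The parser is the general key=value-per-line reader for this event format, so it also copes with bare values (Type=OperatingSystem) and empty ones (ServicePack=), and it returns None instead of a percentage when a field is missing, which is the case that surfaces as N/A downstream.

```python
import re
from typing import Dict, Optional

# Constructed sample: the WinHostMon OperatingSystem event quoted in the answer.
SAMPLE_EVENT = r'''Type=OperatingSystem
OS="Microsoft Windows Server 2016 Standard"
Architecture="64-bit"
Version="10.0.14393"
BuildNumber="14393"
BuildType="Multiprocessor Free"
ServicePack=
SerialNumber="00377-60000-00000-AA934"
ComputerName="WIN-QEJ4U2U76E6"
InstallDate="20170508151743.000000+060"
LastBootUpTime="20170712200604.500000+060"
Locale="0809"
TotalPhysicalMemoryKB="2096692"
FreePhysicalMemoryKB="1281532"
TotalVirtualMemoryKB="2489908"
FreeVirtualMemoryKB="1653224"
Status="OK"
CodeSet="1252"
CountryCode="44"
SystemDevice="\Device\HarddiskVolume2"
SystemDrive="C:"
SystemDirectory="C:\Windows\system32"
'''

# One Key=Value per line. Values are usually double-quoted, but the format also
# allows a bare value (Type=OperatingSystem) and an empty one (ServicePack=).
_LINE_RE = re.compile(r'^\s*(?P<key>\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>.*?))\s*$')


def parse_winhostmon_event(raw: str) -> Dict[str, str]:
    """Parse a multi-line WinHostMon event into a field -> value mapping."""
    fields: Dict[str, str] = {}
    for line in raw.splitlines():
        if not line.strip():
            continue
        match = _LINE_RE.match(line)
        if match is None:
            raise ValueError(f"unparseable line: {line!r}")
        value = match.group("quoted")
        if value is None:          # bare or empty value
            value = match.group("bare")
        fields[match.group("key")] = value
    return fields


def free_percent(fields: Dict[str, str], free_key: str, total_key: str) -> Optional[float]:
    """free/total*100 rounded to 2 decimals; None when a field is missing or total is 0.

    Assumption: this mirrors how the TA normalizes mem_free_percent; the exact
    eval in Splunk_TA_windows is not quoted in the thread.
    """
    if free_key not in fields or total_key not in fields:
        return None
    try:
        free = int(fields[free_key])
        total = int(fields[total_key])
    except ValueError:
        return None
    if total <= 0:
        return None
    return round(free / total * 100, 2)


def mem_free_percent(fields: Dict[str, str]) -> Optional[float]:
    """Physical RAM free, as a percentage (the field ITSI searches for)."""
    return free_percent(fields, "FreePhysicalMemoryKB", "TotalPhysicalMemoryKB")


def virtual_free_percent(fields: Dict[str, str]) -> Optional[float]:
    """Virtual memory (RAM plus page file) free, as a percentage."""
    return free_percent(fields, "FreeVirtualMemoryKB", "TotalVirtualMemoryKB")


if __name__ == "__main__":
    parsed = parse_winhostmon_event(SAMPLE_EVENT)
    print(parsed["ComputerName"], "mem_free_percent =", mem_free_percent(parsed))
    print(parsed["ComputerName"], "virtual_free_percent =", virtual_free_percent(parsed))
```

Running it on the sample event gives roughly 61.12% physical and 66.4% virtual memory free. Feeding it an event with no TotalPhysicalMemoryKB returns None rather than a bogus number, which is the behaviour you want before handing the value to an alert.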


dietercools
New Member

I have the same problem on my Citrix servers. mem_free_percent is sending correctly and then all of a sudden it disappears while CPU and storage are still being sent. After reinstallation of the universal forwarder, it was solved except for just one machine where it lost the data again after a few hours. Any idea?

0 Karma

guilmxm
SplunkTrust

I much prefer using Telegraf now:

https://splunkbase.splunk.com/app/4271/

Which you can even deploy as a Splunk app via DS:

https://github.com/guilhemmarchand/TA-telegraf-windows64

So way better!

0 Karma

splunkannm
New Member

Thank you, I did try that; I think it works now. For whatever reason ITSI keeps showing N/A at random though, instead of the value.

0 Karma

splunkannm
New Member

Hey Guilhem,

Is mem_free_percent that the TA doles out the RAM memory? And is storage_free_percent the physical storage available, AKA VIRTUAL AKA ROM?

0 Karma

guilmxm
SplunkTrust

I would be keen to think that this is because the metric is not available frequently enough. Just like a single form would return N/A when no data is available between 2 updates of the form. Since this input only runs every 10 min, that's likely to be the explanation.

0 Karma
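The explanation above (a 600-second input means at most one data point every 10 minutes, so anything that looks at a narrower window sees nothing) and the "it vanished for the rest of the day" reports elsewhere in the thread both come down to checking event spacing per host. The following is an added example, not code from the thread or from Splunk_TA_windows: given (host, timestamp) pairs such as a search over the OperatingSystem events would return, it finds holes wider than the polling interval and lists hosts whose latest event is stale. The 600-second interval comes from the inputs.conf stanza in the accepted answer; the 1.5x tolerance, the host names and the timestamps are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

INTERVAL = timedelta(seconds=600)   # interval = 600 in the WinHostMon stanza
TOLERANCE = 1.5                     # assumption: a hole > 1.5 polls counts as a gap

# Constructed sample: (host, _time) pairs in no particular order.
# CTX-01 has a 70-minute hole; CTX-02 stopped reporting hours ago.
SAMPLE_EVENTS = [
    ("WIN-QEJ4U2U76E6", "2017-07-12T20:10:00Z"),
    ("WIN-QEJ4U2U76E6", "2017-07-12T20:20:00Z"),
    ("WIN-QEJ4U2U76E6", "2017-07-12T20:30:00Z"),
    ("WIN-QEJ4U2U76E6", "2017-07-12T20:40:00Z"),
    ("CTX-01", "2017-07-12T19:00:00Z"),
    ("CTX-01", "2017-07-12T19:10:00Z"),
    ("CTX-01", "2017-07-12T20:20:00Z"),
    ("CTX-01", "2017-07-12T20:30:00Z"),
    ("CTX-01", "2017-07-12T20:40:00Z"),
    ("CTX-02", "2017-07-12T18:00:00Z"),
]


def _parse_ts(text: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_gaps(events: List[Tuple[str, str]],
              interval: timedelta = INTERVAL,
              tolerance: float = TOLERANCE) -> List[Tuple[str, datetime, datetime, int]]:
    """Return (host, gap_start, gap_end, missed_polls) for every hole wider than tolerance*interval."""
    by_host: Dict[str, List[datetime]] = defaultdict(list)
    for host, ts in events:
        by_host[host].append(_parse_ts(ts))
    gaps = []
    for host in sorted(by_host):
        times = sorted(by_host[host])
        for prev, cur in zip(times, times[1:]):
            delta = cur - prev
            if delta > interval * tolerance:
                # Number of polls that should have landed inside the hole.
                missed = round(delta / interval) - 1
                gaps.append((host, prev, cur, missed))
    return gaps


def stale_hosts(events: List[Tuple[str, str]],
                now: datetime,
                interval: timedelta = INTERVAL,
                tolerance: float = TOLERANCE) -> Dict[str, timedelta]:
    """Map host -> age of its newest event, for hosts older than tolerance*interval at `now`."""
    latest: Dict[str, datetime] = {}
    for host, ts in events:
        t = _parse_ts(ts)
        if host not in latest or t > latest[host]:
            latest[host] = t
    return {h: now - t for h, t in latest.items() if now - t > interval * tolerance}


if __name__ == "__main__":
    now = _parse_ts("2017-07-12T20:45:00Z")   # constructed "current time"
    for host, start, end, missed in find_gaps(SAMPLE_EVENTS):
        print(f"{host}: no OperatingSystem event between {start:%H:%M} and {end:%H:%M} ({missed} polls missed)")
    for host, age in stale_hosts(SAMPLE_EVENTS, now).items():
        print(f"{host}: newest event is {age} old")
```

The interval is the key parameter: with the default stanza a dashboard panel or ITSI KPI that searches the last 5 minutes will be empty half the time even when the forwarder is healthy, so the first thing to confirm is that the search window is wider than the poll interval; only hosts that show up in stale_hosts or find_gaps with a window that wide are actually missing data.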

guilmxm
SplunkTrust

Hi,

I have been surprised as well 😉

That's why I wrote this article:

https://www.octamis.com/octamis-blog/windows-performance-monitoring-tips-with-splunk/

Feel free to leave a comment if you liked.

Cheers,

Guilhem

0 Karma

splunkannm
New Member

Thanks for the answer, Guilhem. I liked your article and that calculation will help me for a generic alert. However, without doing those steps, I was able to see mem_free_percent show up suddenly after adding OperatingSystem in the inputs.conf, but it's spotty. It showed up for an hour and then vanished for the rest of the day. Do you have any thoughts?

The reason I ask is that I need this for ITSI, and the ITSI base search does it by mem_Free_percent, which is a search I can't edit.

0 Karma