Splunk App for Windows Infrastructure's performance monitoring shows no data for CPU metrics


I installed the Splunk App for Windows Infrastructure.

The Windows -> "Event Monitoring" view shows system and application events.

But the Windows -> "Performance Monitoring" view shows no data for CPU Metrics, Memory Metrics, PhysicalDisk Metrics, etc. It shows "Search is waiting for input.." perpetually.

How do I get Splunk to pick up CPU metrics (and other perf metrics like memory, disk, etc.) from my Windows 7 PC, just like how it is currently picking up application and system events?

Path Finder


Here is a copy of the inputs.conf file located in C:\Program Files\Splunk\etc\deployment-apps\Splunk_TA_windows\local; this governs what gets and what does not get ingested.

disabled=0 means the process is enabled and Splunk will collect it from any server that has the universal forwarders installed.

disabled=1 means the process is disabled... hope that helps.

PS: the default unedited copy of the inputs.conf file can be found here: C:\Program Files\Splunk\etc\deployment-apps\Splunk_TA_windows\default

I would suggest you copy the inputs file in the \default directory to a safe location, make your edits and then copy it to C:\Program Files\Splunk\etc\deployment-apps\Splunk_TA_windows\local. Once the change is made, restart Splunk.

# Copyright (C) 2005-2016 Splunk Inc. All Rights Reserved.
# Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
# To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
# into ../local and edit there.

evt_dc_name =
evt_dns_name =

###### OS Logs ######
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = wineventlog

disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
index = wineventlog

disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = wineventlog

####### OS Logs (Splunk 5.x only) ######
# If you are running Splunk 5.x remove the above OS log stanzas and uncomment these three.
#disabled = 1
#start_from = oldest
#current_only = 0
#checkpointInterval = 5
#index = wineventlog
#disabled = 1
#start_from = oldest
#current_only = 0
#evt_resolve_ad_obj = 1
#checkpointInterval = 5
#index = wineventlog
#disabled = 1
#start_from = oldest
#current_only = 0
#checkpointInterval = 5
#index = wineventlog

###### DHCP ######
disabled = 1
whitelist = DhcpSrvLog*
crcSalt = 
sourcetype = DhcpSrvLog
index = windows

###### Windows Update Log ######
disabled = 1
sourcetype = WindowsUpdateLog
index = windows

###### Scripted Input (See also wmi.conf)
disabled = 0
## Run once per hour
interval = 7200
sourcetype = Script:ListeningPorts
index = windows

disabled = 0
## Run once per day
interval = 86400
sourcetype = Script:InstalledApps
index = windows

###### Host monitoring ######
interval = 1800
disabled = 0
type = Computer
index = windows

interval = 1800
disabled = 0
type = Process
index = windows

interval = 1800
disabled = 0
type = Processor
index = windows

interval = 1800
disabled = 0
type = Application
index = windows

interval = 1800
disabled = 0
type = NetworkAdapter
index = windows

interval = 1800
disabled = 0
type = Service
index = windows

interval = 1800
disabled = 0
type = OperatingSystem
index = windows

interval = 1800
disabled = 0
type = Disk
index = windows

interval = 1800
disabled = 1
type = Driver
index = windows

interval = 1800
disabled = 0
type = Roles
index = windows

###### Print monitoring ######
type = printer
interval = 1800
baseline = 1
disabled = 1
index = windows

type = driver
interval = 1800
baseline = 1
disabled = 1
index = windows

type = port
interval = 1800
baseline = 1
disabled = 1
index = windows

###### Network monitoring ######
direction = inbound
disabled = 0
index = windows

direction = outbound
disabled = 0
index = windows

###### Splunk 5.0+ Performance Counters ######
## CPU
counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
disabled = 0
instances = *
interval = 300
object = Processor
index = perfmon

## Logical Disk
counters = % Free Space; Free Megabytes; Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
disabled = 0
instances = *
interval = 300
object = LogicalDisk
index = perfmon

## Physical Disk
counters = Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
disabled = 0
instances = *
interval = 300
object = PhysicalDisk
index = perfmon

## Memory
counters = Page Faults/sec; Available Bytes; Committed Bytes; Commit Limit; Write Copies/sec; Transition Faults/sec; Cache Faults/sec; Demand Zero Faults/sec; Pages/sec; Pages Input/sec; Page Reads/sec; Pages Output/sec; Pool Paged Bytes; Pool Nonpaged Bytes; Page Writes/sec; Pool Paged Allocs; Pool Nonpaged Allocs; Free System Page Table Entries; Cache Bytes; Cache Bytes Peak; Pool Paged Resident Bytes; System Code Total Bytes; System Code Resident Bytes; System Driver Total Bytes; System Driver Resident Bytes; System Cache Resident Bytes; % Committed Bytes In Use; Available KBytes; Available MBytes; Transition Pages RePurposed/sec; Free & Zero Page List Bytes; Modified Page List Bytes; Standby Cache Reserve Bytes; Standby Cache Normal Priority Bytes; Standby Cache Core Bytes; Long-Term Average Standby Cache Lifetime (s)
disabled = 0
interval = 300
object = Memory
index = perfmon

## Network
counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size  
disabled = 1
instances = *
interval = 300
object = Network Interface
index = perfmon

## Process
counters = % Processor Time; % User Time; % Privileged Time; Virtual Bytes Peak; Virtual Bytes; Page Faults/sec; Working Set Peak; Working Set; Page File Bytes Peak; Page File Bytes; Private Bytes; Thread Count; Priority Base; Elapsed Time; ID Process; Creating Process ID; Pool Paged Bytes; Pool Nonpaged Bytes; Handle Count; IO Read Operations/sec; IO Write Operations/sec; IO Data Operations/sec; IO Other Operations/sec; IO Read Bytes/sec; IO Write Bytes/sec; IO Data Bytes/sec; IO Other Bytes/sec; Working Set - Private
disabled = 0
instances = *
interval = 300
object = Process
index = perfmon

## System
counters = File Read Operations/sec; File Write Operations/sec; File Control Operations/sec; File Read Bytes/sec; File Write Bytes/sec; File Control Bytes/sec; Context Switches/sec; System Calls/sec; File Data Operations/sec; System Up Time; Processor Queue Length; Processes; Threads; Alignment Fixups/sec; Exception Dispatches/sec; Floating Emulations/sec; % Registry Quota In Use
disabled = 0
instances = *
interval = 300
object = System
index = perfmon

disabled = 1
monitorSubtree = 1

disabled = 0
hive = .*
proc = .*
type = rename|set|delete|create
index = windows

disabled = 0
hive = \\REGISTRY\\USER\\.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
index = windows

disabled = 0
hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
index = windows
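
An added example, not part of the original answer: a small Python check that merges a `default` and a `local` inputs.conf the way Splunk layers them (local wins one attribute at a time) and reports why each `perfmon://` input would or would not produce data. The sample layers, the stanza names in them, and the `known_indexes` set passed in are constructed assumptions for illustration.

```python
import re
# Constructed sample layers (not the poster's files); stanza names are illustrative.
DEFAULT_CONF = """
[perfmon://CPU]
counters = % Processor Time; % User Time
disabled = 1
object = Processor
index = perfmon
[perfmon://Memory]
disabled = 1
index = perfmon
"""
LOCAL_CONF = "[perfmon://CPU]\ndisabled = 0\n"

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}, skipping comments."""
    stanzas, current = {}, "default"
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
        elif line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def effective(default_text, local_text):
    """local/ overrides default/ one attribute at a time, not whole stanzas."""
    merged = parse_conf(default_text)
    for name, attrs in parse_conf(local_text).items():
        merged.setdefault(name, {}).update(attrs)
    return merged

def perfmon_report(conf, known_indexes):
    """Map each perfmon:// stanza to 'ok' or the reason it yields no data."""
    report = {}
    for name, attrs in conf.items():
        if not name.startswith("perfmon://"):
            continue
        index = attrs.get("index", "main")  # an unset index falls back to main
        if attrs.get("disabled", "0").lower() in ("1", "true"):
            report[name] = "disabled"
        elif index not in known_indexes:
            report[name] = f"index '{index}' not defined"
        else:
            report[name] = "ok"
    return report
print(perfmon_report(effective(DEFAULT_CONF, LOCAL_CONF), {"main", "windows"}))
```

Because the merge is per attribute, a `local` stanza only needs the keys being changed, such as `disabled = 0`; the counters and object still come from `default`.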

New Member

I'm new to Splunk and I have the same problem: I can see the Event Monitoring tasks but I can't see some of the parameters in Performance Monitoring and in other categories. Could you please explain where to configure those parameters? In inputs.conf in the directory local in .../etc/apps/...? I saw some examples but there were not all the pointers.

Thanks for any help.
