Archive

How to get perfmon data into a metrics index?

New Member

Hello,

i have TA Windows 6.0.0 installed on my multisite cluster enviroment on but i cannot see any data incoming into my metrics index.
my operation system language is german. on a standalone splunk instance this works fine and i see the metrics incoming.

  • serach heads
  • universal forwarder (with deployment server)
  • serach head

inputs.conf:

[perfmon://CPU]
counters = *
instances = *
interval = 30
object = Prozessor
useEnglishOnly=false
index=perfmon
disabled = 0

[perfmon://Memory]
counters = *
interval = 30
object = Arbeitsspeicher
useEnglishOnly=false
index=perfmon
disabled = 0

[perfmon://Network]
counters = *
instances = *
interval = 30
object = Netzwerkschnittstelle
useEnglishOnly=false
index=perfmon
disabled = 0

[perfmon://Process]
counters = *
instances = *
interval = 300
object = Prozess
useEnglishOnly=false
index=perfmon
disabled = 0

[perfmon://PhysicalDisk]
counters = *
instances = *
interval = 300
object = Physikalischer Datenträger
useEnglishOnly=false
index=perfmon
disabled = 0

Tags (2)
0 Karma

New Member

I always get messages like this:

xxx has the following message: Metric value= is not valid for source=CPU, sourcetype=CPU, host=yyy, index=perfmon. Metric event data with an invalid metric value would not be indexed. Ensure the input metric data is not malformed.

0 Karma

Builder

A few things to check pop to mind -

1) Sounds like your mode isn't set to single in inputs.conf add this to your inputs.conf
mode = single
SplunkTAWindows requires single mode for the transforms.conf to convert to metrics.
2) Make sure you have counters and instances configured. They appear blank in your example
3) Ensure your perfmon index is declared as metrics.

Just a thought - you might want your indexes name to indicate the data type to avoid confusion later. By no means a requirement, but not all perfmon inputs convert to metrics under SplunkTAwindows 6.0.0 automatically. You can see which ones actually convert by default by reading transforms.conf in SplunkTAwindows towards the bottom.
index=perfmon_metrics instead of index=perfmon.

More about Perfmon mode
https://www.splunk.com/blog/2013/10/28/new-features-for-perfmon-in-splunk-6.html

0 Karma

New Member

on my single instance, it works without mode, but i will try

counters and instances are wildcard, which should work together with useEnglishOnly=false

index is declared as metrics

0 Karma

SplunkTrust
SplunkTrust

Perfmon data is not in the correct format for metrics indexes. You must use an events index.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

New Member

there are transforms for a metrics index... and on my single test instance it works just fine

0 Karma

SplunkTrust
SplunkTrust

@jkwiotek Please share the transforms you use for metrics.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

New Member

im using the original transforms from the ta-windows app

0 Karma

New Member

Search peer xxx has the following message: Metric value= is not valid for source=CPU, sourcetype=CPU, host=yyy, index=perfmon. Metric event data with an invalid metric value would not be indexed. Ensure the input metric data is not malformed.
10.8.2019, 13:37:05
Search peer xxx has the following message: Metric name is missing for source=CPU, sourcetype=CPU, host=yyy, index=perfmon. Metric event data without metric name is invalid and would not be indexed. Ensure the input metric data is not malformed.

0 Karma