Archive

Reporting on or displaying local PerfMon data

Path Finder

Hello
I just setup a trial install of Splunk (running with an Enterprise license at the moment). My version is 4.2.5, build 113966. I have one universal forwarder that is functioning fine, as far as I can tell (it is forwarding data from Event Logs to the indexer) - the UF was installed with this command line:

msiexec.exe /i splunkforwarder-4.2.5-113966-x64-release.msi AGREETOLICENSE=Yes RECEIVING_INDEXER="indexer_server:9997" DEPLOYMENT_SERVER="indexer_server:8089" WINEVENTLOG_APP_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 /quiet

I created a couple of entries in the C:\Program Files\SplunkUniversalForwarder\etc\system\local\perfmon.conf file of the UF, as follows:

[Perfmon:LocalPhysicalDisk]
interval = 15
object = PhysicalDisk
counters = Disk Bytes/sec; % Disk Read Time; % Disk Write Time; % Disk Time; Avg. Disk sec/Read; Avg. Disk sec/Write
instances = *
disabled = 0
index = ic_perfdatadb

[Perfmon:LocalMainMemory]
interval = 15
object = Memory
counters = Committed Bytes; Available Bytes; % Committed Bytes In Use
disabled = 0
index = ic_perfdatadb

There are also a few entries (preconfigured) for WMI perfmon counter collection.

My problem... I see the WMI collection data (e.g. source=WMI:Memory) from host=indexer_server, I also see entries from Perfmon (e.g. source=Perfmon:Network Interface) from host=indexer_server. What I do NOT see are the perfmon entries from my UF... It almost looks like I have forgotten to enable something, however I DO see that the entries are being sent from the UF to the indexer - the index "ic_perfdatadb" was specifically created for these perf counters and I can see it growing constantly...

Thanks!

0 Karma
1 Solution

Splunk Employee
Splunk Employee

Hmm, are you specifically querying for data in that index when you are looking for it, i.e., do your queries contain index=ic_perfdatadb, or else does your user's role include that index to be searched by default?

View solution in original post

Path Finder

Now that you put it that way... 🙂 I did not know I could do that, nor did I know the admin user didn't have access to all by default... I added the new indexes I created to the role and now I see! Thank you!

0 Karma

Splunk Employee
Splunk Employee

the admin has access, but it's just not queried by default.

0 Karma

Splunk Employee
Splunk Employee

Hmm, are you specifically querying for data in that index when you are looking for it, i.e., do your queries contain index=ic_perfdatadb, or else does your user's role include that index to be searched by default?

View solution in original post

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!