
Universal forwarder 5 - no perfmon data for exchange

darlonjeel
New Member

I updated our universal forwarders on our Exchange servers (Exchange 2010, SP2) to version 5 on Thursday. On Friday, I noticed I had no performance data on those servers in the Exchange App. After playing with it some on Friday, this morning I downgraded those forwarders back to 4.3 and now the data is coming back in. Not sure why they were failing, but I was getting errors about the inputs.conf file in a few spots after I did the upgrade to 5.

0 Karma

I-Man
Communicator

Sometimes perfmon is broken on the server itself. I had to run "C:\Windows\System32> lodctr /R" on the server in order for perfmon logs to be collected.

0 Karma

bmonje
New Member

Hey,
I am also fairly new to Splunk, but I have been working on this issue as well. Hidden in the documentation for this and the Active Directory app is that you need to redeploy the TAs to each server in order to get perfmon working. I just did it myself and now everything is working again!

0 Karma

Drainy
Champion

Be sure to read the release and upgrade notes before ever doing an update. As per the docs:
http://docs.splunk.com/Documentation/Splunk/5.0/Installation/Aboutupgradingto5.0READTHISFIRST

The Windows performance monitoring input is now modular
The performance monitoring inputs for Windows now use the new modular input type. When you upgrade, Splunk replaces the existing scripted input with the new modular input. During the migration, Splunk saves the existing perfmon.conf file and renames it to perfmon.conf.migrated. It then copies the inputs defined in that file and places them into inputs.conf under similarly-named stanzas. 

This has major impact for users who use the Splunk App for Microsoft Exchange and the Splunk App for Active Directory. Those apps use performance monitoring inputs extensively. If you use either of these apps, we suggest that you do not upgrade the apps until compatible versions are released. 

For additional information on what a modular input is, read "Modular inputs overview" in the Developing Views and Apps for Splunk Web Manual. 
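
The following is an added example, not part of the original post and not Splunk's own code: a check a forwarder administrator could run after the upgrade to see whether every input in perfmon.conf.migrated has a counterpart in inputs.conf, so a silent gap in performance data is caught early. The stanza header formats (`[PERFMON:<name>]` before, `[perfmon://<name>]` after), the single-directory layout and the sample stanzas are assumptions made for this example.

```python
import re
import tempfile
from pathlib import Path

STANZA = re.compile(r"^\s*\[([^\]]+)\]\s*$")

# Constructed sample files; stanza names and settings are illustrative only.
SAMPLE_OLD = """[PERFMON:CPU Load]
object = Processor
counters = % Processor Time
[PERFMON:Disk Space]
object = LogicalDisk
"""
SAMPLE_NEW = """[perfmon://CPU Load]
object = Processor
counters = % Processor Time
"""

def stanza_names(text, prefix):
    """Names of stanzas whose header starts with prefix, lower-cased."""
    names = set()
    for line in text.splitlines():
        m = STANZA.match(line)
        if m and m.group(1).lower().startswith(prefix.lower()):
            names.add(m.group(1)[len(prefix):].strip().lower())
    return names

def audit_perfmon_migration(conf_dir):
    """Compare perfmon.conf.migrated with inputs.conf in one conf directory."""
    conf_dir = Path(conf_dir)
    migrated = conf_dir / "perfmon.conf.migrated"
    inputs = conf_dir / "inputs.conf"
    # Assumed header formats: [PERFMON:<name>] before, [perfmon://<name>] after.
    old = stanza_names(migrated.read_text() if migrated.exists() else "", "PERFMON:")
    new = stanza_names(inputs.read_text() if inputs.exists() else "", "perfmon://")
    return {
        "migration_ran": migrated.exists(),
        "legacy_file_left": (conf_dir / "perfmon.conf").exists(),
        "missing_in_inputs": sorted(old - new),  # collection silently lost
        "modular_inputs": sorted(new),
    }

def demo():
    """Audit a temporary directory holding the constructed samples."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "perfmon.conf.migrated").write_text(SAMPLE_OLD)
        Path(d, "inputs.conf").write_text(SAMPLE_NEW)
        return audit_perfmon_migration(d)

if __name__ == "__main__":
    print(demo())
```

A non-empty `missing_in_inputs` list means an input that existed before the upgrade has no modular counterpart and is no longer being collected.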

darlonjeel
New Member

Thanks, that does make sense, but I wish the documentation in general was more clear.

I assumed wrongly that since the Splunk App for Exchange said it was compatible with Splunk 5 on its page, this had been resolved.

I am new to Splunk, so I am learning about this stuff as I can.

0 Karma