I updated our universal forwarders on our Exchange servers (Exchange 2010, SP2) to version 5 on Thursday. On Friday, I noticed I had no performance data on those servers in the Exchange App. After playing with it some Friday, this morning I downgraded those forwarders back to 4.3 and now the data is coming back in. Not sure why they were failing, but I was getting errors about the inputs.conf file in a few spots after I did the upgrade to 5.
Sometimes perfmon is broken on the server itself. I had to run "C:\Windows\System32> lodctr /R" on the server in order for perfmon logs to be collected.
Hey
I am also fairly new to Splunk but I have been working on this issue as well. Hidden in the documentation for this and the Active Directory app is that you need to redeploy the TAs to each server in order to get perfmon working. I just did it myself and now everything is working again!
Be sure to read the release and upgrade notes before ever doing an update, as per the docs:
http://docs.splunk.com/Documentation/Splunk/5.0/Installation/Aboutupgradingto5.0READTHISFIRST
The Windows performance monitoring input is now modular
The performance monitoring inputs for Windows now use the new modular input type. When you upgrade, Splunk replaces the existing scripted input with the new modular input. During the migration, Splunk saves the existing perfmon.conf file and renames it to perfmon.conf.migrated. It then copies the inputs defined in that file and places them into inputs.conf under similarly-named stanzas.
This has major impact for users who use the Splunk App for Microsoft Exchange and the Splunk App for Active Directory. Those apps use performance monitoring inputs extensively. If you use either of these apps, we suggest that you do not upgrade the apps until compatible versions are released.
For additional information on what a modular input is, read "Modular inputs overview" in the Developing Views and Apps for Splunk Web Manual.
Thanks, that does make sense, but I wish the documentation in general was more clear.
I assumed wrongly that since the Splunk App for Exchange said it was compatible with Splunk 5 on its page, this had been resolved.
I am new to Splunk, so I am learning about this stuff as I can.
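As an added example (not part of any post in this thread, and not Splunk's own tooling): a small Python check for the migration the quoted upgrade notes describe, comparing the saved perfmon.conf.migrated with the resulting inputs.conf to flag collectors that ended up missing or disabled. The stanza shapes `[PERFMON:<name>]` and `[perfmon://<name>]`, the function names and the sample file contents are assumptions constructed for illustration.

```python
def parse_stanzas(text):
    """Parse Splunk-style .conf text into {stanza_name: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def audit_migration(migrated_text, inputs_text):
    """Return {collector: "ok" | "disabled" | "object differs" | "missing"}."""
    # Assumed stanza shapes: [PERFMON:<name>] before, [perfmon://<name>] after.
    old = {n.split(":", 1)[1].strip(): s
           for n, s in parse_stanzas(migrated_text).items()
           if n.upper().startswith("PERFMON:")}
    new = {n[len("perfmon://"):].strip().lower(): s
           for n, s in parse_stanzas(inputs_text).items()
           if n.lower().startswith("perfmon://")}
    findings = {}
    for name, settings in old.items():
        stanza = new.get(name.lower())  # names compared case-insensitively
        if stanza is None:
            findings[name] = "missing"
        elif stanza.get("disabled", "0").lower() in ("1", "true"):
            findings[name] = "disabled"
        elif stanza.get("object") != settings.get("object"):
            findings[name] = "object differs"
        else:
            findings[name] = "ok"
    return findings

# Constructed sample files, not taken from the thread.
MIGRATED = """[PERFMON:CPU Load]
object = Processor
[PERFMON:Available Memory]
object = Memory
[PERFMON:Disk Queue]
object = PhysicalDisk"""
INPUTS = """[perfmon://CPU Load]
object = Processor
[perfmon://Available Memory]
object = Memory
disabled = 1"""
if __name__ == "__main__":
    print(audit_migration(MIGRATED, INPUTS))
```

Any collector reported as missing or disabled is a gap in the performance data that forwarder sends after the upgrade.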