Assistance on mcollect command for perfmon

dsbruce · ‎01-09-2020

I am trying to pull windows_TA perfmon data to a metric index to give our users sample data so they can create metric dashboards for their data before we move all the data to metric. I know I am close with the search, but missing something. I am only trying to get one type of event to work. I am doing spool=false so I can see the data, but when I remove this command I do not see the data in the metrics workspace.

Here is the basic search: index=perfmon host=test01* sourcetype="PerfmonMk:System"
Here is the event data
Processor_Queue_Length = 0
System_Up_Time = 1639423.1988073
host = test01
source = PerfmonMk:System
sourcetype = PerfmonMk:System

Here is my mcollect search
index=perfmon host=test01* sourcetype="PerfmonMk:System"
| rename _time as metric_timestamp, System_Up_Time as _value
| eval metric_name="System_Up_Time"
| table metric_timestamp, metric_name, _value, host
| mcollect index=perfmon_metric spool=false file=db-$timestamp$_metrics.csv host

Here is what I see in the spool var/run/splunk/metrics.csv file:
The top line is generated automatically

metric_timestamp,metric_name,_value,host
1578588112.000,System_Up_Time,1642783.1900182,test01

Any assistance would be appreciated.

Assistance on mcollect command for perfmon

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...