Solved: How are Windows instance numbers for two processes...

petenetwork · ‎06-11-2018

I have several svchost.exe processes running on a Windows host. In Splunk in the Perfmon:Process sourcetype I have events of the following form (apologies for the United States of America date format, it is confusing as it is not in a logical ordering of units like ISO8601, but unfortunately this is the way events are stored in Splunk, the dates below are the 12 May, not 5 December as anyone might logically interpret them, I understand Splunk is used by people worldwide and to use a confusing date format is not helpful):

05/12/2018 15:20:41.325 +0000
collection=Process
object=Process
counter="Working Set - Private"
instance=svchost
Value=2404352

05/12/2018 15:20:41.325 +0000
collection=Process
object=Process
counter="Working Set - Private"
instance=svchost#1
Value=774144

05/12/2018 15:20:41.325 +0000
collection=Process
object=Process
counter="Working Set - Private"
instance=svchost#3
Value=10354688

Now svchost#3 is using too much memory. Elsewhere I have logs that record the PID of all the running processes but not the instance number. So what does the #3 refer to, how is it determined?

I've tried to guess, perhaps that number #3 is allocated in order of (as found in sourcetype=WinHostMon😞

ProcessId, or
StartTime (of the process), or
CommandLine

... or is it randomly assigned? Is there any way of mapping an instance number to a particular running process on a host?

MuS · ‎06-11-2018

Hi petenetwork,

Not a real answer that's why it is a comment 😉 The date can be fixed by using /en-GB/ in the URI of Splunk.

Regarding the #NumberHere issue, why do you think this is Splunk? Actually this in Windows logging this way, and to make it even worth, as you can read here https://blogs.technet.microsoft.com/askperf/2010/03/29/perfmon-identifying-processes-by-pid-instead-... , those numbers are not static. They can change dynamically, or at least back in the days it was like that ... if this is still the case, who knows ¯\_(ツ)_/¯

cheers, MuS

View solution in original post

DalJeanis · ‎06-13-2018

Have to agree that ISO date format (2018-05-12) is better because it cannot be misinterpreted. The word "logically" doesn't really come into it... MM/DD/YYYY and DD/MM/YYYY are mere competing cultural/historical standards that are both silly as well as ambiguous. medium-small-large or small-medium-large both make no sense in terms of modern usage.

petenetwork · ‎06-12-2018

I've discovered that the sourcetype=Perfmon:Process counter="ID Process" counter maps instance to ProcessID (Value), the command line of which can be looked up using sourcetype=WinHostMon.

MuS · ‎06-11-2018

Hi petenetwork,

Not a real answer that's why it is a comment 😉 The date can be fixed by using /en-GB/ in the URI of Splunk.

Regarding the #NumberHere issue, why do you think this is Splunk? Actually this in Windows logging this way, and to make it even worth, as you can read here https://blogs.technet.microsoft.com/askperf/2010/03/29/perfmon-identifying-processes-by-pid-instead-... , those numbers are not static. They can change dynamically, or at least back in the days it was like that ... if this is still the case, who knows ¯\_(ツ)_/¯

cheers, MuS

petenetwork · ‎06-11-2018

Thank you MuS, I believe that answers my question. I'd be happy to credit you with the answer if you wish to repost your comment as an answer.

MuS · ‎06-11-2018

done, Thanks 🙂

How are Windows instance numbers for two processes with the same name determined?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies