How is WinHostMon data gathered?

joeybagofdonuts · ‎10-14-2021

I'm trying to gather how many CPUs and Cores a server has but, it seems like on most VMs the CPUs and Cores reports as just 1 regardless of the actual number.

Here is the search I was running:

index=windows sourcetype=winhostmon source=processor
| table host cpu* Number*
| dedup host

And here is an section of the output:

host	cpu_architecture	cpu_cores	cpu_count	cpu_mhz	NumberOfCores	NumberOfProcessors
server1	x64	1	1	2397	1	1
server2	x64	1	1	2397	1	1
server3	x64	1	1	2497	1	1
server4	x64	1	1	2497	1	1
server5	x64	1	1	2397	1	1
server6	x64	1	1	2397	1	1
server7	x64	1	1	2497	1	1
server8	x64	1	1	3193	1	1
server9	x64	1	1	2594	1	1
server10	x64	1	1	2397	1	1
server11	x64	1	1	2397	1	1
server12	x64	1	1	2397	1	1
server13	x64	1	1	2497	1	1
server14	x64	1	1	2597	1	1
server15	x64	1	1	2497	1	1
server16	x64	1	1	2397	1	1
server17	x64	1	1	2397	1	1
server18	x64	1	1	2497	1	1
server19	x64	1	1	2597	1	1
server20	x64	1	1	2497	1	1
server21	x64	1	1	2397	1	1
server22	x64	1	1	2397	1	1
server23	x64	1	1	2497	1	1
server24	x64	1	1	2597	1	1
server25	x64	1	1	2397	1	1

This is what I have in my inputs.conf

[WinHostMon://Processor]

interval = 300

disabled = 0

type = Processor

What commands or data sources are used to gather this data? I want to view this data on the server itself and see if the server is reporting it to Splunk wrong(my assumption) or if there is a bug in winhostmon.

Thanks!

How is WinHostMon data gathered?

inputs.conf

sourcetype

universal forwarder

Windows

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?