Getting Data In

How to collect perfmon data on .NET counters?

anewell
Path Finder

I am attempting to collect perfmon counters to track garbage collection in a .NET application. I can create the counter locally in the Windows perfmon GUI, so I believe the data ought to be exposed to the Splunk perfmon modular input. However, the inputs.conf stanza I've created does not work, and returns no errors.

[perfmon://NETGarbageCollection]
counters = NumberGen2Collections
disabled = false
instances = *
interval = 60
object = Win32_PerfFormattedData_NETFramework_NETCLRMemory
index = test

I have also tried running a WMI query directly from the splunk-wmi.exe helper executable (a technique I've used successfully before)

PS C:\Program Files\SplunkUniversalForwarder\bin> & .\splunk-wmi.exe -wql "SELECT * FROM Win32_PerfFormattedData_NETFram
ework_NETCLRMemory"

Clean shutdown completed.

PS C:\Program Files\SplunkUniversalForwarder\bin> & .\splunk-wmi.exe -wql "SELECT NumberGen2Collections FROM Win32_PerfF
ormattedData_NETFramework_NETCLRMemory"

Clean shutdown completed.

My developers are hoping to use the counter information to debug a problem in our production software, and so there is considerable interest in getting this working.

I am collecting perfmon on a Universal Forwarder which is otherwise working as expected. Indexer and forwarder are both running Splunk 6.0.3, OS is Windows server 2012, .NET is 4.5. I've been taking my perfmon counter names and object paths from this reference.

Thanks!

0 Karma
1 Solution

anewell
Path Finder

Found a workaround, in the form of a scripted input run on the forwarder. (The regex is to select IIS-related counters, which happen to be what I'm after)

The script outputs a table of each IIS process and it's "# Gen 2 Collections" perfmon counter:

#! powershell
$gc2 = get-counter -Counter "\.NET CLR Memory(w3wp*)\# Gen 2 Collections"
[regex]$regex = 'w3wp(\#\d)?'
$arrCounterPath = $gc2.CounterSamples | %{ $regex.match($_.Path) } | %{$_.value}
$output = @{}
for ($i=0; $i -lt $gc2.CounterSamples.count; $i++) {
        $output.add($arrCounterPath[$i], $gc2.CounterSamples[$i].CookedValue)
    }

#  tabular output is fine for splunk; run through "multikv" search command.
write-output $output

View solution in original post

Goldbeed
Engager

This is what I used to ingest the data

[perfmon://.NET CLR Memory]
counters = % Time in GC
disabled = 0
instances = *
interval = 10
object=.NET CLR Memory
useEnglishOnly=true,This is what I Used to gather the data into splunk.

[perfmon://.NET CLR Memory]
counters = % Time in GC
disabled = 0
instances = *
interval = 5
object=.NET CLR Memory
useEnglishOnly=true,This is what I used to gather the content for splunk

[perfmon://.NET CLR Memory]
counters = % Time in GC
disabled = 0
instances = *
interval = 5
object=.NET CLR Memory
useEnglishOnly=true

anewell
Path Finder

Found a workaround, in the form of a scripted input run on the forwarder. (The regex is to select IIS-related counters, which happen to be what I'm after)

The script outputs a table of each IIS process and it's "# Gen 2 Collections" perfmon counter:

#! powershell
$gc2 = get-counter -Counter "\.NET CLR Memory(w3wp*)\# Gen 2 Collections"
[regex]$regex = 'w3wp(\#\d)?'
$arrCounterPath = $gc2.CounterSamples | %{ $regex.match($_.Path) } | %{$_.value}
$output = @{}
for ($i=0; $i -lt $gc2.CounterSamples.count; $i++) {
        $output.add($arrCounterPath[$i], $gc2.CounterSamples[$i].CookedValue)
    }

#  tabular output is fine for splunk; run through "multikv" search command.
write-output $output

anewell
Path Finder
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...