Getting Data In

How to configure inputs.conf to index Windows Perfmon RPC/HTTP proxy counters?

1500372
Explorer

I've configured inputs.conf like below, but I can't see any data. (Other stanzas for [perfmon:// are all working perfectly.)

Splunk Version: Splunk Enterprise 6.2.1
Target Server: Windows 2008 R2 (I can see the Perfmon object and counters from perfmon.exe screen.)
I've double checked all strings to determine if the case sensitive problems.

[perfmon://RPC_HTTP_Proxy]
index=perfmon
object=RPC/HTTP Proxy
counters=\RPC/HTTP Requests per Second; Current Number of Unique Users; Number of Failed Back-End Connection Attempts per Second
interval=10
disabled=false
showZeroValue=true
useEnglishOnly=true

Please help me how to index above Perfmon counters properly.

0 Karma
1 Solution

1500372
Explorer

Upgrading Splunk Universal Forwarder over 6.4 solve the problem in my case.

View solution in original post

0 Karma

1500372
Explorer

Upgrading Splunk Universal Forwarder over 6.4 solve the problem in my case.

0 Karma

guillaumeange
New Member

Hello, i've the same problem with another custom perform.

My indexer don't have this perfmon. the counter of my custom perform is located on 2 servers using splunkforwarder.

any suggestions ?

0 Karma

niketn
Legend

Can you please check the system from where performance counters are being forwarded? Using start > run > perfmon, whether RPC_HTTP_PROXY is available counter on the machine or not.

If it is, and you have a non prod system with similar configuration see if you can install Splunk and use Add Data > Local Performance Monitor and check whether the same performance counter is listed in splunk or not.

You can also try keeping only above performance counter forwarding in inputs.conf and restart splunk. Validate the splunkd logs for above performance counter, whether there is any error logged or not.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

guillaumeange
New Member

i've found the solution thanks to wildcard in object.

Example inputs.conf :

## S4B Inbound Calls
[perfmon://S4BInbountCalls]
counters = - Current
object = LS:MediationServer.*Inbound Calls
instances = _Total
interval = 30
index = perfmon
disabled = 0
showZeroValue = 1
0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...