Getting Data In

How to configure inputs.conf to index Windows Perfmon RPC/HTTP proxy counters?

1500372
Explorer

I've configured inputs.conf like below, but I can't see any data. (Other stanzas for [perfmon:// are all working perfectly.)

Splunk Version: Splunk Enterprise 6.2.1
Target Server: Windows 2008 R2 (I can see the Perfmon object and counters from perfmon.exe screen.)
I've double checked all strings to determine if the case sensitive problems.

[perfmon://RPC_HTTP_Proxy]
index=perfmon
object=RPC/HTTP Proxy
counters=\RPC/HTTP Requests per Second; Current Number of Unique Users; Number of Failed Back-End Connection Attempts per Second
interval=10
disabled=false
showZeroValue=true
useEnglishOnly=true

Please help me how to index above Perfmon counters properly.

0 Karma
1 Solution

1500372
Explorer

Upgrading Splunk Universal Forwarder over 6.4 solve the problem in my case.

View solution in original post

0 Karma

1500372
Explorer

Upgrading Splunk Universal Forwarder over 6.4 solve the problem in my case.

0 Karma

guillaumeange
New Member

Hello, i've the same problem with another custom perform.

My indexer don't have this perfmon. the counter of my custom perform is located on 2 servers using splunkforwarder.

any suggestions ?

0 Karma

niketn
Legend

Can you please check the system from where performance counters are being forwarded? Using start > run > perfmon, whether RPC_HTTP_PROXY is available counter on the machine or not.

If it is, and you have a non prod system with similar configuration see if you can install Splunk and use Add Data > Local Performance Monitor and check whether the same performance counter is listed in splunk or not.

You can also try keeping only above performance counter forwarding in inputs.conf and restart splunk. Validate the splunkd logs for above performance counter, whether there is any error logged or not.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

guillaumeange
New Member

i've found the solution thanks to wildcard in object.

Example inputs.conf :

## S4B Inbound Calls
[perfmon://S4BInbountCalls]
counters = - Current
object = LS:MediationServer.*Inbound Calls
instances = _Total
interval = 30
index = perfmon
disabled = 0
showZeroValue = 1
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...