My goal is to pull in some info from perfmon, specifically from the APP_POOL_WAS
object.
I read this page here: http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/Real-timeWindowsperformancemonitoring
I went to Settings > Data inputs > Local performance monitoring and defined a new collection based on the object and counters I wanted.
Then, I added a stanza in the /etc/system/local/inputs.conf that described that data I wanted to be forwarded.
I then searched for collection=<thenameofmynewcollection>
and all I found were records from my indexer host, not the web server I want to monitor. However, I cannot find a stanza in any inputs.conf on the search head/indexer that reflects the change.
Is Data inputs just a screen to
modify the inputs.conf on the search
head??
Is there any way to get a
pretty interface like that for the
forwarder?
Why do you think my events are not be
forwarded from the web server? (sort
of a separate issue I guess)
Please help
The Web interface exists only on the splunk build, not on the Universal Forwarder.
see http://docs.splunk.com/Documentation/Splunk/6.0.1/Forwarding/Typesofforwarders
However you can turn a regular splunk into :
- a HF heavy forwarder (it will parse the events, but forward the cooked data to another server) and the UI will be up.
- or a LWF light weight forwarder (it will not parse the events, like an universal forwarder) but the UI will be disabled.
http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Deployaforwarder
I would recommend to use the LWF, and re-enable it in web.conf
[setting]
startwebserver =true
I see, my personal method when I have a large set of forwarder to setup.
- use a regular splunk UI to setup the inputs
- verify the inputs
- copy the config generated in the apps
- install/deploy the apps to the forwarders
- go home early
Why then does it say everywhere to use Splunk web rather then edit inputs.conf directly? For a universal forwarder the only option is to edit the files directly. I guess that is why I was confused. Seriously, this is on all the documentation about inputs.conf
"While you can add
performance monitor inputs manually, Splunk recommends that you use Splunk Web
to configure them, because it is easy to mistype the values for
Performance Monitor objects, counters and instances."
Thanks. I was some what aware of this. My take away was "just use the universal forwarder, don't worry about anything else"
I guess I was hoping there would be some feature on the search head to graphically maniuplate inputs.conf across forwarders.
Seems like it would make sense to have a Splunk app that could modify inputs.conf across a large number of forwarders. What do large deployments do? Git or Puppet or something I imagine?