I'm looking for an App or configuration of the existing Windows App in Splunk for machine boot up time analysis. I think we can modify the forwarders with custom logs to help in this initiative. Anyone else looking or doing something similar to this?
First of all, when Windows boots, Splunk is down.
To get information on your boot performance, create scripts that mimic those tools and configure them to write the results to a log file; then you can index them with Splunk once Splunk is up and running.
make sure renderxml = true and then you probably want to do something like this:
host=somehost(s) index=yourindex source="WinEventLog:Microsoft-Windows-Diagnostics-Performance/Operational" sourcetype="XmlWinEventLog:Microsoft-Windows-Diagnostics-Performance/Operational" BootStartTime="*"
| eval BootTime_mins=round(BootTime/1000/60,2)
| eval BootUserProfileProcessingTime_mins=round(BootUserProfileProcessingTime/1000/60,2)
| eval BootDegradationDelta_mins=round(BootDegradationDelta/1000/60,2)
| eval MainPathBootTime_mins=round(MainPathBootTime/1000/60,2)
| eval BootPostBootTime_mins=round(BootPostBootTime/1000/60,2)
| eval UserLogonWaitDuration_mins=round(UserLogonWaitDuration/1000/60,2)
| stats avg(BootPostBootTime_mins) as Logon, avg(UserLogonWaitDuration_mins) as WaitingforUser, avg(MainPathBootTime_mins) as Startup BY host
Get as granular as you'd like with all the data points included in the XML, which is a lot, then make that a stacked bar chart and get a nice visualization of one or more hosts for comparison. The 3 I've included in the stats are generally enough to give you a good idea without getting too complex.
@brooklynotss, how are you converting the XML into key value pairs? When I do this with renderxml = true, Splunk does not automatically recognize any of the fields.
Did you use the default sourcetype or rename it? If this is collected with the Splunk-created TA, then it should get field extractions out of the box when the TA is deployed on the Search Head. Alternatively, you can play with the xmlkv and xpath commands.
I installed the Splunk Add-on for Microsoft Windows and now the fields are resolving.
Thanks Burch!
For mainstream Windows operating systems there is a new event log named "Microsoft-Windows-Diagnostics-Performance/Operational". Among the events in that log are detailed data on startup performance. Looking through the details of events in that log in Event Viewer, you may notice there are more fields in the XML view of the event than in the Friendly view of the event. If you didn't know already, Splunk's EventLog handler does not pick up the XML portions of Windows events. In the meantime you could write a custom input for event log channels whose XML-based fields you urgently need.
Log Name: Microsoft-Windows-Diagnostics-Performance/Operational
Source: Microsoft-Windows-Diagnostics-Performance
Event ID: 100
Task Category: Boot Performance Monitoring
...
Description:
Windows has started up:
Boot Duration : 43235ms
IsDegradation : false
...
2
2014-05-27T22:59:59.791691500Z
2014-05-27T23:02:10.685210300Z
78
76
43235
20035
13
385
544
...
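One way to do what the replies above suggest (a script that pulls the boot figures from the XML view of Event ID 100 and writes them to a log file Splunk can index), as an added example that is not from this thread; the output path, the RecordId bookmark and the choice of fields are assumptions, the field names themselves are the ones used in the search above:

```powershell
# Added example (not from the thread): export Event ID 100 from the
# Diagnostics-Performance channel as one key=value line per boot, ready
# for a Splunk file monitor. Values are milliseconds, as in the event
# description ("Boot Duration : 43235ms").
$LogName = 'Microsoft-Windows-Diagnostics-Performance/Operational'
$OutFile = 'C:\ProgramData\BootPerf\bootperf.log'   # assumed output path
$Fields  = 'BootStartTime','BootTime','MainPathBootTime','BootPostBootTime',
           'UserLogonWaitDuration','BootUserProfileProcessingTime',
           'BootDegradationDelta'

# Bookmark: only export boots newer than the last RecordId already written,
# so a scheduled run does not fill the file with duplicate events.
$since = $null
if (Test-Path $OutFile) {
    $last = Get-Content $OutFile -Tail 1
    if ($last -match 'RecordId=(\d+)') { $since = [int64]$Matches[1] }
}

New-Item -ItemType Directory -Force -Path (Split-Path $OutFile) | Out-Null

$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 100 } `
    -ErrorAction SilentlyContinue | Sort-Object RecordId

foreach ($ev in $events) {
    if ($null -ne $since -and $ev.RecordId -le $since) { continue }

    # The Friendly view hides most fields; the XML view carries them all
    # as <Data Name="..."> elements under <EventData>.
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $pairs = foreach ($f in $Fields) {
        if ($data.ContainsKey($f)) { '{0}={1}' -f $f, $data[$f] }
    }
    $line = '{0} host={1} RecordId={2} {3}' -f $ev.TimeCreated.ToString('o'),
        $env:COMPUTERNAME, $ev.RecordId, ($pairs -join ' ')
    Add-Content -Path $OutFile -Value $line
}
```

Run it from a scheduled task after the forwarder is up and point a monitor stanza at the output file; the key=value layout means Splunk extracts BootTime, MainPathBootTime and the rest with no further configuration.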
Not sure that monitoring the msconfig boot log file only will give me the larger picture. We could do that but I'd like to determine the root cause of slow boot up performance caused by applications and group policy (for example) or other variables. Here is an example of a tool out there but I don't have the option of deploying this to an excessive amount of machines. http://www.autoitconsulting.com/site/performance/windows-performance-toolkit-simple-boot-logging/
Are you talking about analyzing the msconfig boot log file?