Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Object field on network perfmon data

doddsjr653
New Member
‎09-12-2013 11:17 PM

I'm running Splunk 5.0.4 along with the Windows app. I'm trying to figure out what is fiddling with the object field on all of my network perfmon data. The raw data of a typical event looks like so:

09/13/2013 01:56:26.169
collection=LocalNetwork
object="Network Interface"
counter="Bytes Sent/sec"
instance="Intel[R] PRO_1000 MT Network Connection"
Value=145267.89417928556

All of the fields are being indexed properly, as they show up in the field list on the left in the search app. However, for each event that has the [ character in the instance field, an additional value is being generated for the object field that contains the rest of the instance field data, plus the Value field line. Using the above event as an example, I see this as a value in the object field for that event:

R] PRO_1000 MT Network Connection" Value=145267.89417928556

This makes a terrible mess of windows_perfmon_details.csv, and I think it's causing a performance impact on the Windows app because of the thousands of extra perfmon instances it's detecting.

I've looked through transforms.conf and props.conf, and I don't think there's anything in there that could be causing this. I'm not exactly sure what to look for though. My OCD would appreciate any help offered to solve this.

Tags (2)
0 Karma
Reply

doddsjr653
New Member
‎09-15-2013 12:28 PM

Correct, each event has those two values for object.

0 Karma
Reply

mloven_splunk
Splunk Employee
Splunk Employee
‎09-15-2013 11:45 AM

Do you have "Network Interface" in quotes in your config, like you do in your original post?

I ask because I'm looking at the Splunk_TA_windows app right now and it doesn't have quotes around that string.

0 Karma
Reply

doddsjr653
New Member
‎09-18-2013 01:38 PM

I do not have quotes around Network Interface in my inputs.conf.

0 Karma
Reply

doddsjr653
New Member
‎09-15-2013 12:40 PM

The event data has the quotes, but I can't remember off the top of my head if the conf file has the quotes...I believe it does. I will check on that.

0 Karma
Reply

mloven_splunk
Splunk Employee
Splunk Employee
‎09-15-2013 11:40 AM

So, for each event with a "[" in the instance field, you're getting two values for object? One set to "Network Interface" and one set to "R] PRO_1000...."?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...