Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Object field on network perfmon data

doddsjr653
New Member
‎09-12-2013 11:17 PM

I'm running Splunk 5.0.4 along with the Windows app. I'm trying to figure out what is fiddling with the object field on all of my network perfmon data. The raw data of a typical event looks like so:

09/13/2013 01:56:26.169
collection=LocalNetwork
object="Network Interface"
counter="Bytes Sent/sec"
instance="Intel[R] PRO_1000 MT Network Connection"
Value=145267.89417928556

All of the fields are being indexed properly, as they show up in the field list on the left in the search app. However, for each event that has the [ character in the instance field, an additional value is being generated for the object field that contains the rest of the instance field data, plus the Value field line. Using the above event as an example, I see this as a value in the object field for that event:

R] PRO_1000 MT Network Connection" Value=145267.89417928556

This makes a terrible mess of windows_perfmon_details.csv, and I think it's causing a performance impact on the Windows app because of the thousands of extra perfmon instances it's detecting.

I've looked through transforms.conf and props.conf, and I don't think there's anything in there that could be causing this. I'm not exactly sure what to look for though. My OCD would appreciate any help offered to solve this.

Tags (2)
0 Karma
Reply

doddsjr653
New Member
‎09-15-2013 12:28 PM

Correct, each event has those two values for object.

0 Karma
Reply

mloven_splunk
Splunk Employee
Splunk Employee
‎09-15-2013 11:45 AM

Do you have "Network Interface" in quotes in your config, like you do in your original post?

I ask because I'm looking at the Splunk_TA_windows app right now and it doesn't have quotes around that string.

0 Karma
Reply

doddsjr653
New Member
‎09-18-2013 01:38 PM

I do not have quotes around Network Interface in my inputs.conf.

0 Karma
Reply

doddsjr653
New Member
‎09-15-2013 12:40 PM

The event data has the quotes, but I can't remember off the top of my head if the conf file has the quotes...I believe it does. I will check on that.

0 Karma
Reply

mloven_splunk
Splunk Employee
Splunk Employee
‎09-15-2013 11:40 AM

So, for each event with a "[" in the instance field, you're getting two values for object? One set to "Network Interface" and one set to "R] PRO_1000...."?

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...