Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Perfmon and zero value data

Derek
Path Finder
‎10-12-2011 04:55 AM

Hi,

Does the Perfmon inputs record data when the value is zero?

It would seem that it doesn't and that differs from WMI inputs.

Example Perfmon Stanza:

[PERFMON:System]
counters = Processor Queue Length
disabled = 0
instances =
interval = 5
object = System
index = main

Thanks.

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

vcarbona
Path Finder
‎12-20-2012 02:04 PM

I've been able to debug this using $SPLUNK_HOME\bin\splunk-perfmon.exe -showzero
You must first set your SPLUNK_HOME environment variable before executing the above command.
A GUI will popup and you simply select which counter you suspect is not working. Within 10 seconds you start seeing the counter values (CTRL-C to break out of it). If you omit the -showzero parameter and use that same counter nothing will print to the screen and you'll have your answer.

I noticed that the scripted input (in inputs.conf) shows it uses the $SPLUNK_HOME\bin\scripts\splunk_perfmon.path. I guess zero (0) values are suppressed because it saves disk. If you absolutely want those to NOT be suppressed, just update the splunk-perfmon.path file and add the -showzero parameter to it and restart. ie:

$SPLUNK_HOME\bin\splunk-perfmon.exe -noui -showzero

One more thing: When I say zero (0) values are suppressed, I mean absolute 0 NOT 0.125673 . The latter will be captured by splunk-perfmon.exe and forwarded out.

View solution in original post

Reply
Solved! Jump to solution

bravon
Communicator
‎12-08-2014 04:09 AM

showZeroValue = 1

http://blogs.splunk.com/2013/10/28/new-features-for-perfmon-in-splunk-6/

0 Karma
Reply
Solved! Jump to solution
Solution

vcarbona
Path Finder
‎12-20-2012 02:04 PM

I've been able to debug this using $SPLUNK_HOME\bin\splunk-perfmon.exe -showzero
You must first set your SPLUNK_HOME environment variable before executing the above command.
A GUI will popup and you simply select which counter you suspect is not working. Within 10 seconds you start seeing the counter values (CTRL-C to break out of it). If you omit the -showzero parameter and use that same counter nothing will print to the screen and you'll have your answer.

I noticed that the scripted input (in inputs.conf) shows it uses the $SPLUNK_HOME\bin\scripts\splunk_perfmon.path. I guess zero (0) values are suppressed because it saves disk. If you absolutely want those to NOT be suppressed, just update the splunk-perfmon.path file and add the -showzero parameter to it and restart. ie:

$SPLUNK_HOME\bin\splunk-perfmon.exe -noui -showzero

One more thing: When I say zero (0) values are suppressed, I mean absolute 0 NOT 0.125673 . The latter will be captured by splunk-perfmon.exe and forwarded out.

Reply
Solved! Jump to solution

Derek
Path Finder
‎12-21-2012 05:32 AM

Thanks for the followup. I believe they added that flag in a release since I initially fixed it. To be honest I had forgotten about it as we stuck with WMI instead of Perfmon.

0 Karma
Reply
Solved! Jump to solution

Derek
Path Finder
‎10-18-2011 04:32 AM

I Contacted Support and they don't believe this is correct and have opened an issue with engineering

Reply
Solved! Jump to solution

vdubgeek
New Member
‎06-25-2012 09:38 AM

Were you able to determine if this is correct or not? I'm seeing the same issue here with perf counters that return a value of 0.

0 Karma
Reply
Solved! Jump to solution

_d_
Splunk Employee
Splunk Employee
‎10-12-2011 09:04 AM

I see that your "instances =" is empty. Which instance of that Object are you interested in? Try instances=*

0 Karma
Reply
Solved! Jump to solution

Derek
Path Finder
‎10-12-2011 09:46 AM

For that particluar counter there are no instances. So since I'm getting entries when the value is not zero, I assume it's ignoring it...

0 Karma
Reply
Solved! Jump to solution

_d_
Splunk Employee
Splunk Employee
‎10-12-2011 08:54 AM

..and I am assuming that the perfmon stanzas are enabled (ie. disabled=false), correct?
Do you see other non-zero values?

0 Karma
Reply
Solved! Jump to solution

Derek
Path Finder
‎10-12-2011 08:57 AM

Yes. I see other non-zero data. Posted a sample stanza above.

0 Karma
Reply
Solved! Jump to solution

_d_
Splunk Employee
Splunk Employee
‎10-12-2011 08:33 AM

Hi Derek, I am not sure whether perfmon will record value=0 data - although i would suspect that it does - but if you want to make sure fire up perfmon in your Windows machine, add those instances and see what the graph says.

0 Karma
Reply
Solved! Jump to solution

Derek
Path Finder
‎10-12-2011 08:48 AM

When I load up perfmon, it shows the current value of 0 for some of the counters when they are zero and yet nothing in Splunk.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...