Getting Data In

Perfmon and zero value data

Derek
Path Finder

Hi,

Does the Perfmon inputs record data when the value is zero?

It would seem that it doesn't and that differs from WMI inputs.

Example Perfmon Stanza:

[PERFMON:System]
counters = Processor Queue Length
disabled = 0
instances =
interval = 5
object = System
index = main

Thanks.

Tags (2)
1 Solution

vcarbona
Path Finder

I've been able to debug this using $SPLUNK_HOME\bin\splunk-perfmon.exe -showzero
You must first set your SPLUNK_HOME environment variable before executing the above command.
A GUI will popup and you simply select which counter you suspect is not working. Within 10 seconds you start seeing the counter values (CTRL-C to break out of it). If you omit the -showzero parameter and use that same counter nothing will print to the screen and you'll have your answer.

I noticed that the scripted input (in inputs.conf) shows it uses the $SPLUNK_HOME\bin\scripts\splunk_perfmon.path. I guess zero (0) values are suppressed because it saves disk. If you absolutely want those to NOT be suppressed, just update the splunk-perfmon.path file and add the -showzero parameter to it and restart. ie:

$SPLUNK_HOME\bin\splunk-perfmon.exe -noui -showzero

One more thing: When I say zero (0) values are suppressed, I mean absolute 0 NOT 0.125673 . The latter will be captured by splunk-perfmon.exe and forwarded out.

View solution in original post

bravon
Communicator
0 Karma

vcarbona
Path Finder

I've been able to debug this using $SPLUNK_HOME\bin\splunk-perfmon.exe -showzero
You must first set your SPLUNK_HOME environment variable before executing the above command.
A GUI will popup and you simply select which counter you suspect is not working. Within 10 seconds you start seeing the counter values (CTRL-C to break out of it). If you omit the -showzero parameter and use that same counter nothing will print to the screen and you'll have your answer.

I noticed that the scripted input (in inputs.conf) shows it uses the $SPLUNK_HOME\bin\scripts\splunk_perfmon.path. I guess zero (0) values are suppressed because it saves disk. If you absolutely want those to NOT be suppressed, just update the splunk-perfmon.path file and add the -showzero parameter to it and restart. ie:

$SPLUNK_HOME\bin\splunk-perfmon.exe -noui -showzero

One more thing: When I say zero (0) values are suppressed, I mean absolute 0 NOT 0.125673 . The latter will be captured by splunk-perfmon.exe and forwarded out.

Derek
Path Finder

Thanks for the followup. I believe they added that flag in a release since I initially fixed it. To be honest I had forgotten about it as we stuck with WMI instead of Perfmon.

0 Karma

Derek
Path Finder

I Contacted Support and they don't believe this is correct and have opened an issue with engineering

vdubgeek
New Member

Were you able to determine if this is correct or not? I'm seeing the same issue here with perf counters that return a value of 0.

0 Karma

_d_
Splunk Employee
Splunk Employee

I see that your "instances =" is empty. Which instance of that Object are you interested in? Try instances=*

0 Karma

Derek
Path Finder

For that particluar counter there are no instances. So since I'm getting entries when the value is not zero, I assume it's ignoring it...

0 Karma

_d_
Splunk Employee
Splunk Employee

..and I am assuming that the perfmon stanzas are enabled (ie. disabled=false), correct?
Do you see other non-zero values?

0 Karma

Derek
Path Finder

Yes. I see other non-zero data. Posted a sample stanza above.

0 Karma

_d_
Splunk Employee
Splunk Employee

Hi Derek, I am not sure whether perfmon will record value=0 data - although i would suspect that it does - but if you want to make sure fire up perfmon in your Windows machine, add those instances and see what the graph says.

0 Karma

Derek
Path Finder

When I load up perfmon, it shows the current value of 0 for some of the counters when they are zero and yet nothing in Splunk.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...