Does the Perfmon inputs record data when the value is zero?
It would seem that it doesn't and that differs from WMI inputs.
Example Perfmon Stanza:
counters = Processor Queue Length
disabled = 0
interval = 5
object = System
index = main
Hi Derek, I am not sure whether perfmon will record value=0 data - although i would suspect that it does - but if you want to make sure fire up perfmon in your Windows machine, add those instances and see what the graph says.
For that particluar counter there are no instances. So since I'm getting entries when the value is not zero, I assume it's ignoring it...
Were you able to determine if this is correct or not? I'm seeing the same issue here with perf counters that return a value of 0.
I've been able to debug this using $SPLUNK_HOME\bin\splunk-perfmon.exe -showzero
You must first set your SPLUNK_HOME environment variable before executing the above command.
A GUI will popup and you simply select which counter you suspect is not working. Within 10 seconds you start seeing the counter values (CTRL-C to break out of it). If you omit the -showzero parameter and use that same counter nothing will print to the screen and you'll have your answer.
I noticed that the scripted input (in inputs.conf) shows it uses the $SPLUNKHOME\bin\scripts\splunkperfmon.path. I guess zero (0) values are suppressed because it saves disk. If you absolutely want those to NOT be suppressed, just update the splunk-perfmon.path file and add the -showzero parameter to it and restart. ie:
$SPLUNK_HOME\bin\splunk-perfmon.exe -noui -showzero
One more thing: When I say zero (0) values are suppressed, I mean absolute 0 NOT 0.125673 . The latter will be captured by splunk-perfmon.exe and forwarded out.