Getting Data In
Highlighted

Perfmon and zero value data

Path Finder

Hi,

Does the Perfmon inputs record data when the value is zero?

It would seem that it doesn't and that differs from WMI inputs.

Example Perfmon Stanza:

[PERFMON:System]
counters = Processor Queue Length
disabled = 0
instances =
interval = 5
object = System
index = main

Thanks.

Tags (2)
Highlighted

Re: Perfmon and zero value data

Splunk Employee
Splunk Employee

Hi Derek, I am not sure whether perfmon will record value=0 data - although i would suspect that it does - but if you want to make sure fire up perfmon in your Windows machine, add those instances and see what the graph says.

0 Karma
Highlighted

Re: Perfmon and zero value data

Path Finder

When I load up perfmon, it shows the current value of 0 for some of the counters when they are zero and yet nothing in Splunk.

0 Karma
Highlighted

Re: Perfmon and zero value data

Splunk Employee
Splunk Employee

..and I am assuming that the perfmon stanzas are enabled (ie. disabled=false), correct?
Do you see other non-zero values?

0 Karma
Highlighted

Re: Perfmon and zero value data

Path Finder

Yes. I see other non-zero data. Posted a sample stanza above.

0 Karma
Highlighted

Re: Perfmon and zero value data

Splunk Employee
Splunk Employee

I see that your "instances =" is empty. Which instance of that Object are you interested in? Try instances=*

0 Karma
Highlighted

Re: Perfmon and zero value data

Path Finder

For that particluar counter there are no instances. So since I'm getting entries when the value is not zero, I assume it's ignoring it...

0 Karma
Highlighted

Re: Perfmon and zero value data

Path Finder

I Contacted Support and they don't believe this is correct and have opened an issue with engineering

Highlighted

Re: Perfmon and zero value data

New Member

Were you able to determine if this is correct or not? I'm seeing the same issue here with perf counters that return a value of 0.

0 Karma
Highlighted

Re: Perfmon and zero value data

Path Finder

I've been able to debug this using $SPLUNK_HOME\bin\splunk-perfmon.exe -showzero
You must first set your SPLUNK_HOME environment variable before executing the above command.
A GUI will popup and you simply select which counter you suspect is not working. Within 10 seconds you start seeing the counter values (CTRL-C to break out of it). If you omit the -showzero parameter and use that same counter nothing will print to the screen and you'll have your answer.

I noticed that the scripted input (in inputs.conf) shows it uses the $SPLUNKHOME\bin\scripts\splunkperfmon.path. I guess zero (0) values are suppressed because it saves disk. If you absolutely want those to NOT be suppressed, just update the splunk-perfmon.path file and add the -showzero parameter to it and restart. ie:

$SPLUNK_HOME\bin\splunk-perfmon.exe -noui -showzero

One more thing: When I say zero (0) values are suppressed, I mean absolute 0 NOT 0.125673 . The latter will be captured by splunk-perfmon.exe and forwarded out.

View solution in original post