Does anyone have a sample inputs.conf for capturing Windows data such as CPU utilization, memory utilization and disk utilization? Just looking for the basics. I could not find any good baseline samples.
Thank you very much!
The default inputs.conf in the UF already contains Windows perfmon inputs. You just have to enable the inputs you want.
I extracted the file which is great. Maybe I am missing the Windows perfmon inputs in the default inputs.conf.
# Version 8.2.1
# DO NOT EDIT THIS FILE!
# Changes to default files will be lost on update and are difficult to
# manage and support.
#
# Please make any changes to system defaults by overriding them in
# apps or $SPLUNK_HOME/etc/system/local
# (See "Configuration file precedence" in the web documentation).
#
# To override a specific setting, copy the name of the stanza and
# setting to the file where you wish to override it.
#
# This file contains possible attributes and values you can use to
# configure inputs, distributed inputs and file system monitoring.
[default]
index = default
_rcvbuf = 1572864
host = $decideOnStartup
[blacklist:$SPLUNK_HOME/etc/auth]
[blacklist:$SPLUNK_HOME/etc/passwd]
[monitor://$SPLUNK_HOME/var/log/splunk]
index = _internal
[monitor://$SPLUNK_HOME/var/log/watchdog/watchdog.log*]
index = _internal
[monitor://$SPLUNK_HOME/var/log/splunk/license_usage_summary.log]
index = _telemetry
[monitor://$SPLUNK_HOME/var/log/splunk/splunk_instrumentation_cloud.log*]
index = _telemetry
sourcetype = splunk_cloud_telemetry
[monitor://$SPLUNK_HOME/etc/splunk.version]
_TCP_ROUTING = *
index = _internal
sourcetype=splunk_version
[batch://$SPLUNK_HOME/var/run/splunk/search_telemetry/*search_telemetry.json]
move_policy = sinkhole
index = _introspection
sourcetype = search_telemetry
crcSalt = <SOURCE>
log_on_completion = 0
[batch://$SPLUNK_HOME/var/spool/splunk]
move_policy = sinkhole
crcSalt = <SOURCE>
[batch://$SPLUNK_HOME/var/spool/splunk/tracker.log*]
index = _internal
sourcetype = splunkd_latency_tracker
move_policy = sinkhole
[batch://$SPLUNK_HOME/var/spool/splunk/...stash_new]
queue = stashparsing
sourcetype = stash_new
move_policy = sinkhole
crcSalt = <SOURCE>
time_before_close = 0
[batch://$SPLUNK_HOME/var/spool/splunk/...stash_hec]
sourcetype = stash_hec
move_policy = sinkhole
crcSalt = <SOURCE>
[fschange:$SPLUNK_HOME/etc]
disabled = false
#poll every 10 minutes
pollPeriod = 600
#generate audit events into the audit index, instead of fschange events
signedaudit=true
recurse=true
followLinks=false
hashMaxSize=-1
fullEvent=false
sendEventMaxSize=-1
filesPerDelay = 10
delayInMills = 100
[udp]
connection_host=ip
[tcp]
acceptFrom=*
connection_host=dns
[splunktcp]
route=has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:indexQueue;absent_key:_linebreaker:parsingQueue
acceptFrom=*
connection_host=ip
[script]
interval = 60.0
start_by_shell = true
[SSL]
# SSL settings
# The following provides modern TLS configuration that guarantees forward-
# secrecy and efficiency. This configuration drops support for old Splunk
# versions (Splunk 5.x and earlier).
# To add support for Splunk 5.x set sslVersions to tls and add this to the
# end of cipherSuite:
# DHE-RSA-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:AES128-SHA
# and this, in case Diffie Hellman is not configured:
# AES256-SHA:AES128-SHA
sslVersions = tls1.2
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1
allowSslRenegotiation = true
sslQuietShutdown = false
Any chance you could post the stanza? That would be much appreciated.
I downloaded the tgz for the UF. I tried to extract the inputs.conf file, but it returned that the inputs.conf file was not present. I then downloaded the Splunk tgz and got that inputs.conf file from it.
Yes, one responder was stating that I should extract the inputs.conf from the tgz, which is not used for Windows; it's Linux.
I see where you are going: why would the Linux inputs.conf file have Windows perfmon stats? Now I see that the tgz approach was not practical.
I was just hoping to get a sample stanza that captured Windows perfmon stats. That was and still is my goal.
As I said, in one of the replies here, I do not have admin rights. I did look at that spec as well.
Someone said that the inputs.conf file in the install comes with samples and they just need to be enabled. The spec definitely does not have that.
I was just hoping someone could paste the sample stanza. Seems like a simple option.
Yes, I read that you don't have admin access to that server, but I'm thinking of whether you have the option to install/use any temporary virtual machine for testing etc.
Here is $SPLUNK_HOME\etc\system\default\inputs.conf from one windows workstation.
# Version 8.0.6
# DO NOT EDIT THIS FILE!
# Changes to default files will be lost on update and are difficult to
# manage and support.
#
# Please make any changes to system defaults by overriding them in
# apps or $SPLUNK_HOME/etc/system/local
# (See "Configuration file precedence" in the web documentation).
#
# To override a specific setting, copy the name of the stanza and
# setting to the file where you wish to override it.
#
# This file contains possible attributes and values you can use to
# configure inputs, distributed inputs and file system monitoring.
[default]
index = default
_rcvbuf = 1572864
host = $decideOnStartup
evt_resolve_ad_obj = 0
evt_dc_name=
evt_dns_name=
[blacklist:$SPLUNK_HOME\etc\auth]
[blacklist:$SPLUNK_HOME\etc\passwd]
[monitor://$SPLUNK_HOME\var\log\splunk]
index = _internal
[monitor://$SPLUNK_HOME\var\log\watchdog\watchdog.log*]
index = _internal
[monitor://$SPLUNK_HOME\var\log\splunk\license_usage_summary.log]
index = _telemetry
[monitor://$SPLUNK_HOME\var\log\splunk\splunk_instrumentation_cloud.log*]
index = _telemetry
sourcetype = splunk_cloud_telemetry
[monitor://$SPLUNK_HOME\etc\splunk.version]
_TCP_ROUTING = *
index = _internal
sourcetype=splunk_version
[batch://$SPLUNK_HOME\var\run\splunk\search_telemetry\*search_telemetry.json]
move_policy = sinkhole
index = _introspection
sourcetype = search_telemetry
crcSalt = <SOURCE>
log_on_completion = 0
[batch://$SPLUNK_HOME\var\spool\splunk]
move_policy = sinkhole
crcSalt = <SOURCE>
[batch://$SPLUNK_HOME\var\spool\splunk\...stash_new]
queue = stashparsing
sourcetype = stash_new
move_policy = sinkhole
crcSalt = <SOURCE>
[fschange:$SPLUNK_HOME\etc]
#poll every 10 minutes
pollPeriod = 600
#generate audit events into the audit index, instead of fschange events
signedaudit=true
recurse=true
followLinks=false
hashMaxSize=-1
fullEvent=false
sendEventMaxSize=-1
filesPerDelay = 10
delayInMills = 100
[udp]
connection_host=ip
[tcp]
acceptFrom=*
connection_host=dns
[splunktcp]
route=has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:indexQueue;absent_key:_linebreaker:parsingQueue
acceptFrom=*
connection_host=ip
[script]
interval = 60.0
start_by_shell = false
[SSL]
# SSL settings
# The following provides modern TLS configuration that guarantees forward-
# secrecy and efficiency. This configuration drops support for old Splunk
# versions (Splunk 5.x and earlier).
# To add support for Splunk 5.x set sslVersions to tls and add this to the
# end of cipherSuite:
# DHE-RSA-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:AES128-SHA
# and this, in case Diffie Hellman is not configured:
# AES256-SHA:AES128-SHA
sslVersions = tls1.2
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1
allowSslRenegotiation = true
sslQuietShutdown = false
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
interval = 10000000
source = wmi
sourcetype = wmi
queue = winparsing
persistentQueueSize=200MB
# default single instance modular input restarts
[admon]
interval=60
baseline=0
[MonitorNoHandle]
interval=60
[WinEventLog]
interval=60
evt_resolve_ad_obj = 0
evt_dc_name=
evt_dns_name=
[WinNetMon]
interval=60
[WinPrintMon]
interval=60
[WinRegMon]
interval=60
baseline=0
[perfmon]
interval=300
[powershell]
interval=60
[powershell2]
interval=60
As it's from version 8.0.6 it could be a little bit different from 8.2.1, so you must check the documentation if there is still something weird.
r. Ismo
Thank you. So the OOTB inputs.conf really does not have the basic perfmon stuff I was looking for. Thank you for posting that and putting that to bed.
My search continues!!
There's not much to it.
[perfmon]
interval=300
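A sample set of perfmon stanzas for CPU, memory and disk, added here as an example and not taken from any shipped default inputs.conf; the index name perfmon and the counter selection are my assumptions. Following the earlier point about not editing default files, it belongs in a local or app directory on the UF, and the stanzas stay inert until the index exists on the indexers.

```ini
# Added example, not from the shipped default inputs.conf.
# Place in $SPLUNK_HOME\etc\apps\<your_app>\local\inputs.conf
# or $SPLUNK_HOME\etc\system\local\inputs.conf, never in ...\default.
# "perfmon" index name is an assumption; create it on the indexers first.

[perfmon://CPU]
object = Processor
counters = % Processor Time; % User Time; % Privileged Time
instances = _Total
interval = 60
mode = single
useEnglishOnly = true
index = perfmon
disabled = 0

[perfmon://Memory]
object = Memory
counters = Available MBytes; % Committed Bytes In Use; Pages/sec
interval = 60
mode = single
useEnglishOnly = true
index = perfmon
disabled = 0

[perfmon://LogicalDisk]
object = LogicalDisk
counters = % Free Space; Free Megabytes; Avg. Disk Queue Length; Disk Reads/sec; Disk Writes/sec
instances = *
interval = 60
mode = single
useEnglishOnly = true
index = perfmon
disabled = 0
```

The useEnglishOnly setting keeps counter names stable across localized Windows builds, so searches and alerts keyed on them do not silently break on non-English hosts.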
Oh I thought it actually had sample counters. I was hoping to use it as a jumping off point.
Interesting. It looks like that file changed recently because my 8.1.2 file has a [perfmon] stanza, but yours doesn't.
Any chance you have a copy? I inherited this environment and don't have any place to install a universal forwarder. All the inputs.conf have been "cleaned".
You don't need to install the UF to get the file. Just download the .tgz file from splunk.com and extract the file from it.
Also, one should not change .conf files in default directories. Any "cleaning" should be done in the local directory.
Maybe I am just clueless, but I could not extract the file.
Try this. Replace splunk-8.1.0-8c3d4d4c1386-Linux-x86_64.tgz with the name of your tarball. It will create a splunk/etc/system/default filepath in the current directory so be careful where you run it.
tar -zxf splunk-8.1.0-8c3d4d4c1386-Linux-x86_64.tgz splunk/etc/system/default/inputs.conf
I am on Windows, so I don't even get a tarball, and I don't have admin rights anywhere to even run an install. And I checked out the inputs.conf in the default directory and my predecessors did modify them!!
Hi
I'm afraid that without admin rights you can't fix the situation/install the UF on Windows. You need to find someone who can do it, and after that you could use the deployment server to modify the needed configurations to get files and events into Splunk. Here are instructions on how to install the UF on a Windows client. https://docs.splunk.com/Documentation/Forwarder/8.2.1/Forwarder/InstallaWindowsuniversalforwarderfro...
Personally I prefer to create a separate app/TA for the deployment server configuration rather than give that information within the UF installation. Just a pure UF installation w/o DS parameters, then add this TA/app to connect to the DS and get all needed configurations from the DS rather than updating those locally in the UF.
r. Ismo
If you have access to splunk.com then you have access to a tarball. Download the appropriate version and use 7-zip to extract the file.