Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Sending Perfmon data to metrics index

andreasz
Path Finder
‎01-05-2018 05:47 AM

I would like to collect my windows perfmon data into a metrics index. Is this feature planned for the near future?

The reason: I've had very good experience with the new metrics index. Great performance and very powerfull mstats command (no extra data model plus acceleration jobs)

Thanks for your help in advance,
Andreas

0 Karma
Reply

maciep
Champion
‎01-05-2018 08:33 AM

Updated to include example

not on 7.x yet, so i can't try...but can your format the data on the way in to be in the right format for a metrics index?

http://docs.splunk.com/Documentation/Splunk/7.0.1/Metrics/GetMetricsInOther

For example, to get the required indexed metric fields:

inputs.conf (uf):

[perfmon://CPU]
counters = % Processor Time; % User Time; % Privileged Time
disabled = 0
instances = *
interval = 60
object = Processor
useEnglishOnly=true
index = tester
sourcetype=perfmon:test

Props.conf (parsing layer):

[perfmon:test]
TRANSFORMS-metric = cpu_metric
TRANSFORMS-value = cpu_value

transforms.conf (parsing layer):

[cpu_metric]
REGEX = collection=(.+)[\s\S]*counter=(.+)[\s\S]*instance=(.+)
FORMAT = metric_name::$1.$3.$2
WRITE_META = true

[cpu_value]
REGEX = Value=(.+)
FORMAT = metric_value::$1
WRITE_META = true

This is sort of what I'm hoping to try when we upgrade, but I'm still worried about all of the indexed fields, but hopefully the metrics index file is more efficient/smaller than tsidx?

Reply

andreasz
Path Finder
‎01-05-2018 09:02 AM

To accomplish this, I would have to "hack" the splunk-perfmon.exe 😉

0 Karma
Reply

maciep
Champion
‎01-05-2018 09:31 AM

I didn't mean at the forwarder, but at parse time. So the data gets sent to your indexer/hf, and then you do some index-time extractions to get the fields you need. I was hoping to try something similar once we get upgrade to 7.x

Admittedly, I've never really looked into the parse/index time config for perfmon data, but I feel like this could be doable?

0 Karma
Reply

bsonposh
Communicator
‎01-05-2018 07:31 AM

I do believe they will enable this feature for v.next but the problem is one of cost. The currently implementation of perfmon data uses CSV which has a significantly lower data cost than metrics which is billed by each metric.

I believe the intent is to address this.

0 Karma
Reply

andreasz
Path Finder
‎01-05-2018 09:00 AM

Good point. I'm currently using the multikv mode and the data volume is really small

0 Karma
Reply

ddrillic
Ultra Champion
‎01-05-2018 06:23 AM

This can help - Monitor Windows performance

0 Karma
Reply

andreasz
Path Finder
‎01-05-2018 06:29 AM

@ddrillic: thanks for the answer, but I already know this document. I'm talking about the new Splunk 7 feature: metrics index.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...