Getting Data In

Specific perfmon instance collection problem

neilamoran
Explorer

Hi. Fairly new to Splunk, so please bear with me if this is too stupid a question, but I've been looking through the docs and here on Answers and can't find anything similar.

I'm using a fairly simple design - one central Windows indexer, running 4.2.2, and several distributed Windows forwarders, also running Universal Forwarder 4.2.2.

I have a custom app to collect various bits and bobs, and this is pushed out using the deployment server. The problem is with the perfmon collection. My app's perfmon.conf has this:

[% Processor Time]
interval=1
object=Processor
counters=% Processor Time
instances=_Total
disabled=0
index=perfmon

However, all instances (my servers have 8 CPU cores) are being returned - but I don't want or need any data for the individual instances, just the total. I can change the instances line in the stanza, but it doesn't seem to have any effect. I've used

instances=0
instances=0;1
instances=0;_Total
instances="_Total"
instances=*

...but they all produce the same results. (I am restarting the forwarder manually after I make the changes so I'm reasonably certain the changes are being picked up from watching the conf file check messages at startup.)

Does anyone have any ideas why this might be? Or has anyone encountered the same issue? My indexer is Windows 2008 R2, and my forwarders are all Windows 2003 boxes.

25/7/11: Just seen this question http://splunk-base.splunk.com/answers/28012/unable-to-pull-perfmon-counter-for-processor-time-window... and now wondering if the issue is related to 4.2.2. I will try installing a 4.2.1 forwarder to compare, but I should note that I am seeing the same splunkd errors as the other questioner, and Google (and Splunk Answers) don't seem to have any other instances of this error message being asked about.

UPDATE: OK, have deployed a 4.2.1 UF to a Windows 2003 64bit box and _Total is the only instance collected. Removed the UF, redeployed 4.2.2 with the same configs, and hey, presto! All available instances begin to be collected. So this is definitely an issue with the 64 bit version of the 4.2.2 Windows UF - unfortunately I don't have any 32 bit boxes in this environment, so can't confirm if the problem is isolated to 64 bit Windows.

Tags (2)
1 Solution

neilamoran
Explorer

Have tested and can now confirm that this behaviour is fixed in 4.2.5.

Was also occurring with Total instance of counter Pipeline Instance Count, so I think the issue may have been with the _ character....

View solution in original post

neilamoran
Explorer

Have tested and can now confirm that this behaviour is fixed in 4.2.5.

Was also occurring with Total instance of counter Pipeline Instance Count, so I think the issue may have been with the _ character....

twinspop
Influencer

I opened a support case for this issue last week, but have yet to hear anything. 😞

0 Karma

eduardguloiu
Engager

Same here: [PERFMON:C-Free Disk Space] counters = Free Megabytes;% Free Space disabled = 0 instances=C: interval = 30 object = LogicalDisk

tried with instances = C: instances = 'C:'

all instances are gathered. splunkforwarder-4.2.3-105575-x64-release.msi

0 Karma

OL
Communicator

oops, I meant a bug 🙂

0 Karma

OL
Communicator

Same issue with Full Splunk 4.2.3 on Win 2008 R2 64bits.
I've just installed Splunk 4.2.0 on the same server and it is working fine. So definitely a but with 4.2.3.

0 Karma

OL
Communicator

Same issue with UF 4.2.3 😞 on Win 2008 R2 64bits

0 Karma

twinspop
Influencer

Same problem on 32bit Windows SUF 4.2.2. I put in _Total, but it runs as if I put in *.

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...