All,
I am currently a Splunk_TA_windows 4.8x customer and source="Perfmon:Process" is just destroying my disk space and license. I've been told metrics is the way to go for these values.
I am looking at upgrading to Splunk_TA_Windows 6.0.0 to take advantage of metrics. When reviewing the configs I am not sure where the metrics are actually stored. I feel like I should be able to trace this down inputs > props > transforms. But I am missing something.
```
## Process
[perfmon://Process]
counters = % Processor Time; % User Time; % Privileged Time; Virtual Bytes Peak; Virtual Bytes; Page Faults/sec; Working Set Peak; Working Set; Page File Bytes Peak; Page File Bytes; Private Bytes; Thread Count; Priority Base; Elapsed Time; ID Process; Creating Process ID; Pool Paged Bytes; Pool Nonpaged Bytes; Handle Count; IO Read Operations/sec; IO Write Operations/sec; IO Data Operations/sec; IO Other Operations/sec; IO Read Bytes/sec; IO Write Bytes/sec; IO Data Bytes/sec; IO Other Bytes/sec; Working Set - Private
disabled = 1
instances = *
interval = 10
mode = multikv
object = Process
useEnglishOnly=true
```

```
###### Process ######
[Perfmon:Process]
EVAL-process_name = if(instance!="_Total" AND instance!="Idle",instance,null())
EVAL-process_cpu_used_percent = if(instance!="_Total" AND instance!="Idle" AND counter=="% Processor Time", Value, null())
EVAL-process_mem_used = if(instance!="_Total" AND instance!="Idle" AND counter=="Working Set - Private", Value, null())
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
EVAL-metric_type = "gauge"
```

```
[value_for_perfmon_metrics_store]
REGEX = Value=\"?([^\"\r\n]*[^\"\s])
FORMAT = _value::$1
WRITE_META = true
```
As a Splunk for Windows 4.8 user I already have my perfmon data going into a standard index called index=perfmon. If I were to upgrade I THINK I am going to have to provision a new index called index=perfmon_metrics as a metrics index type then configure that on inputs.conf local copy?
How will my licensing be billed? Just for the metric points or the entire perfmon log?
All,
Built out a lab and got it working. Looks like if you don't want to break your sourcetyping you can stay at 4.8/5.x and just break out your perfmon into metrics if you feel the urge.
1) So yes, you need a separate index from the legacy perfmon index that came with older apps. In my example I called it index=metrics, but please come up with something smarter.
2) Then you need to ensure the mode=single and multikv.
You need to add two configuration stanzas to your inputs.conf on your existing Splunk_TA_windows:

```
mode = single
index=metrics
```
Worked after restart with no additional tweaks!
My next challenge is figuring out how to calculate my licensing usage on metric data points.
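The two steps from the answer above, written out as configuration. This is an added example, not part of the original posts and not shipped with Splunk_TA_windows; the index name perfmon_metrics is the one proposed in the question, and the index paths and file locations are assumptions.

```ini
# --- indexes.conf (on the indexers) ---------------------------------
# Assumed index name, taken from the question. "datatype = metric" is
# what makes this a metrics index; an index without it is an events
# index and stores the full perfmon event text.
[perfmon_metrics]
datatype   = metric
homePath   = $SPLUNK_DB/perfmon_metrics/db
coldPath   = $SPLUNK_DB/perfmon_metrics/colddb
thawedPath = $SPLUNK_DB/perfmon_metrics/thaweddb

# --- Splunk_TA_windows/local/inputs.conf (on the Windows forwarder) --
# Local override of the default stanza quoted in the question.
# Settings not repeated here (counters, instances, interval, object)
# are inherited from default/inputs.conf.
[perfmon://Process]
disabled = 0
# The answer switches the default "multikv" to "single"; the
# value_for_perfmon_metrics_store REGEX quoted above matches a
# "Value=" pair in the event.
mode     = single
# Route to the metrics index instead of the legacy events index.
index    = perfmon_metrics

# --- Notes ------------------------------------------------------------
# The TRANSFORMS-* settings in the [Perfmon:Process] props stanza are
# index-time (WRITE_META = true), so the TA version that carries them
# must be installed where parsing happens (indexers or heavy
# forwarders), not only on the universal forwarder.
#
# After a restart, list the metric names that arrived with:
#   | mcatalog values(metric_name) WHERE index=perfmon_metrics
```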