Splunk_TA_Windows 6.0.0 Metrics index?

daniel333
Builder

All,

I am currently a Splunk_TA_windows 4.8x customer and source="Perfmon:Process" is just destroying my disk space and license. I've been told metrics is the way to go for these values.

I am looking at upgrading to Splunk_TA_Windows 6.0.0 to take advantage of metrics. When reviewing the configs I am not sure where the metrics are actually stored. I feel like I should be able to trace this down inputs > props > transforms, but I am missing something.

inputs.conf

## Process
[perfmon://Process]
counters = % Processor Time; % User Time; % Privileged Time; Virtual Bytes Peak; Virtual Bytes; Page Faults/sec; Working Set Peak; Working Set; Page File Bytes Peak; Page File Bytes; Private Bytes; Thread Count; Priority Base; Elapsed Time; ID Process; Creating Process ID; Pool Paged Bytes; Pool Nonpaged Bytes; Handle Count; IO Read Operations/sec; IO Write Operations/sec; IO Data Operations/sec; IO Other Operations/sec; IO Read Bytes/sec; IO Write Bytes/sec; IO Data Bytes/sec; IO Other Bytes/sec; Working Set - Private
disabled = 1
instances = *
interval = 10
mode = multikv
object = Process
useEnglishOnly=true

props.conf

###### Process ######
[Perfmon:Process]
EVAL-process_name = if(instance!="_Total" AND instance!="Idle",instance,null())
EVAL-process_cpu_used_percent = if(instance!="_Total" AND instance!="Idle" AND counter=="% Processor Time", Value, null())
EVAL-process_mem_used = if(instance!="_Total" AND instance!="Idle" AND counter=="Working Set - Private", Value, null())

FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src

TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
EVAL-metric_type = "gauge"

transforms.conf

[value_for_perfmon_metrics_store]
REGEX = Value=\"?([^\"\r\n]*[^\"\s])
FORMAT = _value::$1
WRITE_META = true

As a Splunk for Windows 4.8 user I already have my perfmon data going into a standard index called index=perfmon. If I were to upgrade, I THINK I am going to have to provision a new index called index=perfmon_metrics as a metrics index type, then configure that in my local copy of inputs.conf?

How will my licensing be billed? Just for the metric points or the entire perfmon log?

0 Karma
1 Solution

daniel333
Builder

All,

Built out a lab and got it working. Looks like if you don't want to break your sourcetyping you can stay at 4.8/5.x and just break out your perfmon into metrics if you feel the urge.

1) So yes, you need a separate index from the legacy perfmon index that came with older apps. In my example I called it index=metrics, but please come up with something smarter.
2) Then you need to ensure mode=single, and not multikv.

You need to add two configuration settings to the stanza in your inputs.conf on your existing Splunk_TA_windows:

inputs.conf

mode = single
index=metrics

Worked after restart with no additional tweaks!

My next challenge is figuring out how to calculate my licensing usage on metric data points.

0 Karma
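The following is an added example, not code from Splunk_TA_windows or from either post above. It models in Python the two things the thread circles around: what the posted value_for_perfmon_metrics_store regex pulls out of a mode=single Perfmon:Process event (the question's transforms.conf), why a mode=multikv event yields nothing for a metrics index (the answer's point 2), and how to size the license usage the answer leaves open. Assumptions, also marked in the code: both sample events are constructed; the collection/object/counter/instance transforms, which the page does not show, are assumed to mirror the posted Value regex; metric_name as object.counter is an assumption about the TA; and the 150-byte fixed charge per metric data point is Splunk's documented figure, kept as a parameter to verify against the licensing docs for your version.

```python
"""Model of the perfmon -> metrics path in Splunk_TA_windows: what the
value_for_perfmon_metrics_store regex pulls out of a mode=single event, why a
mode=multikv event yields nothing, and how many metric data points (and license
bytes) a [perfmon://Process] stanza produces per day.
Added example, not code from the TA or the forum post."""
import re

# Regex copied from the posted transforms.conf, [value_for_perfmon_metrics_store].
VALUE_RE = re.compile(r'Value=\"?([^\"\r\n]*[^\"\s])')

# The collection/object/counter/instance transforms are not shown on the page.
# Assumption: they follow the same shape with the key name swapped.
KEY_RES = {
    key: re.compile(rf'{key}=\"?([^\"\r\n]*[^\"\s])')
    for key in ("collection", "object", "counter", "instance")
}

# Splunk meters each metric data point at a fixed size instead of by raw bytes.
# 150 bytes is the documented figure; treat it as a parameter and verify it
# against the licensing docs for your Splunk version.
BYTES_PER_METRIC_POINT = 150

# The counters= value from the posted [perfmon://Process] stanza.
PROCESS_COUNTERS_LINE = (
    "counters = % Processor Time; % User Time; % Privileged Time; "
    "Virtual Bytes Peak; Virtual Bytes; Page Faults/sec; Working Set Peak; "
    "Working Set; Page File Bytes Peak; Page File Bytes; Private Bytes; "
    "Thread Count; Priority Base; Elapsed Time; ID Process; "
    "Creating Process ID; Pool Paged Bytes; Pool Nonpaged Bytes; Handle Count; "
    "IO Read Operations/sec; IO Write Operations/sec; IO Data Operations/sec; "
    "IO Other Operations/sec; IO Read Bytes/sec; IO Write Bytes/sec; "
    "IO Data Bytes/sec; IO Other Bytes/sec; Working Set - Private"
)

# Constructed sample: one Perfmon:Process event as the input emits it with
# mode=single (one counter of one instance per event). Timestamp is invented.
SAMPLE_SINGLE_EVENT = (
    "04/01/2019 10:15:00.000\n"
    "collection=Process\n"
    "object=Process\n"
    'counter="% Processor Time"\n'
    "instance=splunkd\n"
    "Value=12.345678\n"
)

# Constructed approximation of a mode=multikv event: a table with one column per
# counter and one row per instance, and therefore no Value= line anywhere.
SAMPLE_MULTIKV_EVENT = (
    "04/01/2019 10:15:00.000\n"
    "collection=Process\n"
    "object=Process\n"
    "instance   % Processor Time   Working Set - Private\n"
    "splunkd    12.345678          104857600\n"
    "_Total     100.0              8589934592\n"
)


def to_metric_point(event):
    """Build the metric data point the TA's transforms would write for one
    single-mode event. Returns None when there is no Value= field, which is
    what happens if the stanza is still mode=multikv: the metrics transforms
    have nothing to map to _value and the event cannot land in a metrics index."""
    m = VALUE_RE.search(event)
    if m is None:
        return None
    point = {"_value": float(m.group(1)), "metric_type": "gauge"}  # props: EVAL-metric_type
    for key, rx in KEY_RES.items():
        km = rx.search(event)
        if km is not None:
            point[key] = km.group(1)
    # Assumption: the TA composes metric_name from object and counter.
    point["metric_name"] = f"{point.get('object', '')}.{point.get('counter', '')}"
    return point


def parse_counters(counters_line):
    """Split a `counters = a; b; c` stanza line into the list of counter names."""
    _, _, value = counters_line.partition("=")
    return [c.strip() for c in value.split(";") if c.strip()]


def daily_metric_points(n_counters, n_instances, interval_s):
    """Metric data points one host emits per day for one perfmon stanza:
    every counter of every instance is one point per polling interval."""
    return n_counters * n_instances * (86400 // interval_s)


def daily_license_bytes(n_counters, n_instances, interval_s,
                        bytes_per_point=BYTES_PER_METRIC_POINT):
    """License volume per host per day at the fixed per-point charge."""
    return daily_metric_points(n_counters, n_instances, interval_s) * bytes_per_point


if __name__ == "__main__":
    counters = parse_counters(PROCESS_COUNTERS_LINE)
    print(f"{len(counters)} counters in the Process stanza")
    print("single mode ->", to_metric_point(SAMPLE_SINGLE_EVENT))
    print("multikv mode ->", to_metric_point(SAMPLE_MULTIKV_EVENT))
    # 200 process instances polled every 10 s, matching the posted interval = 10
    gb = daily_license_bytes(len(counters), 200, 10) / 1e9
    print(f"~{gb:.2f} GB/day per host for 200 instances at interval=10")
```

Two things worth noticing when you run it. First, with the posted stanza (28 counters, interval = 10) a host with 200 process instances produces about 48 million metric data points a day, which at a fixed per-point charge is several GB of license per host; the counters list and the interval in your local inputs.conf are the levers, not the index type. Second, `instances = *` includes `_Total` and `Idle`: the props.conf EVALs only hide them at search time, so they still count as points.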