Getting Data In

Splunk_TA_Windows 6.0.0 Metrics index?

daniel333
Builder

All,

I am currently a Splunk_TA_windows 4.8x customer and source="Perfmon:Process" is just destroying my disk space and license. I've been told metrics is the way to go for these values.

I am looking at upgrading to Splunk_TA_Windows 6.0.0 to take advantage of metrics. When reviewing the configs I am not sure where the metrics are actually stored. I feel like I should be able to trace this down inputs > props > transforms. But I missing something.

inputs.conf

## Process
[perfmon://Process]
counters = % Processor Time; % User Time; % Privileged Time; Virtual Bytes Peak; Virtual Bytes; Page Faults/sec; Working Set Peak; Working Set; Page File Bytes Peak; Page File Bytes; Private Bytes; Thread Count; Priority Base; Elapsed Time; ID Process; Creating Process ID; Pool Paged Bytes; Pool Nonpaged Bytes; Handle Count; IO Read Operations/sec; IO Write Operations/sec; IO Data Operations/sec; IO Other Operations/sec; IO Read Bytes/sec; IO Write Bytes/sec; IO Data Bytes/sec; IO Other Bytes/sec; Working Set - Private
disabled = 1
instances = *
interval = 10
mode = multikv
object = Process
useEnglishOnly=true

props.conf

###### Process ######
[Perfmon:Process]
EVAL-process_name = if(instance!="_Total" AND instance!="Idle",instance,null())
EVAL-process_cpu_used_percent = if(instance!="_Total" AND instance!="Idle" AND counter=="% Processor Time", Value, null())
EVAL-process_mem_used = if(instance!="_Total" AND instance!="Idle" AND counter=="Working Set - Private", Value, null())

FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src

TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
EVAL-metric_type = "gauge"

transforms.conf

[value_for_perfmon_metrics_store]
REGEX = Value=\"?([^\"\r\n]*[^\"\s])
FORMAT = _value::$1
WRITE_META = true

As a Splunk for Windows 4.8 user I already have my perfmon data going into a standard index called index=perfmon. If I were to upgrade I THINK I am going to have to provision a new index called index=perfmon_metrics as a metrics index type then configure that on inputs.conf local copy?

How will my licensing be billed? Just for the metric points or the entire perfmon log?

0 Karma
1 Solution

daniel333
Builder

All,

Built out a lab and got it working. Looks like if you don't want to break your sourcetyping you can stay at 4.8/5.x and just break out your perfmon into metrics if you feel the urge.

1) So yes you need a separate index from the legacy perfmon index that came with older apps. In my example I called it index=metrics but please come up with something smarter
2) then you need to ensure the mode=single and multikv.

You need to add two configurations stanza's to your inputs.conf on your existing Splunk_TA_windows

inputs.conf

mode = single
index=metrics

Worked after restart with no additional tweaks!

My next challenge is figuring out how to calculate my licensing usage on metric data points.

View solution in original post

0 Karma

daniel333
Builder

All,

Built out a lab and got it working. Looks like if you don't want to break your sourcetyping you can stay at 4.8/5.x and just break out your perfmon into metrics if you feel the urge.

1) So yes you need a separate index from the legacy perfmon index that came with older apps. In my example I called it index=metrics but please come up with something smarter
2) then you need to ensure the mode=single and multikv.

You need to add two configurations stanza's to your inputs.conf on your existing Splunk_TA_windows

inputs.conf

mode = single
index=metrics

Worked after restart with no additional tweaks!

My next challenge is figuring out how to calculate my licensing usage on metric data points.

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...