Universal Forwarder inputs.conf perfmon stanza : W...

jbcharvetmatric · ‎10-29-2019

Initial case (working) :

In an UF add to an inputs.conf (depending of if your using an app, creating local conf or default one, etc.)

[perfmon://< any performance monitoring input>]
counters = *
< others parameters tested and correctly set>

=> All counters are forwarded.

Objective : I want to select a list of counters to limit my Splunk license usage, and to forward & index only the required ones.

Failed cases :

Counters selection fails when counters name contains "-" , worse : no counters are forwarded and/or indexed

=> No counters is forwarded.

counters = * #Host Queue - Instance State Msg Refs - Length;Host Queue - Length;Host Queue - Number of Instances;Host Queue - Suspended Msgs - Length

OR

counters = Host Queue - Instance State Msg Refs - Length;Host Queue - Length;Host Queue - Number of Instances;Host Queue - Suspended Msgs - Length

OR

counters = Host Queue \- Instance State Msg Refs \- Length;Host Queue \- Length;Host Queue \- Number of Instances;Host Queue \- Suspended Msgs \- Length

OR

counters = "Host Queue \- Instance State Msg Refs \- Length";"Host Queue \- Length";"Host Queue \- Number of Instances";"Host Queue \- Suspended Msgs \- Length"

OR

counters = "Host Queue - Instance State Msg Refs - Length";"Host Queue - Length";"Host Queue - Number of Instances";"Host Queue - Suspended Msgs - Length"

OR

counters = \"Host Queue \- Instance State Msg Refs \- Length\";\"Host Queue \- Length\";\"Host Queue \- Number of Instances\";\"Host Queue \- Suspended Msgs \- Length\"

EDIT : Add examples

If the names of the listened app counters I want were

"Host Queue Instance State Msg Refs Length;Host Queue Length;Host Queue Number of Instances;Host Queue Suspended Msgs Length"

instead of

"Host Queue - Instance State Msg Refs - Length;Host Queue - Length;Host Queue - Number of Instances;Host Queue - Suspended Msgs - Length"

The listed counters will be forwarded without any issue.

adonio · ‎10-31-2019

how do you set / pick your counters?
how do you determine the counter name?

this works for me just fine:

[perfmon://CPU]
counters = % Processor Time;% User Time;Interrupts/sec;% Idle Time
object = Processor
instances = 
disabled = 0
interval = 30
useEnglishOnly = true
index = perfmon

[perfmon://System]
counters = Processor Queue Length; Threads
object = System
instances = *
disabled = 0
interval = 30
useEnglishOnly = true
index = perfmon

[perfmon://LogicalDisk]
counters = % Free Space; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec
object = LogicalDisk
instances = *
disabled = 0
interval = 30
useEnglishOnly = true
index = perfmon

jbcharvetmatric · ‎11-01-2019

Thanks for the answer!

how do you set / pick your counters?

I've tried to select them as listed in "Failed cases" : with ";" to separate them. and tryed to play with "/" escape char to solve the issue with "-" char in counters names.

how do you determine the counter name? :

There names are provided by the tool I'm listening. I have manually double-check the counters names with the windows performance monitor (performance monitor/add counter/select the app I'm listening with the UF) and the tool documentation.

this works for me just fine:

It works because there is no "-" in the counter name.

Example 1 : if the name of the system counter " Processor Queue Length" were " Processor - Queue - Length" and you were trying to select it in counters list, you'll have the same issue than me 😉
Example 2 : if the names of the listened app counters I want were

"Host Queue Instance State Msg Refs Length;Host Queue Length;Host Queue Number of Instances;Host Queue Suspended Msgs Length"

instead of

"Host Queue - Instance State Msg Refs - Length;Host Queue - Length;Host Queue - Number of Instances;Host Queue - Suspended Msgs - Length"

My case will be working fine!