Hi all,
We're trying to get data from Windows network perfmon counters using the Splunk Universal Forwarder + Data Input without success.
For all other collectors (CPU, Memory, Disk, etc.) this resource works pretty well and the needed information is captured from the Universal Forwarder to Splunk Enterprise.
-Universal Forwarder is on top of Windows Server 2008 R2 64 Bits including the Kernel-Mode Driver Framework version 1.11 update
-Splunk Enterprise 6.4.3
-Some different attempts at inputs.conf:

[perfmon://Network Interface]
counters = *
disabled = 0
instances = *
interval = 60
object = Network Interface

[perfmon://Network Interface]
useEnglishOnly = true
showZeroValue = 1
counters = Bytes Received/sec;Bytes Sent/sec;
disabled = 0
index = main
instances = *;
interval = 60
object = Network Interface

[perfmon://Network Interface]
counters = Bytes Received/sec;Bytes Sent/sec;Bytes Total/sec;Current Bandwidth;Offloaded Connections;Output Queue Length;Packets Outbound Discarded;Packets Outbound Errors;Packets Received Discarded;Packets Received Errors;Packets Received Non-Unicast/sec;Packets Received Unicast/sec;Packets Received Unknown;Packets Received/sec;Packets Sent Non-Unicast/sec;Packets Sent Unicast/sec;Packets Sent/sec;Packets/sec;TCP Active RSC Connections;TCP RSC Average Packet Size;TCP RSC Coalesced Packets/sec;TCP RSC Exceptions/sec;
disabled = 0
index = wfm_realtime
instances = *;
interval = 60
object = Network Interface

The apps are correctly created and deployed in ..\SplunkUniversalForwarder\etc\apps. No errors are shown in the Splunk logs, but no data is sent to Splunk.
Do you have any tips or workarounds?
Thank you in advance.
Hi maffreitas,
Try this in your inputs.conf:

[perfmon://Network]
counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size
disabled = 1
instances = *
interval = 10
object = Network Interface
useEnglishOnly=true
index = perfmon

Also, you can use the Splunk TA for Windows: https://splunkbase.splunk.com/app/742/
It has all the inputs pre-configured.
Hope it helps
More organized:

[perfmon://Network]
counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size
disabled = 1
instances = *
interval = 10
object = Network Interface
useEnglishOnly=true
index = perfmon

Hi Adonio,
Let me check if I understood your suggestion:

[perfmon://Network]
counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size
disabled = 1
instances = *
interval = 10
object = Network Interface
useEnglishOnly=true
index = perfmon

Basically I have to change the stanza of the input and the index name, right?
Correct. Also, using the prebuilt TA for Windows will help.
If you don't have an index named perfmon, then just point to where you would like the data to be with index =; otherwise it will sit in main (default index).
Hi Adonio, thank you for your feedback.
I think this is a bug in perfmon network ingestion... Trying to ingest Windows Perfmon Network Data, we realized the ingestion just doesn't work, even after following all required configuration steps. The strangest thing was that network ingestion is the only one which is not working. Others like memory, CPU and disk are working regularly.
After some exhaustive tests, we identified the problem: when a host is deployed on a server class which has the Network Perfmon app activated, Splunk creates a new entry in the inputs.conf file with the following content:
Object = Network
We noticed that the correct object in inputs.conf, in order to have the ingestion working, should be:
Object = Network Interface
It is not feasible to perform the adjustment in all inputs.conf files manually, because we know it is not going to work, since the inputs.conf file is wrongly re-created every time a host is added to a server class.
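
An added example, not part of the thread or of Splunk's own tooling: a small lint that can be run over a deployed app's inputs.conf to catch the two conditions seen above, a perfmon stanza whose object is Network rather than Network Interface, and a stanza left with disabled = 1. The sample text, the stanza name "perfmon://Network Deployed", the function name lint_perfmon and the EXPECTED_OBJECTS set are assumptions made for the illustration.

```python
import configparser

# Constructed sample: the stanza suggested in the thread, followed by a stanza
# carrying the entry the last post reports in the deployed file (object = Network).
SAMPLE = """\
[perfmon://Network]
counters = Bytes Total/sec; Packets/sec; Current Bandwidth
disabled = 1
instances = *
interval = 10
object = Network Interface
useEnglishOnly=true
index = perfmon

[perfmon://Network Deployed]
counters = Bytes Received/sec;Bytes Sent/sec;
disabled = 0
instances = *;
interval = 60
object = Network
"""

# Assumption: the perfmon object names this deployment intends to collect.
EXPECTED_OBJECTS = {"Network Interface"}


def lint_perfmon(conf_text, expected_objects=EXPECTED_OBJECTS):
    """Return (stanza, problem) pairs for perfmon stanzas that will not collect."""
    # interpolation=None keeps counter names such as "% Processor Time" intact;
    # strict=False tolerates a stanza name that appears more than once.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = []
    for stanza in cp.sections():
        if not stanza.startswith("perfmon://"):
            continue
        # configparser lower-cases keys, so "Object" and "object" read alike here.
        opts = {k: v.strip() for k, v in cp[stanza].items()}
        obj = opts.get("object")
        if obj is None:
            findings.append((stanza, "no object setting"))
        elif obj not in expected_objects:
            findings.append((stanza, f"object = {obj!r} is not an expected object"))
        # Only an explicit disabled = 1/true is flagged; a missing key is not judged.
        if opts.get("disabled", "0").lower() in ("1", "true"):
            findings.append((stanza, "input is disabled"))
    return findings


if __name__ == "__main__":
    for stanza, problem in lint_perfmon(SAMPLE):
        print(f"{stanza}: {problem}")
```

Running the check after each deployment-server push, rather than once, matters here because the last post reports the file being re-created whenever a host joins the server class.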