Getting Data In

Why are my inputs for Windows Network Performance Monitoring counters not working?

maffreitas
Path Finder

Hi all,

We're trying to get data from Windows network perfmon counters using the Splunk Universal Forwarder + Data Input without success.

For all other collectors (CPU, Memory, Disk, etc.) this resource works pretty well and the needed information is captured from Universal Forwarder to Splunk Enterprise.

- Universal Forwarder is on top of Windows Server 2008 R2 64-bit, including the Kernel-Mode Driver Framework version 1.11 update
- Splunk Enterprise 6.4.3
- Some different attempts at inputs.conf:

[perfmon://Network Interface]
counters = *
disabled = 0
instances = *
interval = 60
object = Network Interface

[perfmon://Network Interface]
useEnglishOnly = true
showZeroValue = 1
counters = Bytes Received/sec;Bytes Sent/sec;
disabled = 0
index = main
instances = *;
interval = 60
object = Network Interface

[perfmon://Network Interface]
counters = Bytes Received/sec;Bytes Sent/sec;Bytes Total/sec;Current Bandwidth;Offloaded Connections;Output Queue Length;Packets Outbound Discarded;Packets Outbound Errors;Packets Received Discarded;Packets Received Errors;Packets Received Non-Unicast/sec;Packets Received Unicast/sec;Packets Received Unknown;Packets Received/sec;Packets Sent Non-Unicast/sec;Packets Sent Unicast/sec;Packets Sent/sec;Packets/sec;TCP Active RSC Connections;TCP RSC Average Packet Size;TCP RSC Coalesced Packets/sec;TCP RSC Exceptions/sec;
disabled = 0
index = wfm_realtime
instances = *;
interval = 60
object = Network Interface

The apps are correctly created and deployed on ..\SplunkUniversalForwarder\etc\apps. No errors are shown in the Splunk logs, but no data is sent to Splunk.

Do you have any tips or workarounds?

Thank you in advance.

0 Karma

adonio
Ultra Champion

hi maffreitas,
Try this in your inputs.conf:
[perfmon://Network]
counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size
disabled = 1
instances = *
interval = 10
object = Network Interface
useEnglishOnly=true
index = perfmon

Also, you can use the Splunk TA for Windows: https://splunkbase.splunk.com/app/742/
it has all the input pre-configured
Hope it helps

0 Karma

adonio
Ultra Champion

more organized:
[perfmon://Network]
counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size

disabled = 1
instances = *
interval = 10
object = Network Interface
useEnglishOnly=true
index = perfmon

0 Karma

maffreitas
Path Finder

Hi Adonio,

Let me check if I understood your suggestion:

[perfmon://Network]
counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size
disabled = 1
instances = *
interval = 10
object = Network Interface
useEnglishOnly=true
index = perfmon

Basically I have to change the stanza of the input and the index name, right?

0 Karma

adonio
Ultra Champion

correct, also, using prebuilt TA for Windows will help
if you don't have an index named perfmon, then just point to where you would like the data to be with index = otherwise it will sit in main (default index)

0 Karma

maffreitas
Path Finder

Hi Adonio, thank you for your feedback.

I think this is a bug in perfmon network ingestion... Trying to ingest Windows Perfmon Network Data, we realized the ingestion just doesn't work, even after following all required configuration steps. The strangest thing was that network ingestion is the only one which is not working. Others like memory, CPU and disk are working regularly.

After some exhaustive tests, we identified the problem: When a host is deployed on a server class, which has Network Perfmon app activated, Splunk creates a new entry at inputs.conf file referencing the following content:

            Object = Network

We noticed that the correct object at inputs.conf in order to have the ingestion working should be:

            Object = Network Interface

It is not feasible to perform the adjustment on all inputs.conf files manually, because we know it was not going to work, since the inputs.conf file is wrongly re-created every time a host is added to a server class.

0 Karma
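
The mismatch described in the last post (a deployed stanza carrying `object = Network` while the host only exposes `Network Interface`) can be caught by linting inputs.conf before it is deployed. This is an added example, not part of the thread or of Splunk's tooling; `KNOWN_OBJECTS`, `SAMPLE_INPUTS`, `parse_stanzas` and `lint_perfmon` are hypothetical names, and the object list and sample text are constructed.

```python
import re

# Constructed sample: object names a Windows host reports (for instance
# gathered from `typeperf -q`); this list is an assumption, not thread data.
KNOWN_OBJECTS = {"Network Interface", "Processor", "Memory", "LogicalDisk"}

# Constructed inputs.conf text modelled on the stanzas posted in the thread.
SAMPLE_INPUTS = """\
[perfmon://Network]
counters = Bytes Total/sec; Packets/sec
disabled = 1
object = Network

[perfmon://Network Interface]
counters = Bytes Received/sec;Bytes Sent/sec;
disabled = 0
object = Network Interface
"""

def parse_stanzas(text):
    """Return {stanza_name: {key: value}} for inputs.conf-style text."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def lint_perfmon(text, known_objects):
    """Return (stanza, problem) pairs for perfmon inputs that cannot collect."""
    findings = []
    for name, settings in parse_stanzas(text).items():
        if not name.startswith("perfmon://"):
            continue
        obj = settings.get("object")
        if obj not in known_objects:  # exact match; also catches a missing key
            findings.append((name, f"object {obj!r} not found on host"))
        if settings.get("disabled", "0").lower() in ("1", "true"):
            findings.append((name, "input is disabled"))
    return findings

if __name__ == "__main__":
    for stanza, problem in lint_perfmon(SAMPLE_INPUTS, KNOWN_OBJECTS):
        print(f"{stanza}: {problem}")
```

A silent telemetry gap like this one produces no error in the forwarder logs, so a check of this kind belongs in whatever pipeline publishes apps to the deployment server.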