Getting Data In

Why is Windows universal forwarder always sending performance stats to the main index every 10 seconds?

randric
Engager

I am trying to forward the performance stats (CPU, Memory) from Windows Universal forwarder to Splunk Indexer on remote server (Linux 6.2.3). I am modifying the inputs.conf file in /etc/system/local,but whatever I do, as soon as I start the Windows Forwarder Server, Splunk Indexer gets performance stats every 10 seconds in the main index (instead of perfmon index I have created for this purpose).

inputs.conf looks like:

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

# Perfmon: Windows performance monitoring examples
[perfmon://LocalMainMemory]
interval = 60
object = Memory
counters = Committed Bytes; Available Bytes; % Committed Bytes In Use
disabled = 0
index = perfmon

[perfmon://LocalPhysicalDisk]
interval = 60
object = PhysicalDisk
counters = Disk Bytes/sec; % Disk Read Time; % Disk Write Time; % Disk Time
instances = *
disabled = 0
index = perfmon

[perfmon://Processor]
object = Processor
instances = _Total
counters = % Processor Time;% User Time
useEnglishOnly = 1
interval = 60
disabled = 0

Did anybody experience this issue? Any suggestions?

1 Solution

nk-1
Path Finder

I define the PerfMon stanzas in

C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf

not

C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf

View solution in original post

bmacias84
Champion

You should install you config under the $SPLUNK_HOME/etc/apps . If you want to find out why your configs are not work correctly. Run the following

$SPLUNK_HOME/etc/bin/splunk cmd btool --debug inputs list

This command will out put debug statement will out the final inputs.conf file as applied with your server/machine. It will include which file is override each stanza and settings.

0 Karma

nk-1
Path Finder

I define the PerfMon stanzas in

C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf

not

C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf

randric
Engager

Thank you sir - this fixed it. Did I miss this in documentation somewhere?

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...