Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Windows Perfmon Collection Issue
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Having some issues with collecting % Processor Time for processes. My inputs.conf is configured with the below stanza:
[perfmon://Process]
counters = % Processor Time; etc.
instances = *
disabled = 0
interval = 600
object = Process
sourcetype = Process
index = Test
The server has roughly 63 processes going at anytime and for most counters, I get that many instances returned when I search. However, for % Processor Time I cant seem to get back more than 18 instances. And if I bounce Splunk on the forwarder I get back a different number of instances every time.
Anyone else have this issue when trying to collect % Processor Time for Processes? Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By default, Splunk drops zero value perfmon data and so you get gaps in your data - this can be modified by using the ShowZeroValue option in the input stanza. This article explains this issue in more details
http://blogs.splunk.com/2013/10/28/new-features-for-perfmon-in-splunk-6/
I have found perfmon collecting from the 6.3.1 forwarder to be unstable and get data drops quite often when other counters are working ok through Splunk. I am assuming this is due to the amount of data being collected compared to other counters, but still seems strange (maybe a bug?) So you need to monitor this behaviour and make sure the data feed is stable.
I have modified my perfmon collection to use the new MK counters detailed in the same article and found they save a significant amount of space compared to the standard data format - this is especially the case for process data, where you may have hundreds of processes running concurrently. The events themselves are not easy to understand, but the data is automatically extracted to the relevant fields and so still easy enough to manipulate.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By default, Splunk drops zero value perfmon data and so you get gaps in your data - this can be modified by using the ShowZeroValue option in the input stanza. This article explains this issue in more details
http://blogs.splunk.com/2013/10/28/new-features-for-perfmon-in-splunk-6/
I have found perfmon collecting from the 6.3.1 forwarder to be unstable and get data drops quite often when other counters are working ok through Splunk. I am assuming this is due to the amount of data being collected compared to other counters, but still seems strange (maybe a bug?) So you need to monitor this behaviour and make sure the data feed is stable.
I have modified my perfmon collection to use the new MK counters detailed in the same article and found they save a significant amount of space compared to the standard data format - this is especially the case for process data, where you may have hundreds of processes running concurrently. The events themselves are not easy to understand, but the data is automatically extracted to the relevant fields and so still easy enough to manipulate.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Works great, thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After some testing, and probably listed, somewhere in the documentation. It appears that it will only report back on a process that has CPU usage during the pull. Memory and other things will always return as the system always reserve some memory for a process. Again, it makes since, for peace of mind I was still hoping it would return a value for every process. I could be wrong but this seems to be the explanation.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you clarify what version of the Splunk Forwarder you are running and the type of Windows system on which it is running?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
O sorry, Its 6.4.3 and this is on a 2008 server, same issue on 2012 though.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
SplunkTrust Application Period is Officially OPEN!
