Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Windows app on LInux Indexer

jameszh
New Member
‎05-06-2011 04:05 PM

Hi,

The following is my setup.

Indexer is running on Linux, and App "Splunk for Windows" installed on it. Universal Forwarder is installed on another Windows Server, forwarding everything to the indexer.

I can see windows event log, but in the Performance Management windows, all 5 pane are empty. Wondering if the app only works on Windows indexer, not linux indexer.

Thanks,
James

0 Karma
Reply

jameszh
New Member
‎05-09-2011 09:46 AM

This works, thanks MarioM!

0 Karma
Reply

MarioM
Motivator
‎05-09-2011 09:59 AM

and can you accept the answer.Thanks 😜

0 Karma
Reply

MarioM
Motivator
‎05-09-2011 09:57 AM

Be aware that MS WMI is very resource hungry.Then you might need to adapt the interval.

0 Karma
Reply

MarioM
Motivator
‎05-09-2011 07:57 AM

in your UF installation you need a wmi.conf for example in splunk\etc\system\local with the following:

   [WMI:CPUTime]
    ## Run every 5 minutes
    interval = 300
    wql = SELECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"
    disabled = false

    [WMI:FreeDiskSpace]
    interval = 10
    wql = SELECT Name,FreeMegabytes FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk
    disabled = false

    [WMI:LocalPhysicalDisk]
    interval = 10
    wql = select Name,CurrentDiskQueueLength,DiskBytesPerSec,PercentDiskReadTime,PercentDiskWriteTime,PercentDiskTime from Win32_PerfFormattedData_PerfDisk_PhysicalDisk
    disabled = false

    [WMI:LocalProcesses]
    ## Run every 5 minutes
    interval = 300
    wql = select Name,IDProcess,PrivateBytes,PercentProcessorTime from Win32_PerfFormattedData_PerfProc_Process
    disabled = false

    [WMI:LocalNetwork]
    ## Run every 5 minutes
    interval = 300
    wql = select Name,BytesReceivedPerSec,BytesSentPerSec,BytesTotalPerSec,CurrentBandwidth from Win32_PerfFormattedData_Tcpip_NetworkInterface
    disabled = false

    [WMI:Memory]
    ## Run every 5 minutes
    interval = 300
    wql = select PagesPerSec,AvailableMBytes,CommittedBytes,PercentCommittedBytesInUse from Win32_PerfFormattedData_PerfOS_Memory
    disabled = false
Reply

jameszh
New Member
‎05-09-2011 06:38 AM

It seems Universal Forwarder doesn't forward wmi, only eventlog + perfmon, I can't see WMI: source in the main splunk. How can I collect wmi data from windows in Linux?

Thanks,
James

0 Karma
Reply

MarioM
Motivator
‎05-08-2011 10:43 PM

Do you see any WMI:* source or sourcetype in your main splunk ?

You could search internal log for any issues:

index="_*" WMI*
Reply

jameszh
New Member
‎05-08-2011 03:05 PM

The Universal Forwarder in Windows is configured to forward wmi data to the indexer(receiving is enabled in indexer as well). What else needs to be done in indexer to show the performance data from windows?

Thanks,
James

0 Karma
Reply

MarioM
Motivator
‎05-08-2011 02:24 AM

The windows app does work on linux (i mean searches,reports,dashboard) and the performance management dashboard based it's searching over WMI data, so if you're not indexing WMI:* these will not load.

Also if using Perfmon:* it will not work.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...