Getting Data In

Windows performance counter question

Antioch
Path Finder

I'm using the windows app in my splunk instance and for the moment I'm only monitoring a handful of pc's and there perfmon data. What seems to be the issue is that the hosts field doesn't update to reflect the new pc's being added. I can see the data and review it, I just cant go to the performance tab and see it in real time, and the total number of hosts is not updated on the performance tab. I checked the manual and there's very little info on this. anyone have any ideas? The data for splunk is being saved in the default directory as I have not changed this.

Tags (2)
0 Karma
1 Solution

Antioch
Path Finder

Actually I have figured this out, It appears that local performance metrics are collected under different names then remote collection logs, and the windows app isn't setup to process these, it looks as though I need to alter the values in searches and reports so that it does. This is a bit short sighted by the app designers, as this appears to be the same with virtually all of the collection metrics within the splunk windows app.

View solution in original post

0 Karma

Antioch
Path Finder

Actually I have figured this out, It appears that local performance metrics are collected under different names then remote collection logs, and the windows app isn't setup to process these, it looks as though I need to alter the values in searches and reports so that it does. This is a bit short sighted by the app designers, as this appears to be the same with virtually all of the collection metrics within the splunk windows app.

0 Karma

okrabbe_splunk
Splunk Employee
Splunk Employee

alt textMuch of the data controls on the dashboards are generated by lookups that are generated in the background.

For whatever reason either the lookups are not geting updated or they are not getting updated fast enough for you. You can check on this by going to "Settings -> Lookup Management"

From here you can also manually regenerate the lookups.

There is some documentation about this as well located here:
http://docs.splunk.com/Documentation/WindowsApp/latest/User/Lookuptablereference

Antioch
Path Finder

No I left all the data going into the default index. it definitely has data as I can still go out and search for it, it just wont populate in this field.

0 Karma

okrabbe_splunk
Splunk Employee
Splunk Employee

So is there no data at all? The lookup generation needs some data in order for it to generate the lookups. Did you by any chance change anything from the defaults? For example, is your windows data coming into a different index?

0 Karma

Antioch
Path Finder

Well when I attempt to do the steps you outlined I just get an error saying no results. I had to wipe my splunk database for previous results for testing purposes, but now it appears to not identify any hosts at all

0 Karma

Antioch
Path Finder

I see, I will give that a shot. I ran into a license violation issue so Im waiting for that to clear up, hopefully I can get a reset license from support and I will give this a shot.

0 Karma

okrabbe_splunk
Splunk Employee
Splunk Employee

Yes, my point was that the dropdown on the dashboards is driven by these lookups. If the lookups and data are not generated, the dashboard will not show the data.

Did you rebuild thelookups? I will post a screen shot of what you should run.

0 Karma

Antioch
Path Finder

Well, the data itself is not the problem as I can go one of several places to view it, all this does is pull the most recent data for viewing as if I had searched for it specifically. What I want to be able to do is go under the performance tab in the windows app and see all hosts that I am monitoring data from show up, and have the hosts fields updated to reflect the correct total of hosts I am monitoring.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...