Hi Giuseppe,

I am thinking to keep the powershell script and scripted input as a last option if there is no native splunk capability. I have tried to enable perfmon counters and instances as wildcard and checked the logs using Splunk App for Infrastructure.

[perfmon://CPU]
counters = *
instances = *
interval = 60
object = Processor
mode = single
useEnglishOnly = true
sourcetype = PerfmonMetrics:CPU
index = em_metrics

But still I cannot find these application pools as metric names in the query

|mstats avg(_value) prestats=true WHERE environment="PROD" AND entity_type="Windows_Host" AND host=myhost AND metric_name=* AND  "index"="em_*" span=1m BY "host" 
|timechart avg(_value) as "Avg" agg=max limit=100 useother=false span=5m BY "metric_name".

Please let me know if there is any other native option.

Regards,

Vedhajanani

Hi @developmenttool,

as I said, see in Splunkbase, TA section, if there's a TA that takes the information you need (maybe the TA-Windows is sufficient).

then how to deploy results is an easy following problem, the main job is to extract data.

Ciao.

Giuseppe

Hi @gcusello ,

https://docs.splunk.com/Documentation/WindowsAddOn/8.0.0/User/Configuration

I cannot find any config which monitors the CPU and memory for worker processes 

So we should proceed with scripted input only right?

https://www.anexinet.com/blog/powershell-script-to-list-worker-processors-and-their-application-pool...

Please help me if you can suggest any better native add-on which does the same.

Regards,

Vedhajanani

Hi @developmenttool,

Sorry, I didn't used scripted inputs for this scope, only for others!

but if you well know the script to obtain your result, you can run it in Splunk inseriting the script input in inputs.conf.

To understand how to use scripted inputs, you can see documentation or copy and modify a scripted inputs in TA_Windows.

In this way the script output will be ingested in Splunk.

Then you have to parse the results to extract the structured informations.

I cannot help you in script development, I can help you in results parsing.

Ciao.

Giuseppe

Hii @gcusello ,

Yes. I have the working script and I can configure the scripted input as well. I would like to confirm if there is any splunk native add-on which does the same thing so that I can use the add-on itself instead of scripted input. If you confirm that there is no TA config for this, I will go with my scripted input itself.

Regards,

Vedhajanani

Hi @developmenttool,

I don't know it but I cannot exclude that it exists!

Anyway, if you have the script you can add it to the TA_Windows ot create your own TA.

Then you have to parse the output.

Ciao.

Giuseppe

Hi @gcusello ,

I am going with scripted inputs in my windows universal forwarder. This is my configuration in inputs:

[powershell://Processes-EX1]
disabled = false
script = . "C:\Program Files\SplunkUniversalForwarder\etc\apps\myapp\bin\WPSMonitor.ps1"
index = myindex
schedule = * * * * *
sourcetype = stdout:wps:script

It is entering my script WPSMonitor.ps1 but it is throwing the below error:

ERROR Executing script=. "C:\Program Files\SplunkUniversalForwarder\etc\apps\myapp\bin\WPSMonitor.ps1" for stanza=Processes-EX1 failed with exception=The term '“Handle=”' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again

I have used $filter = “Handle=” + $p.Id in my script.

Do you have any idea on this error?

Regards,

Vedhajanani

Hi @developmenttool,

Sorry, I'm not an expert in scripting!

only one dubt: the cron scheduling executes the script every minute, are you sure?

Ciao.

Giuseppe