$decideOnStartup Remote Perfmon

matthewcanty
Communicator

Hi Everyone.

Perfmon logging used to work for me by placing what should have been in perfmon.conf into inputs.conf. Here is an example inputs.conf to illustrate what I mean.

[monitor:///C:\logs\Splunk]
disabled = false

[perfmon://Processor Information]
interval = 10
object = Processor Information
counters = % Processor Time;
instances = _Total
disabled = 0

I've just looked and noticed that once the perfmon logs reach the Splunk indexer they are being attributed with $decideOnStartup for the host.

I have noted that for remote monitoring I should be using WMI; however, the documentation looks incredibly long-winded and non-trivial.

Why is only the host unobtainable?

I hope there can be some answers - works 4.3!!!

Matt

Additional Info:

Sorry, I should have made this apparent. I am using an image with a Splunk Forwarder installed on it. Then when I want to build a new server the Forwarder will boot up and start passing on PerfMon logs giving the relevant host.

Also

If I were to go down the WMI route, this requires the service to be logged on to a domain account with certain privileges. Since the domain is going to be different on each server, every instance of Splunk on a new build is not going to be able to log in...

jeff
Contributor

To be clear... are your forwarders running 4.3? You can set host to $decideOnStartup in inputs.conf starting with Splunk 5.0... it's not an option in 4.3 (so if you have it set on a 4.3 forwarder, you're setting it to the literal value $decideOnStartup).

Also, verify that you followed the instructions for installing a forwarder on a system image.

edit
Okay, based on some of what I read above (specifying perfmon counters in inputs.conf for example) and another post it looks like you are indeed running Splunk 5... I note there was an issue fixed in 5.0.2 with $decideOnStartup for web-uploaded content. I wonder whether this might be another bug? Does the other data from your forwarders come across with the correct hostname?

jeff
Contributor

Two courses of action to go through:

  1. Try statically adding the correct hostname in etc/system/local/inputs.conf as jonuwz suggests below on one of your forwarders to see if this resolves the problem.

  2. Whether or not it does, file a bug report with Splunk at http://www.splunk.com/page/submit_issue.


matthewcanty
Communicator

I have tried upgrading. I've upped the Web and one of our forwarders to 5.0.2 and still not seeing any perfmon come under that host. So maybe this is a bug?


matthewcanty
Communicator

Hi. Yes, other data arrives and is put under the correct host. I am using 5.0.1 web and forwarders. I will upgrade.


jonuwz
Influencer

Found something here

Try putting

[default]
host = <string>

at the top of system\local\inputs.conf and restarting
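
Added example, not part of any post in this thread and not Splunk's own code: a small audit that can be run against an image's inputs.conf before cloning, to see which host each input would report and which inputs would send the token itself as the host value. It assumes a single file with no layering across other .conf directories, takes the "not expanded before 5.0" rule from jeff's reply above, and uses a constructed sample in which `build-web-01` is a made-up hostname.

```python
# Added example: report the host each input in one inputs.conf would use.
import re

TOKEN = "$decideOnStartup"

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, "default"  # settings before any header are global
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def effective_hosts(text):
    """Map each input stanza to its host: its own setting, else [default]'s."""
    stanzas = parse_conf(text)
    fallback = stanzas.get("default", {}).get("host")
    return {name: keys.get("host", fallback)
            for name, keys in stanzas.items() if name != "default"}

def literal_token_inputs(text, version):
    """Stanzas that would ship the token itself as host.
    Assumption from the thread: forwarders older than 5.0 do not expand it."""
    if version >= (5, 0):
        return []
    return [n for n, h in effective_hosts(text).items() if h == TOKEN]

# Constructed sample: the question's stanzas plus a [default] host line.
SAMPLE = r"""
[default]
host = $decideOnStartup

[monitor:///C:\logs\Splunk]
disabled = false

[perfmon://Processor Information]
object = Processor Information
counters = % Processor Time;
host = build-web-01
"""

if __name__ == "__main__":
    print(effective_hosts(SAMPLE), literal_token_inputs(SAMPLE, (4, 3)))
```
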

matthewcanty
Communicator

Updated my question with info as to why this is not possible.
