Perfmon logging used to work for me by placing what should have been in perfmon.conf into inputs.conf. Here is an example inputs.conf to illustrate what I mean.
[monitor:///C:\logs\Splunk]
disabled = false

[perfmon://Processor Information]
interval = 10
object = Processor Information
counters = % Processor Time;
instances = _Total
disabled = 0
I've just looked and noticed that once the perfmon logs reach the Splunk indexer they are being attributed with $decideOnStartup for the host.
I have noted that for remote monitoring I should be using WMI; however, the documentation looks incredibly long-winded and non-trivial.
Why is only the host unobtainable?
I hope there can be some answers - works 4.3!!!
Sorry I should have made this apparent. I am using an image with a Splunk Forwarder installed on it. Then when I want to build a new server the Forwarder will boot up and start passing on PerfMon logs giving the relevant host.
If I were to go down the WMI route, this requires the service to be logged on to a domain account with certain privileges. Since the domain is going to be different on each server, every instance of Splunk on a new build is not going to be able to log in...
To be clear... are your forwarders running 4.3? You can set host to $decideOnStartup in inputs.conf starting with Splunk 5.0... it's not an option in 4.3 (so if you have it set on a 4.3 forwarder, you're setting it to the literal value $decideOnStartup).
Also, verify that you followed the instructions for installing a forwarder on a system image.
Okay, based on some of what I read above (specifying perfmon counters in inputs.conf for example) and another post it looks like you are indeed running Splunk 5... I note there was an issue fixed in 5.0.2 with $decideOnStartup for web-uploaded content. I wonder whether this might be another bug? Does the other data from your forwarders come across with the correct hostname?
I have tried upgrading. I've upped the Web and one of our forwarders to 5.0.2 and still not seeing any perfmon come under that host. So maybe this is a bug?
Two courses of action to go through:
Try statically adding the correct hostname in etc/system/local/inputs.conf as jonuwz suggests below on one of your forwarders to see if this resolves the problem.
Whether or not it does, file a bug report with Splunk at http://www.splunk.com/page/submit_issue.
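Added example, not part of the original thread: one way to apply the static-hostname suggestion above at first boot of a cloned image, by rewriting the text of etc/system/local/inputs.conf so that no stanza carries the literal $decideOnStartup. The function name pin_host, the hostname "web01" and the sample text (built from the inputs.conf posted in the question) are assumptions for illustration.

```python
import re
import socket

PLACEHOLDER = "$decideOnStartup"

# Constructed sample: the inputs.conf from the question, which has no host setting.
SAMPLE = r"""[monitor:///C:\logs\Splunk]
disabled = false

[perfmon://Processor Information]
interval = 10
object = Processor Information
counters = % Processor Time;
instances = _Total
disabled = 0
"""

def pin_host(conf_text, hostname=None):
    """Return inputs.conf text with a static host value.

    Every 'host = $decideOnStartup' line is replaced with the real name, and
    a host line is added to [default] when the global scope has none.
    """
    hostname = hostname or socket.gethostname()
    lines, stanza, default_idx, default_has_host = [], None, None, False
    for line in conf_text.splitlines():
        header = re.match(r"^\[(.+)\]\s*$", line.strip())
        setting = re.match(r"^host\s*=\s*(.*)$", line.strip())
        if header:
            stanza = header.group(1)
            if stanza == "default":
                default_idx = len(lines)
        elif setting:
            if setting.group(1).strip() == PLACEHOLDER:
                line = "host = " + hostname
            # Settings before any stanza header are global, like [default].
            if stanza in (None, "default"):
                default_has_host = True
        lines.append(line)
    if not default_has_host:
        if default_idx is None:
            lines[:0] = ["[default]", "host = " + hostname, ""]
        else:
            lines.insert(default_idx + 1, "host = " + hostname)
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(pin_host(SAMPLE, "web01"))
```

The forwarder reads inputs.conf at startup, so the rewritten file takes effect after the forwarder service is restarted.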