Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

interval in input.conf not followed, Windows add-on

mykol_j
Communicator
‎11-09-2020 09:02 AM

Windows add-on 8.0.0, Splunk 8.0.4.

No matter the interval settings in inputs.conf, they seem to run at random times. For example on one host alone, the "service" checker ran 9 times in one hour. The setting in the stanza is for once a day (86400). I've tried setting it other values -- nothing seems to matter.

Also happening on all other inputs (sourcetype=WinHostMon) that have an interval setting.

Disk, for example (also set interval = 86400) is running 2-16 times for host in one hour.

I've searched for this, and heard the descriptions of the scripts "taking a long time to run" yadda, yadda... but come on, not all of them...and these aren't scripts (and we have arguably over powered hardware running this). This is generating a *lot* of entries for our small test group of only 200.

Thoughts?

Thanks.

Mike

Labels (2)
Labels
0 Karma
Reply

SinghK
Builder
‎11-10-2020 12:36 AM

It all looks ok. Unless there is something that's doing an overide. can you try using btool to check if inputs are all correct.

0 Karma
Reply

mykol_j
Communicator
‎11-10-2020 08:21 AM

Great suggestion on using btool...

However, it confirmed that all is good. I'm focusing on [WinHostMon://Disk] for my test case.

I definitely have:

[WinHostMon://Disk]
interval = 86400
disabled = 0
type = Disk

And definitely confirmed my system is showing data for my Name="C:" at exactly 2 hour intervals... but once in a while only waits an hour in between. Go figure.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-09-2020 10:25 AM

What are the inputs.conf settings for the respective inputs and where are they set?  If you use universal forwarders then the settings must be on the UFs.  Be sure to restart Splunk after changing inputs.conf settings.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

mykol_j
Communicator
‎11-09-2020 11:40 AM

[WinHostMon://Disk]
interval = 86400
disabled = 0
type = Disk

...straight out-of-the-box -- (except that I enabled it and changed the interval). In these cases it's being handed out by a deployment server to UFs. Yes, I know the inputs.conf is being applied because other changes are reflected. There's only one app being applied. Yes, it's in local.

Yes, I know to restart/reload it...   😕

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top