
splunk-perfmon.exe exited with code -1


Hello,

I am trying to find out why I receive the following message: "ExecProcessor - Ran script: "$SPLUNK_HOME\bin\splunk-perfmon.exe" -index perfmon, took 46.88 milliseconds to run, 0 bytes read, exited with code -1".

I am layering the following apps: splunk_Windows_TA, TA-DNSServer-NT6, TA-DomainController-NT6.

Below is my btool output for inputs.conf in debug mode. The first column (truncated here) shows which app, or the system default, supplies each setting:


system [SSL]
system _rcvbuf = 1572864
system cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
system evt_resolve_ad_obj = 0
system host = fozzie
system index = default
Splunk_TA_ [WinEventLog:Application]
system _rcvbuf = 1572864
Splunk_TA_ checkpointInterval = 5
Splunk_TA_ current_only = 0
Splunk_TA_ disabled = 0
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
system evt_resolve_ad_obj = 0
system host = fozzie
Splunk_TA_ index = winevents
Splunk_TA_ start_from = oldest
TA-DomainC [WinEventLog:DFS Replication]
system _rcvbuf = 1572864
TA-DomainC disabled = 0
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
system evt_resolve_ad_obj = 0
system host = fozzie
TA-DomainC index = winevents
TA-DomainC queue = parsingQueue
TA-DomainC sourcetype = "WinEventLog:DFS Replication"
TA-DNSServ [WinEventLog:DNS Server]
system _rcvbuf = 1572864
TA-DNSServ disabled = false
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
system evt_resolve_ad_obj = 0
system host = fozzie
TA-DNSServ index = winevents
TA-DNSServ queue = parsingQueue
TA-DNSServ sourcetype = WinEventLog:DNS-Server
TA-DomainC [WinEventLog:Directory Service]
system _rcvbuf = 1572864
TA-DomainC disabled = 0
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
system evt_resolve_ad_obj = 0
system host = fozzie
TA-DomainC index = winevents
TA-DomainC queue = parsingQueue
TA-DomainC sourcetype = "WinEventLog:Directory Service"
TA-DomainC [WinEventLog:File Replication Service]
system _rcvbuf = 1572864
TA-DomainC disabled = 0
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
system evt_resolve_ad_obj = 0
system host = fozzie
TA-DomainC index = winevents
TA-DomainC queue = parsingQueue
TA-DomainC sourcetype = "WinEventLog:File Replication Service"
system [WinEventLog:ForwardedEvents]
system _rcvbuf = 1572864
system checkpointInterval = 5
system current_only = 0
system disabled = 1
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
system evt_resolve_ad_obj = 0
system host = fozzie
system index = default
system start_from = oldest
system [WinEventLog:HardwareEvents]
system _rcvbuf = 1572864
system checkpointInterval = 5
system current_only = 0
system disabled = 1
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
system evt_resolve_ad_obj = 0
system host = fozzie
system index = default
system start_from = oldest
system [WinEventLog:Internet Explorer]
system _rcvbuf = 1572864
system checkpointInterval = 5
system current_only = 0
system disabled = 1
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
system evt_resolve_ad_obj = 0
system host = fozzie
system index = default
system start_from = oldest
TA-DomainC [WinEventLog:Key Management Service]
system _rcvbuf = 1572864
TA-DomainC disabled = 0
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
system evt_resolve_ad_obj = 0
system host = fozzie
TA-DomainC index = winevents
TA-DomainC queue = parsingQueue
TA-DomainC sourcetype = "WinEventLog:Key Management Service"
Splunk_TA_ [WinEventLog:Security]
system _rcvbuf = 1572864
Splunk_TA_ checkpointInterval = 5
Splunk_TA_ current_only = 0
Splunk_TA_ disabled = 0
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
Splunk_TA_ evt_resolve_ad_obj = 1
system host = fozzie
Splunk_TA_ index = winevents
Splunk_TA_ start_from = oldest
system [WinEventLog:Setup]
system _rcvbuf = 1572864
system checkpointInterval = 5
system current_only = 0
system disabled = 1
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
system evt_resolve_ad_obj = 0
system host = fozzie
system index = default
system start_from = oldest
Splunk_TA_ [WinEventLog:System]
system _rcvbuf = 1572864
Splunk_TA_ checkpointInterval = 5
Splunk_TA_ current_only = 0
Splunk_TA_ disabled = 0
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
system evt_resolve_ad_obj = 0
system host = fozzie
Splunk_TA_ index = winevents
Splunk_TA_ start_from = oldest
system [batch://C:\Program Files\splunk\var\spool\splunk]
system _rcvbuf = 1572864
system crcSalt =
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
system evt_resolve_ad_obj = 0
system host = fozzie
system index = default
system move_policy = sinkhole
system [batch://C:\Program Files\splunk\var\spool\splunk...stash_new]
system _rcvbuf = 1572864
system crcSalt =
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
system evt_resolve_ad_obj = 0
system host = fozzie
system index = default
system move_policy = sinkhole
system queue = stashparsing
system sourcetype = stash_new
system [fschange:C:\Program Files\splunk\etc]
system _rcvbuf = 1572864
system delayInMills = 100
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
system evt_resolve_ad_obj = 0
system filesPerDelay = 10
system followLinks = false
system fullEvent = false
system hashMaxSize = -1
system host = fozzie
system index = default
system pollPeriod = 600
system recurse = true
system sendEventMaxSize = -1
system signedaudit = true
Splunk_TA_ [fschange:C:\Windows\System32\drivers\etc]
system _rcvbuf = 1572864
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
system evt_resolve_ad_obj = 0
Splunk_TA_ hashMaxSize = 1048576
system host = fozzie
Splunk_TA_ index = winevents
Splunk_TA_ pollPeriod = 30
system [monitor://C:\Program Files\splunk\etc\splunk.version]
system _TCP_ROUTING = *
system _rcvbuf = 1572864
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
system evt_resolve_ad_obj = 0
system host = fozzie
system index = _internal
system sourcetype = splunk_version
system [monitor://C:\Program Files\splunk\var\log\splunk]
system _rcvbuf = 1572864
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
system evt_resolve_ad_obj = 0
system host = fozzie
system index = _internal
Splunk_TA_ [monitor://C:\Windows\System32\DHCP]
system _rcvbuf = 1572864
Splunk_TA_ crcSalt =
Splunk_TA_ disabled = 1
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
system evt_resolve_ad_obj = 0
system host = fozzie
system index = default
Splunk_TA_ sourcetype = DhcpSrvLog
Splunk_TA_ whitelist = DhcpSrvLog*
TA-DNSServ [monitor://C:\Windows\System32\Dns\dns.log]
system _rcvbuf = 1572864
TA-DNSServ disabled = false
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
system evt_resolve_ad_obj = 0
system host = fozzie
TA-DNSServ index = msad
TA-DNSServ sourcetype = MSAD:NT6:DNS
Splunk_TA_ [monitor://C:\Windows\WindowsUpdate.log]
system _rcvbuf = 1572864
Splunk_TA_ disabled = 0
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
system evt_resolve_ad_obj = 0
system host = fozzie
Splunk_TA_ index = winevents
Splunk_TA_ sourcetype = WindowsUpdateLog
TA-DomainC [monitor://C:\Windows\debug\netlogon.log]
system _rcvbuf = 1572864
TA-DomainC disabled = false
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
system evt_resolve_ad_obj = 0
system host = fozzie
TA-DomainC index = msad
TA-DomainC sourcetype = MSAD:NT6:Netlogon
Splunk_TA_ [perfmon://CPUTime]
Splunk_TA_ counters = % Processor Time;% User Time
Splunk_TA_ disabled = 1
system host = fozzie
system index = default
Splunk_TA_ instances = _Total
Splunk_TA_ interval = 10
Splunk_TA_ object = Processor
TA-DomainC [perfmon://DFS_Replicated_Folders]
TA-DomainC counters = *
TA-DomainC disabled = 0
system host = fozzie
TA-DomainC index = perfmon
TA-DomainC instances = *
TA-DomainC interval = 60
TA-DomainC object = DFS Replicated Folders
TA-DNSServ [perfmon://DNS]
TA-DNSServ counters = *
TA-DNSServ disabled = 0
system host = fozzie
system index = default
TA-DNSServ interval = 60
TA-DNSServ object = DNS
Splunk_TA_ [perfmon://FreeDiskSpace]
Splunk_TA_ counters = Free Megabytes;% Free Space
Splunk_TA_ disabled = 1
system host = fozzie
system index = default
Splunk_TA_ instances = *
Splunk_TA_ interval = 10
Splunk_TA_ object = LogicalDisk
Splunk_TA_ [perfmon://LocalNetwork]
Splunk_TA_ counters = *
Splunk_TA_ disabled = 0
system host = fozzie
Splunk_TA_ index = perfmon
Splunk_TA_ instances = *
Splunk_TA_ interval = 60
Splunk_TA_ object = Network Interface
Splunk_TA_ [perfmon://LogicalDisk]
Splunk_TA_ counters = *
Splunk_TA_ disabled = 0
system host = fozzie
Splunk_TA_ index = perfmon
Splunk_TA_ instances = *
Splunk_TA_ interval = 60
Splunk_TA_ object = LogicalDisk
Splunk_TA_ [perfmon://Memory]
Splunk_TA_ counters = *
Splunk_TA_ disabled = 0
system host = fozzie
Splunk_TA_ index = perfmon
Splunk_TA_ instances = *
Splunk_TA_ interval = 60
Splunk_TA_ object = Memory
TA-DomainC [perfmon://NTDS]
TA-DomainC counters = *
TA-DomainC disabled = 0
system host = fozzie
TA-DomainC index = perfmon
TA-DomainC interval = 60
TA-DomainC object = NTDS
Splunk_TA_ [perfmon://Processor]
Splunk_TA_ counters = *
Splunk_TA_ disabled = 0
system host = fozzie
Splunk_TA_ index = perfmon
Splunk_TA_ instances = _Total
Splunk_TA_ interval = 60
Splunk_TA_ object = Processor
system [script]
system _rcvbuf = 1572864
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
system evt_resolve_ad_obj = 0
system host = fozzie
system index = default
system interval = 60.0
TA-DomainC [script://C:\Program Files\splunk\bin\scripts\splunk-admon.path]
system _rcvbuf = 1572864
TA-DomainC disabled = false
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
system evt_resolve_ad_obj = 0
system host = fozzie
TA-DomainC index = msad
TA-DomainC interval = 3600
system persistentQueueSize = 50MB
system queue = winparsing
system source = ActiveDirectory
system sourcetype = ActiveDirectory
################## Section in question ########################
Splunk_TA_ [script://C:\Program Files\splunk\bin\scripts\splunk-perfmon.path]
system _rcvbuf = 1572864
Splunk_TA_ disabled = 0
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
system evt_resolve_ad_obj = 0
system host = fozzie
Splunk_TA_ index = perfmon
Splunk_TA_ interval = 60
Splunk_TA_ queue = winparsing
Splunk_TA_ source = PerformanceMonitor

############################################################
system [script://C:\Program Files\splunk\bin\scripts\splunk-regmon.path]
system _rcvbuf = 1572864
system disabled = 0
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
system evt_resolve_ad_obj = 0
system host = fozzie
system index = default
system interval = 10000000
system persistentQueueSize = 50MB
system queue = winparsing
system source = WinRegistry
system sourcetype = WinRegistry
system [script://C:\Program Files\splunk\bin\scripts\splunk-wmi.path]
system _rcvbuf = 1572864
system disabled = 0
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
system evt_resolve_ad_obj = 0
system host = fozzie
system index = default
system interval = 10000000
system persistentQueueSize = 200MB
system queue = winparsing
system source = wmi
system sourcetype = wmi
Splunk_TA_ [script://C:\Program Files\splunk\etc\apps\Splunk_TA_windows\bin\win_installed_apps.bat]
system _rcvbuf = 1572864
Splunk_TA_ disabled = 0
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
system evt_resolve_ad_obj = 0
system host = fozzie
Splunk_TA_ index = winevents
Splunk_TA_ interval = 86400
Splunk_TA_ sourcetype = Script:InstalledApps
Splunk_TA_ [script://C:\Program Files\splunk\etc\apps\Splunk_TA_windows\bin\win_listening_ports.bat]
system _rcvbuf = 1572864
Splunk_TA_ disabled = 0
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
system evt_resolve_ad_obj = 0
system host = fozzie
Splunk_TA_ index = winevents
Splunk_TA_ interval = 3600
Splunk_TA_ sourcetype = Script:ListeningPorts
TA-DNSServ [script://C:\Program Files\splunk\etc\apps\TA-DNSServer-NT6\bin\runpowershell.cmd dns-health.ps1]
system _rcvbuf = 1572864
TA-DNSServ disabled = false
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
system evt_resolve_ad_obj = 0
system host = fozzie
TA-DNSServ index = msad
TA-DNSServ interval = 3600
TA-DNSServ source = Powershell
TA-DNSServ sourcetype = MSAD:NT6:DNS-Health
TA-DNSServ [script://C:\Program Files\splunk\etc\apps\TA-DNSServer-NT6\bin\runpowershell.cmd dns-zoneinfo.ps1]
system _rcvbuf = 1572864
TA-DNSServ disabled = false
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
system evt_resolve_ad_obj = 0
system host = fozzie
TA-DNSServ index = msad
TA-DNSServ interval = 3600
TA-DNSServ source = Powershell
TA-DNSServ sourcetype = MSAD:NT6:DNS-Zone-Information
TA-DomainC [script://C:\Program Files\splunk\etc\apps\TA-DomainController-NT6\bin\runpowershell.cmd ad-health.ps1]
system _rcvbuf = 1572864
TA-DomainC disabled = false
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
system evt_resolve_ad_obj = 0
system host = fozzie
TA-DomainC index = msad
TA-DomainC interval = 300
TA-DomainC source = Powershell
TA-DomainC sourcetype = MSAD:NT6:Health
TA-DomainC [script://C:\Program Files\splunk\etc\apps\TA-DomainController-NT6\bin\runpowershell.cmd ad-repl-stat.ps1]
system _rcvbuf = 1572864
TA-DomainC disabled = false
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
system evt_resolve_ad_obj = 0
system host = fozzie
TA-DomainC index = msad
TA-DomainC interval = 300
TA-DomainC source = Powershell
TA-DomainC sourcetype = MSAD:NT6:Replication
TA-DomainC [script://C:\Program Files\splunk\etc\apps\TA-DomainController-NT6\bin\runpowershell.cmd siteinfo.ps1]
system _rcvbuf = 1572864
TA-DomainC disabled = false
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
system evt_resolve_ad_obj = 0
system host = fozzie
TA-DomainC index = msad
TA-DomainC interval = 3600
TA-DomainC source = Powershell
TA-DomainC sourcetype = MSAD:NT6:SiteInfo
system [splunktcp]
system _rcvbuf = 1572864
system acceptFrom = *
system connection_host = ip
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
system evt_resolve_ad_obj = 0
system host = fozzie
system index = default
system route = has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:indexQueue;absent_key:_linebreaker:parsingQueue
system [tcp]
system _rcvbuf = 1572864
system acceptFrom = *
system connection_host = dns
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
system evt_resolve_ad_obj = 0
system host = fozzie
system index = default
system [udp]
system _rcvbuf = 1572864
system connection_host = ip
Splunk_TA_ evt_dc_name =
Splunk_TA_ evt_dns_name =
system evt_resolve_ad_obj = 0
system host = fozzie
system index = default


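This turned out to be a non-issue. I removed the [script://...\splunk-perfmon.path] stanza (the "Section in question" in the btool output above) and relied only on the [perfmon://...] inputs to collect the counters.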



I have the same problem, and I don't understand your answer.
