Getting Data In

splunk-perfmon.exe not run

Mai_splunk
Explorer

I have a Splunk Deployment Server that pulls the apps to the UF. I have created an app, WinPerfmon, and inside its inputs.conf:

[perfmon://LogicalDisk]
counters = % Free Space; Free Megabytes
disabled = 0
instances = *
interval = 10
object = LogicalDisk
useEnglishOnly=true

## Memory
[perfmon://Memory]
counters = Available MBytes
disabled = 0
interval = 10
object = Memory
useEnglishOnly=true

The app is created on the UF, but splunk-perfmon.exe runs for one second, then closes and does not send any data to the indexer.

In splunkd.log:

07-08-2020 16:57:32.423 +0200 DEBUG ExecProcessor - Running: "C:\Program Files\HomeOffSec\bin\splunk-perfmon.exe" on PipelineSet 0
07-08-2020 16:57:32.423 +0200 DEBUG ExecProcessor - PipelineSet 0: Created new ExecedCommandPipe for ""C:\Program Files\HomeOffSec\bin\splunk-perfmon.exe"", uniqueId=5
07-08-2020 16:57:32.423 +0200 DEBUG QueueManager - Failed to parse memory queueSize for path=perfmon and conf=inputs.
07-08-2020 16:57:32.423 +0200 DEBUG QueueManager - Failed to parse queueSize for path=perfmon and conf=inputs.
07-08-2020 16:57:32.423 +0200 DEBUG QueueManager - Memory queueSize for path=perfmonand conf=inputs and queueName=execProcessorInternalQ set to 512000.

I have another app, WinEventlog, and splunk-wineventlog.exe is working.

The UF has been installed as a Windows local admin user.

Could anyone help me, please? Should I do something else in Windows?

0 Karma

richgalloway
SplunkTrust
Have you checked splunkd.log on the UF?
---
If this reply helps you, Karma would be appreciated.
0 Karma

Mai_splunk
Explorer

Hi @richgalloway

Yes, I have checked it and have not found any error about perfmon.

07-08-2020 18:14:00.521 +0200 INFO SpecFiles - Found external scheme definition for stanza="perfmon://" from spec file="C:\Program Files\HomeOffSec\etc\system\README\inputs.conf.spec" with parameters="object, counters, instances, interval, mode, samplingInterval, stats, disabled, showZeroValue, useEnglishOnly, useWinApiProcStats, formatString, usePDHFmtNoCap100"

07-08-2020 18:14:01.402 +0200 INFO ModularInputs - Introspection setup completed for scheme "perfmon".

07-08-2020 18:14:01.838 +0200 INFO ExecProcessor - New scheduled exec process: "C:\Program Files\HomeOffSec\bin\splunk-perfmon.exe"

Thanks a lot.

0 Karma

gcusello
SplunkTrust

Hi @Mai_splunk ,

Did you try to deploy (possibly on only one server) the latest version of Splunk_TA_Windows?

Because I see some differences from your perfmon.

Ciao.

Giuseppe

0 Karma

Mai_splunk
Explorer

Hi @gcusello, yes, I'm working with the latest version available on Splunkbase, 8.0.0.

0 Karma

gcusello
SplunkTrust

Hi @Mai_splunk ,

The inputs.conf in Splunkbase is different from yours:

Yours:

[perfmon://LogicalDisk]
counters = % Free Space; Free Megabytes
disabled = 0
instances = *
interval = 10
object = LogicalDisk
useEnglishOnly=true

[perfmon://Memory]
counters = Available MBytes
disabled = 0
interval = 10
object = Memory
useEnglishOnly=true

TA_Windows:

[perfmon://LogicalDisk]
counters = % Free Space; Free Megabytes; Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
disabled = 1
instances = *
interval = 10
mode = multikv
object = LogicalDisk
useEnglishOnly=true

[perfmon://Memory]
counters = Page Faults/sec; Available Bytes; Committed Bytes; Commit Limit; Write Copies/sec; Transition Faults/sec; Cache Faults/sec; Demand Zero Faults/sec; Pages/sec; Pages Input/sec; Page Reads/sec; Pages Output/sec; Pool Paged Bytes; Pool Nonpaged Bytes; Page Writes/sec; Pool Paged Allocs; Pool Nonpaged Allocs; Free System Page Table Entries; Cache Bytes; Cache Bytes Peak; Pool Paged Resident Bytes; System Code Total Bytes; System Code Resident Bytes; System Driver Total Bytes; System Driver Resident Bytes; System Cache Resident Bytes; % Committed Bytes In Use; Available KBytes; Available MBytes; Transition Pages RePurposed/sec; Free & Zero Page List Bytes; Modified Page List Bytes; Standby Cache Reserve Bytes; Standby Cache Normal Priority Bytes; Standby Cache Core Bytes; Long-Term Average Standby Cache Lifetime (s)
disabled = 1
interval = 10
mode = multikv
object = Memory
useEnglishOnly=true

I understand that you're taking fewer counters, but mode = multikv is missing.

Ciao.

Giuseppe

0 Karma
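The side-by-side comparison in the reply above can be done mechanically. This is an added example, not part of the original thread or of any Splunk tooling: it diffs the poster's Memory stanza against the reference one quoted above and reports keys that are absent, values that differ, and counters not present in the reference. The function names are hypothetical and the reference counter list is shortened here for readability.

```python
# Added example. Stanzas are from the thread; reference counters shortened.
DEPLOYED = """\
## Memory
[perfmon://Memory]
counters = Available MBytes
disabled = 0
interval = 10
object = Memory
useEnglishOnly=true
"""
REFERENCE = """\
[perfmon://Memory]
counters = Page Faults/sec; Available Bytes; Available MBytes
disabled = 1
interval = 10
mode = multikv
object = Memory
useEnglishOnly=true
"""

def parse_conf(text):
    """Parse stanza / key = value text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and not line.startswith("#") and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def counters(stanza):
    # The counters value is a semicolon-separated list of counter names.
    return {c.strip() for c in stanza.get("counters", "").split(";") if c.strip()}

def diff_stanzas(deployed, reference):
    """Per stanza: keys absent, values changed, counters not in reference."""
    report = {}
    for name, ref in reference.items():
        dep = deployed.get(name, {})
        report[name] = {
            "missing_keys": sorted(set(ref) - set(dep)),
            "changed": {k: (dep[k], ref[k]) for k in sorted(set(dep) & set(ref))
                        if k != "counters" and dep[k] != ref[k]},
            "extra_counters": sorted(counters(dep) - counters(ref)),
        }
    return report

print(diff_stanzas(parse_conf(DEPLOYED), parse_conf(REFERENCE)))
```

An empty `extra_counters` list only means every deployed counter name also appears in the reference list; it does not confirm that the counter exists on the host.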

Mai_splunk
Explorer

Yes, because I want to monitor only some counters and not all of them. The selected mode is not a problem for ingesting the data, but I tried both and got the same problem: no data ingested.

Thanks! 

0 Karma