I have a Splunk Deployment Server that pull the apps to UF. I have create an app WinPerfmon and inside of inputs.conf:
[perfmon://LogicalDisk]
counters = % Free Space; Free Megabytes
disabled = 0
instances = *
interval = 10
object = LogicalDisk
useEnglishOnly=true
## Memory
[perfmon://Memory]
counters = Available MBytes
disabled = 0
interval = 10
object = Memory
useEnglishOnly=true
The app is created on UF but splunk-perfmon.exe is running one second and after is closed and not send any data to the indexer.
In splunkd.log:
07-08-2020 16:57:32.423 +0200 DEBUG ExecProcessor - Running: "C:\Program Files\HomeOffSec\bin\splunk-perfmon.exe" on PipelineSet 0
07-08-2020 16:57:32.423 +0200 DEBUG ExecProcessor - PipelineSet 0: Created new ExecedCommandPipe for ""C:\Program Files\HomeOffSec\bin\splunk-perfmon.exe"", uniqueId=5
07-08-2020 16:57:32.423 +0200 DEBUG QueueManager - Failed to parse memory queueSize for path=perfmon and conf=inputs.
07-08-2020 16:57:32.423 +0200 DEBUG QueueManager - Failed to parse queueSize for path=perfmon and conf=inputs.
07-08-2020 16:57:32.423 +0200 DEBUG QueueManager - Memory queueSize for path=perfmonand conf=inputs and queueName=execProcessorInternalQ set to 512000.
I have other app WinEventlog and splunk-wineventlog.exe is working.
UF has been installed as Windows local admin user.
Could any help me please? Should I do something else in Windows?
Yes i have checked it and have not found any error about perfmon.
07-08-2020 18:14:00.521 +0200 INFO SpecFiles - Found external scheme definition for stanza="perfmon://" from spec file="C:\Program Files\HomeOffSec\etc\system\README\inputs.conf.spec" with parameters="object, counters, instances, interval, mode, samplingInterval, stats, disabled, showZeroValue, useEnglishOnly, useWinApiProcStats, formatString, usePDHFmtNoCap100"
07-08-2020 18:14:01.402 +0200 INFO ModularInputs - Introspection setup completed for scheme "perfmon".
07-08-2020 18:14:01.838 +0200 INFO ExecProcessor - New scheduled exec process: "C:\Program Files\HomeOffSec\bin\splunk-perfmon.exe"
Thanks a lot.
Hi @Mai_splunk ,
did you tried to deploy (eventually only in one server) the last version of Splunk_TA_Windows?
because I see some differences with you perfmon.
Ciao.
Giuseppe
Hi @gcusello yes, im working with the last version available in splunkbase 8.0.0
Hi @Mai_splunk ,
the inputs.conf in splunkbase is different from your:
your
[perfmon://LogicalDisk]
counters = % Free Space; Free Megabytes
disabled = 0
instances = *
interval = 10
object = LogicalDisk
useEnglishOnly=true
[perfmon://Memory]
counters = Available MBytes
disabled = 0
interval = 10
object = Memory
useEnglishOnly=true
TA_Windows:
[perfmon://LogicalDisk]
counters = % Free Space; Free Megabytes; Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
disabled = 1
instances = *
interval = 10
mode = multikv
object = LogicalDisk
useEnglishOnly=true
[perfmon://Memory]
counters = Page Faults/sec; Available Bytes; Committed Bytes; Commit Limit; Write Copies/sec; Transition Faults/sec; Cache Faults/sec; Demand Zero Faults/sec; Pages/sec; Pages Input/sec; Page Reads/sec; Pages Output/sec; Pool Paged Bytes; Pool Nonpaged Bytes; Page Writes/sec; Pool Paged Allocs; Pool Nonpaged Allocs; Free System Page Table Entries; Cache Bytes; Cache Bytes Peak; Pool Paged Resident Bytes; System Code Total Bytes; System Code Resident Bytes; System Driver Total Bytes; System Driver Resident Bytes; System Cache Resident Bytes; % Committed Bytes In Use; Available KBytes; Available MBytes; Transition Pages RePurposed/sec; Free & Zero Page List Bytes; Modified Page List Bytes; Standby Cache Reserve Bytes; Standby Cache Normal Priority Bytes; Standby Cache Core Bytes; Long-Term Average Standby Cache Lifetime (s)
disabled = 1
interval = 10
mode = multikv
object = Memory
useEnglishOnly=true
I understand that you're taking less counters, but mode = multikv is missing.
Ciao.
Giuseppe
Yes, because i want monitor only some counters and not all of them. The selected mode there is not a problem to ingest the data, but i tried both and the same problem, no data ingested.
Thanks!