IT Operations Discussions
All the up-time. All the nines.

Splunk add-on for TA_windows generate a lot of perfmon data

Tankwell
Explorer

Hey all,
We have recently configured our new App for Microsoft Exchange, and we started to get a lot of perfmon data [about 20G a day from a given server]

We have wondered is a best practices about the polling frequency of perfmon counters like CPU, ThreadCount ?

We would like to turn down some of them in the inputs.conf in our forwarders, but we do not know if the Exchange app dashboards uses these values....

So 2 questions - 

  1.  Is there a bset practices using and polling perfmon data?
  2. Is there a way to know which perfmon counters The exchange app dashboards needs?

Thanks a lot  😊
Tankwell

Tags (1)
0 Karma

tscroggins
Motivator

@Tankwell 

Splunk App for Microsoft Exchange is a paid add-on. Best practices for performance monitoring in general may differ from best practices in this context. For example, the app expects perfmon events in single (more data, more expensive) rather than multikv (optimized data, less expensive) mode. Only Splunk can provide the reasoning behind this. I recommend contacting Splunk sales or support directly.

0 Karma

Tankwell
Explorer

We have also found a lot of winnetmon data....

Each packet was written as an event

Also we have renderxml attribute on windows event log inputs in order to save disk space....

 

Farthermore, we are looking for a way to keep a lot of events in the short term and only few of them in the long term.

For example, if we poll CPU information each 10 seconds, is there a way to save for a long term only 1 event per 5 minutes?

In general - is there a way to keep only few events from the index after a while?

 

 

 

 

0 Karma
Get Updates on the Splunk Community!

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...