
Splunk Insights for Infrastructure - adding windows data

New Member

Hello everybody,

I'm trying to configure an entity in Splunk Insights for Infrastructure. When I ran the script to add data on Windows 10, it doesn't get synchronized. I kept waiting for more than 5 minutes, and it doesn't work.
I tried it with another OS, Debian in fact, and it worked. That only happens with Windows 10 and Windows Server 2016. No errors during installation, no errors while the script is running. I also tried installing it in Splunk Enterprise with the Splunk for Infrastructure app and it doesn't work, but I can receive data from the Splunk forwarder in the searcher and run SPL commands.

I don't know what's happening here. I would like to monitor it using Splunk Insights for Infrastructure as well. Any idea?

Regards,

0 Karma

Re: Splunk Insights for Infrastructure - adding windows data

Splunk Employee

Can you try some things to debug this?

On your Windows Machine, check if UF is actually sending data to SAI (Splunk App for Infrastructure):
${SPLUNK_HOME}/bin/splunk list forward-server

If yes, on your SAI instance, run this search (check if SAI has the metrics data in the em_metrics index):
| mcatalog values("host"), values("_dims") as "dims" WHERE metric_name=processor.* AND index=em_metrics BY "host" | table host

0 Karma

Re: Splunk Insights for Infrastructure - adding windows data

New Member

Thanks for the reply.

I checked if it is actually sending data. After running that command, I see:
Active forwards:
x.x.x.x:9997
Configured but inactive forwards:
None.

In SAI, I tried to find the em_metrics index, but I didn't reach it. The most similar was ementity_manager, but it brought no information.
I couldn't run that query...
Any idea?

0 Karma

Re: Splunk Insights for Infrastructure - adding windows data

New Member

If I investigate Events, I see some which are from the Splunk Forwarder: splunkd, uf. Others don't work...

0 Karma

Re: Splunk Insights for Infrastructure - adding windows data

Splunk Employee

Looks like you don't have "Add-on for Infrastructure" installed for Splunk App for Infra. Could you please confirm?

Follow documentation for both Windows and Linux monitoring:
https://docs.splunk.com/Documentation/InfraApp/1.2.2/Install/Install

0 Karma

Re: Splunk Insights for Infrastructure - adding windows data

New Member

I tried both versions, I mean, Splunk Insights for Infrastructure: https://www.splunk.com/en_us/software/splunk-enterprise/infrastructure-insights.html
and Splunk Enterprise with SAI App... But I'm now working with https://www.splunk.com/en_us/software/splunk-enterprise/infrastructure-insights.html

0 Karma

Re: Splunk Insights for Infrastructure - adding windows data

Splunk Employee

Can you try some commands on your SII instance using CLI?

${SPLUNK_HOME}/bin/splunk search '| mstats avg(_value) WHERE index=em_metrics AND metric_name=* by host, metric_name'

${SPLUNK_HOME}/bin/splunk search '| mstats avg(_value) WHERE index=em_metrics AND metric_name=* AND entity_type="WindowsHost" by host, metric_name'

0 Karma

Re: Splunk Insights for Infrastructure - adding windows data

New Member

Both queries return an empty result...

0 Karma

Re: Splunk Insights for Infrastructure - adding windows data

Splunk Employee

Check the perfmon stanzas in your UF's inputs.conf file. Can you provide one of the input stanzas here?

0 Karma
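
One way to carry out the perfmon stanza check requested above, as an added example that is not part of the thread or Splunk's own tooling. It assumes the perfmon inputs are expected to write to em_metrics, the index the thread's searches query; the sample inputs.conf and the function names are constructed for illustration.

```python
EXPECTED_INDEX = "em_metrics"  # assumption: the index the thread's searches query
# Constructed sample inputs.conf for illustration; not taken from the thread.
SAMPLE_INPUTS_CONF = """\
[default]
index = main
[perfmon://CPU]
object = Processor
counters = % Processor Time
index = em_metrics
[perfmon://Memory]
object = Memory
disabled = 1
index = em_metrics
[perfmon://LogicalDisk]
object = LogicalDisk
[WinEventLog://Security]
index = wineventlog
"""

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; unscoped keys go to 'default'."""
    stanzas, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def audit_perfmon(text, expected_index=EXPECTED_INDEX):
    """Return {stanza: [problems]} for every perfmon:// input in one inputs.conf."""
    stanzas = parse_conf(text)
    findings = {}
    for name, settings in stanzas.items():
        if not name.lower().startswith("perfmon://"):
            continue
        merged = {**stanzas["default"], **settings}  # [default] applies to all inputs
        problems = []
        if merged.get("disabled", "0").lower() in ("1", "true"):
            problems.append("disabled")
        if merged.get("index") != expected_index:
            problems.append(f"index={merged.get('index', '(unset)')}")
        findings[name] = problems
    return findings
```

This reads a single file; `splunk cmd btool inputs list --debug` on the forwarder shows the merged configuration across all apps and which file each setting comes from.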

Re: Splunk Insights for Infrastructure - adding windows data

Splunk Employee
0 Karma