Hello everybody,
I'm trying to configure an entity in Splunk Insights for Infrastructure. When I ran the script to add data on Windows 10, it doesn't get synchronized. I kept waiting for more than 5 minutes, and it doesn't work.
I tried it with another OS, Debian in fact, and it worked. That only happens with Windows 10 and Windows Server 2016. No errors during installation, no errors while the script is running. I also tried installing in Splunk Enterprise with the Splunk for Infrastructure app and it doesn't work, but I can receive data by Splunk forwarder into the searcher and run SPL commands.
I don't know what's happening here. I would like to monitor it using Splunk Insights for Infrastructure as well. Any ideas?
Regards,
Can you try some things to debug this?
On your Windows Machine, check if UF is actually sending data to SAI (Splunk App for Infrastructure):
${SPLUNK_HOME}/bin/splunk list forward-server
If yes, on your SAI instance, run this search (check if SAI has the metrics data in the em_metrics index):
| mcatalog values("host") , values("_dims") as "dims" WHERE metric_name=processor.* AND index=em_metrics BY "host" | table host
Thanks for the reply.
I checked whether it is actually sending data. After running that command, I see:
Active forwards:
x.x.x.x:9997
Configured but inactive forwards:
None.
In SAI, I tried to find the em_metrics index, but I didn't find it. The most similar was em_entity_manager, but it brought back no information.
I couldn't run that query...
Any idea?
If I investigate Events, I see some which are from the Splunk Forwarder: splunkd, uf. Others don't work...
Looks like you don't have "Add-on for Infrastructure" installed for Splunk App for Infra. Could you please confirm?
Follow documentation for both Windows and Linux monitoring:
https://docs.splunk.com/Documentation/InfraApp/1.2.2/Install/Install
I tried both versions, I mean, Splunk Insights for Infrastructure: https://www.splunk.com/en_us/software/splunk-enterprise/infrastructure-insights.html
and Splunk Enterprise with the SAI app... But I'm now working with https://www.splunk.com/en_us/software/splunk-enterprise/infrastructure-insights.html
Can you try some commands on your SII instance using CLI?
${SPLUNK_HOME}/bin/splunk search '| mstats avg(_value) WHERE index=em_metrics AND metric_name=* by host, metric_name'
${SPLUNK_HOME}/bin/splunk search '| mstats avg(_value) WHERE index=em_metrics AND metric_name=* AND entity_type="Windows_Host" by host, metric_name'
Both queries return an empty result...
Check the perfmon stanzas in your UF's inputs.conf file. Can you provide one of the input stanzas here?
Did you try this troubleshooting doc?
https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Cantfinddata#Are_you_using_forwa...
In my inputs.conf I have the following:
[default]
host= DESKTOP-UI28CEE
Is something wrong here?
You have to check inputs.conf in the UF's "\etc\apps\SplunkUniversalForwarder\local\inputs.conf". This file will have the perfmon stanzas.
I think you should file a "Splunk Support ticket" for quicker resolution.
Or try the troubleshooting doc mentioned above.
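
An added example, not written by anyone in this thread: a small Python check that reads the text of a forwarder's inputs.conf and reports whether it contains perfmon stanzas and which index each one writes to. It assumes perfmon inputs meant for SAI should target the em_metrics index searched above; both sample files are constructed.

```python
# Added example (not from the thread): audit a UF inputs.conf for perfmon stanzas.
import re

EXPECTED_INDEX = "em_metrics"  # assumption: the index the thread's mstats searches query

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; later keys win."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def audit_perfmon(text):
    """Return findings; an empty list means every perfmon input targets EXPECTED_INDEX."""
    stanzas = parse_conf(text)
    default_index = stanzas.get("default", {}).get("index")
    perfmon = {n: kv for n, kv in stanzas.items() if n.lower().startswith("perfmon://")}
    if not perfmon:
        return ["no perfmon:// stanzas found in this file"]
    findings = []
    for name, kv in perfmon.items():
        if kv.get("disabled", "0").lower() in ("1", "true"):
            findings.append(f"[{name}] is disabled")
        index = kv.get("index", default_index) or "(unset)"
        if index != EXPECTED_INDEX:
            findings.append(f"[{name}] writes to index {index}, not {EXPECTED_INDEX}")
    return findings

# Constructed samples: the first mirrors the file posted in the thread.
ONLY_DEFAULT = "[default]\nhost = DESKTOP-UI28CEE\n"
WITH_PERFMON = """[default]
host = DESKTOP-UI28CEE
[perfmon://CPU]
object = Processor
counters = % Processor Time
instances = *
index = em_metrics
[perfmon://Memory]
object = Memory
counters = Available Bytes
"""

if __name__ == "__main__":
    for label, sample in (("only default", ONLY_DEFAULT), ("with perfmon", WITH_PERFMON)):
        print(label, "->", audit_perfmon(sample) or "OK")
```

To check a real forwarder, pass the contents of the inputs.conf file named in the reply above to `audit_perfmon`.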