Splunk Insights for Infrastructure - adding window...

davidvazquezp · ‎02-10-2019

Hello everybody,

Im trying to configure an entity in Splunk Insights for Infrastructure. When I ran the script to add data in a Windows 10, it doesn´t get synchronized. I kept waiting during more than 5 minutes, and it doesn´t work.
I tryed it with another OS, in fact Debian, it worked. That only happen with Windows 10 and Windows Server 2016. No errors during installation, no errors during the Scripts is running. Also I tryed installing in Splunk Enterprise with Splunk for Infrastructure APP and it doens´t work, but I can receive data by splunk forwarder into the searcher and run SPL commands.

I don´t know whats happening here. I would like to monitoring it using Splunk Insights for Infrastructure also. Any idea?

Regards,

dagarwal_splunk · ‎02-11-2019

Can you try some things to debug this ?

On your Windows Machine, check if UF is actually sending data to SAI (Splunk App for Infrastructure):
${SPLUNK_HOME}/bin/splunk list forward-server

If yes, On your SAI Instance, run this search (check if SAI has the metrics data in the em_metrics index):
| mcatalog values("host") , values("_dims") as "dims" WHERE metric_name=processor.* AND index=em_metrics BY "host" | table host

davidvazquezp · ‎02-12-2019

Thanks for reply.

I checked if is actually sending data. After running that command, I see:
Active forwards:
x.x.x.x:9997
Configured but inactive forwards:
None.

In SAI, I tryed to find the em_metrics index, but I didnt reach it. The most similar was em_entity_manager but not information bringed.
I couldn´t run that query...
¿Any idea?

davidvazquezp · ‎02-12-2019

If I investigate Events, I see some which are from the Splunk Forwarder: splunkd, uf. Others don´t work...

dagarwal_splunk · ‎02-12-2019

Looks like you don't have "Add-on for Infrastructure" installed for Splunk App for Infra. Could you please confirm?

Follow documentation for both Windows and Linux monitoring:
https://docs.splunk.com/Documentation/InfraApp/1.2.2/Install/Install

davidvazquezp · ‎02-12-2019

I tryed both versions, I mean, Splunk Insights for Infrastructure: https://www.splunk.com/en_us/software/splunk-enterprise/infrastructure-insights.html
and Splunk Enterprise with SAI App... But Im now working with https://www.splunk.com/en_us/software/splunk-enterprise/infrastructure-insights.html

dagarwal_splunk · ‎02-13-2019

Can you try some commands on your SII instance using CLI?

${SPLUNK_HOME}/bin/splunk search '| mstats avg(_value) WHERE index=em_metrics AND metric_name=* by host, metric_name'

${SPLUNK_HOME}/bin/splunk search '| mstats avg(_value) WHERE index=em_metrics AND metric_name=* AND entity_type="Windows_Host" by host, metric_name'

davidvazquezp · ‎02-13-2019

both querys answer empty result...

dagarwal_splunk · ‎02-14-2019

Check perfmon stanza's in your UF's inputs.conf file. Can you provide one of the input stanza here?

dagarwal_splunk · ‎02-14-2019

Did you try this troubleshooting doc?
https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Cantfinddata#Are_you_using_forwa...

davidvazquezp · ‎02-18-2019

In my inputs.conf I have the following:

[default]
host= DESKTOP-UI28CEE

is something wrong here?

dagarwal_splunk · ‎02-21-2019

You have to check inputs.conf in UF's "\etc\apps\SplunkUniversalForwarder\local\inputs.conf". This file will have perfmon stanzas.

I think you should file "Splunk Support ticket" for quicker resolution.
Or try the troubleshooting doc mentioned above.

Splunk Insights for Infrastructure - adding windows data

Announcing the Expansion of the Splunk Academic Alliance Program

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Buttercup Games: Further Dashboarding Techniques (Part 7)