Splunk ITSI

Splunk Insights for Infrastructure - adding windows data

davidvazquezp
New Member

Hello everybody,

Im trying to configure an entity in Splunk Insights for Infrastructure. When I ran the script to add data in a Windows 10, it doesn´t get synchronized. I kept waiting during more than 5 minutes, and it doesn´t work.
I tryed it with another OS, in fact Debian, it worked. That only happen with Windows 10 and Windows Server 2016. No errors during installation, no errors during the Scripts is running. Also I tryed installing in Splunk Enterprise with Splunk for Infrastructure APP and it doens´t work, but I can receive data by splunk forwarder into the searcher and run SPL commands.

I don´t know whats happening here. I would like to monitoring it using Splunk Insights for Infrastructure also. Any idea?

Regards,

0 Karma

dagarwal_splunk
Splunk Employee
Splunk Employee

Can you try some things to debug this ?

On your Windows Machine, check if UF is actually sending data to SAI (Splunk App for Infrastructure):
${SPLUNK_HOME}/bin/splunk list forward-server

If yes, On your SAI Instance, run this search (check if SAI has the metrics data in the em_metrics index):
| mcatalog values("host") , values("_dims") as "dims" WHERE metric_name=processor.* AND index=em_metrics BY "host" | table host

0 Karma

davidvazquezp
New Member

Thanks for reply.

I checked if is actually sending data. After running that command, I see:
Active forwards:
x.x.x.x:9997
Configured but inactive forwards:
None.

In SAI, I tryed to find the em_metrics index, but I didnt reach it. The most similar was em_entity_manager but not information bringed.
I couldn´t run that query...
¿Any idea?

0 Karma

davidvazquezp
New Member

If I investigate Events, I see some which are from the Splunk Forwarder: splunkd, uf. Others don´t work...

0 Karma

dagarwal_splunk
Splunk Employee
Splunk Employee

Looks like you don't have "Add-on for Infrastructure" installed for Splunk App for Infra. Could you please confirm?

Follow documentation for both Windows and Linux monitoring:
https://docs.splunk.com/Documentation/InfraApp/1.2.2/Install/Install

0 Karma

davidvazquezp
New Member

I tryed both versions, I mean, Splunk Insights for Infrastructure: https://www.splunk.com/en_us/software/splunk-enterprise/infrastructure-insights.html
and Splunk Enterprise with SAI App... But Im now working with https://www.splunk.com/en_us/software/splunk-enterprise/infrastructure-insights.html

0 Karma

dagarwal_splunk
Splunk Employee
Splunk Employee

Can you try some commands on your SII instance using CLI?

${SPLUNK_HOME}/bin/splunk search '| mstats avg(_value) WHERE index=em_metrics AND metric_name=* by host, metric_name'

${SPLUNK_HOME}/bin/splunk search '| mstats avg(_value) WHERE index=em_metrics AND metric_name=* AND entity_type="Windows_Host" by host, metric_name'

0 Karma

davidvazquezp
New Member

both querys answer empty result...

0 Karma

dagarwal_splunk
Splunk Employee
Splunk Employee

Check perfmon stanza's in your UF's inputs.conf file. Can you provide one of the input stanza here?

0 Karma

dagarwal_splunk
Splunk Employee
Splunk Employee
0 Karma

davidvazquezp
New Member

In my inputs.conf I have the following:

[default]
host= DESKTOP-UI28CEE

is something wrong here?

0 Karma

dagarwal_splunk
Splunk Employee
Splunk Employee

You have to check inputs.conf in UF's "\etc\apps\SplunkUniversalForwarder\local\inputs.conf". This file will have perfmon stanzas.

I think you should file "Splunk Support ticket" for quicker resolution.
Or try the troubleshooting doc mentioned above.

0 Karma
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...