Splunk Search

Reporting on or displaying local PerfMon data

naydenk
Path Finder

Hello
I just set up a trial install of Splunk (running with an Enterprise license at the moment). My version is 4.2.5, build 113966. I have one universal forwarder that is functioning fine, as far as I can tell (it is forwarding data from Event Logs to the indexer) - the UF was installed with this command line:

msiexec.exe /i splunkforwarder-4.2.5-113966-x64-release.msi AGREETOLICENSE=Yes RECEIVING_INDEXER="indexer_server:9997" DEPLOYMENT_SERVER="indexer_server:8089" WINEVENTLOG_APP_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 /quiet

I created a couple of entries in the C:\Program Files\SplunkUniversalForwarder\etc\system\local\perfmon.conf file of the UF, as follows:

[Perfmon:LocalPhysicalDisk]
interval = 15
object = PhysicalDisk
counters = Disk Bytes/sec; % Disk Read Time; % Disk Write Time; % Disk Time; Avg. Disk sec/Read; Avg. Disk sec/Write
instances = *
disabled = 0
index = ic_perfdatadb

[Perfmon:LocalMainMemory]
interval = 15
object = Memory
counters = Committed Bytes; Available Bytes; % Committed Bytes In Use
disabled = 0
index = ic_perfdatadb

There are also a few entries (preconfigured) for WMI perfmon counter collection.

My problem... I see the WMI collection data (e.g. source=WMI:Memory) from host=indexer_server, I also see entries from Perfmon (e.g. source=Perfmon:Network Interface) from host=indexer_server. What I do NOT see are the perfmon entries from my UF... It almost looks like I have forgotten to enable something, however I DO see that the entries are being sent from the UF to the indexer - the index "ic_perfdatadb" was specifically created for these perf counters and I can see it growing constantly...

Thanks!


gkanapathy
Splunk Employee

Hmm, are you specifically querying for data in that index when you are looking for it, i.e., do your queries contain index=ic_perfdatadb, or else does your user's role include that index to be searched by default?
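As an added check (not part of the original thread), assuming the Splunk 4.x perfmon field names collection, object, counter, instance and Value, and that the admin role's current default-index list is only main: a search that confirms each forwarder is actually writing into ic_perfdatadb, saved as a report, followed by the authorize.conf change that makes the index searchable without an explicit index= clause.

```ini
# --- Verification search (run it in Search with the index named explicitly).
# Counting per forwarder host means a UF that is configured but silent shows
# up as a missing row rather than as a vague "no results found".
#
#   index=ic_perfdatadb source=Perfmon:* | stats count, max(_time) AS last_seen by host, source, object
#
# Kept as a report so it can be re-run or alerted on later (stanza name assumed):
# --- $SPLUNK_HOME/etc/system/local/savedsearches.conf ---
[Perfmon coverage by forwarder]
search = index=ic_perfdatadb source=Perfmon:* | stats count, max(_time) AS last_seen by host, source, object | convert ctime(last_seen)

# --- $SPLUNK_HOME/etc/system/local/authorize.conf (on the indexer) ---
# srchIndexesDefault lists the indexes a role searches when no index= clause
# is given; srchIndexesAllowed lists the indexes it may search at all. The
# admin role is already allowed everything, so only the default list needs
# the new index. Keep whatever is already in your default list and append.
[role_admin]
srchIndexesDefault = main;ic_perfdatadb
```

Adding the index to the role in Manager (Access controls > Roles), as the original poster did, writes the same setting; editing the file by hand needs a splunkd restart before it takes effect.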


naydenk
Path Finder

Now that you put it that way... 🙂 I did not know I could do that, nor did I know the admin user didn't have access to all by default... I added the new indexes I created to the role and now I see! Thank you!


gkanapathy
Splunk Employee

The admin has access, but it's just not queried by default.
