Splunk Search

Reporting on or displaying local PerfMon data

naydenk
Path Finder

Hello
I just set up a trial install of Splunk (running with an Enterprise license at the moment). My version is 4.2.5, build 113966. I have one universal forwarder that is functioning fine, as far as I can tell (it is forwarding data from Event Logs to the indexer) - the UF was installed with this command line:

msiexec.exe /i splunkforwarder-4.2.5-113966-x64-release.msi AGREETOLICENSE=Yes RECEIVING_INDEXER="indexer_server:9997" DEPLOYMENT_SERVER="indexer_server:8089" WINEVENTLOG_APP_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 /quiet

I created a couple of entries in the C:\Program Files\SplunkUniversalForwarder\etc\system\local\perfmon.conf file of the UF, as follows:

[Perfmon:LocalPhysicalDisk]
interval = 15
object = PhysicalDisk
counters = Disk Bytes/sec; % Disk Read Time; % Disk Write Time; % Disk Time; Avg. Disk sec/Read; Avg. Disk sec/Write
instances = *
disabled = 0
index = ic_perfdatadb

[Perfmon:LocalMainMemory]
interval = 15
object = Memory
counters = Committed Bytes; Available Bytes; % Committed Bytes In Use
disabled = 0
index = ic_perfdatadb

There are also a few entries (preconfigured) for WMI perfmon counter collection.

My problem... I see the WMI collection data (e.g. source=WMI:Memory) from host=indexer_server, I also see entries from Perfmon (e.g. source=Perfmon:Network Interface) from host=indexer_server. What I do NOT see are the perfmon entries from my UF... It almost looks like I have forgotten to enable something, however I DO see that the entries are being sent from the UF to the indexer - the index "ic_perfdatadb" was specifically created for these perf counters and I can see it growing constantly...

Thanks!

0 Karma
1 Solution

gkanapathy
Splunk Employee

Hmm, are you specifically querying for data in that index when you are looking for it, i.e., do your queries contain index=ic_perfdatadb, or else does your user's role include that index to be searched by default?


naydenk
Path Finder

Now that you put it that way... 🙂 I did not know I could do that, nor did I know the admin user didn't have access to all by default... I added the new indexes I created to the role and now I see! Thank you!

0 Karma

gkanapathy
Splunk Employee

The admin has access, but it's just not queried by default.

0 Karma
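
The two role settings behind the accepted answer, shown as an added example that is not part of the original thread. The index name ic_perfdatadb comes from the question; the role name, the file location, and the other values are assumptions for illustration.

```ini
# authorize.conf on the instance where searches are run
# (assumed location: $SPLUNK_HOME/etc/system/local/authorize.conf)

[role_admin]
# Indexes this role is permitted to search when the query names them,
# e.g.  index=ic_perfdatadb | stats count by host, source
# Value shown is an assumption; keep whatever your role already has.
srchIndexesAllowed = *;_*

# Indexes searched when the query contains no index= term.
# A custom index that is allowed but not listed here receives data and
# grows on disk, yet never appears in an unqualified search.
# "main" is an assumed existing entry; ic_perfdatadb is the addition.
srchIndexesDefault = main;ic_perfdatadb
```

Keeping a custom index out of srchIndexesDefault and naming it with index= in each search is the narrower option: the role's default search scope stays small, and only roles whose srchIndexesAllowed covers the index can read it at all.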
