@qhmassc Try adding "entity_type::Windows_Host" to your _meta fields in "inputs.conf"
It should look like:
[perfmon://CPU Load]
counters = % C1 Time;% C2 Time;% Idle Time;% Processor Time;% User Time;% Privileged Time;% Reserved Time;% Interrupt Time
instances = *
interval = 30
object = Processor
index = em_metrics
_meta = os::"Microsoft Windows" entity_type::Windows_Host
Similarly add other perfmon data you want to add using the sample inputs.conf file.
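Added example (not part of the original post, and not Splunk's own tooling): a small check of the layout the post above describes, flagging perfmon stanzas whose index is not em_metrics or whose _meta lacks entity_type::Windows_Host. The sample inputs.conf text is constructed for illustration, and the function names are hypothetical.

```python
import configparser
import shlex

# Constructed sample: Memory lacks entity_type, Network uses the wrong index.
SAMPLE_INPUTS_CONF = '''
[perfmon://CPU Load]
counters = % Idle Time;% Processor Time;% User Time
object = Processor
index = em_metrics
_meta = os::"Microsoft Windows" entity_type::Windows_Host

[perfmon://Memory]
object = Memory
index = em_metrics
_meta = os::"Microsoft Windows" location::seattle

[perfmon://Network]
object = Network Interface
index = main
_meta = os::"Microsoft Windows" entity_type::Windows_Host
'''

def parse_meta(value):
    """Split a _meta value into {dimension: value}, honouring quoted values."""
    dims = {}
    for token in shlex.split(value):
        key, sep, val = token.partition("::")
        if sep:
            dims[key] = val
    return dims

def check_perfmon_stanzas(text, index="em_metrics", entity_type="Windows_Host"):
    """Return {stanza: [problems]} for perfmon stanzas that differ from the post's layout."""
    # '=' only as delimiter and no interpolation: values contain '%' and '::'.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(text)
    findings = {}
    for stanza in cp.sections():
        if not stanza.lower().startswith("perfmon://"):
            continue
        problems = []
        if cp.get(stanza, "index", fallback="") != index:
            problems.append("index is not " + index)
        dims = parse_meta(cp.get(stanza, "_meta", fallback=""))
        if dims.get("entity_type") != entity_type:
            problems.append("_meta lacks entity_type::" + entity_type)
        if problems:
            findings[stanza] = problems
    return findings
```

Calling check_perfmon_stanzas() on the text of a forwarder's local inputs.conf returns an empty dict when every perfmon stanza matches.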
It seems that you don't have "inputs.conf" configured in the Universal Forwarder of the Windows machine you are monitoring. You need to add all the performance counters you want to collect. Can you check?
See this for sample inputs.conf: https://answers.splunk.com/answers/699711/can-you-help-me-use-the-splunk-app-for-infrastruct.html#answer-699721

What version of SAI (Splunk App for Infra) are you using?
Do you have Splunk Add-on for Windows installed on the same instance as SAI? If yes, that may be the problem.

Yes, SAI will be installed in the search head.
Index is set as "em_metrics" in UF's inputs.conf for "perfmon:*" metrics data as mentioned in the above links.
Just make sure you have Add-on for infra installed in your indexers. https://splunkbase.splunk.com/app/4217/
See the docs for more info http://docs.splunk.com/Documentation/InfraApp/1.2.2/Install/DistributedDeployment

You need to set up inputs.conf (add all metrics and logs data to collect) and outputs.conf (send data to SAI instance) on existing Splunk Universal Forwarders.
Here is a useful link:
http://docs.splunk.com/Documentation/InfraApp/1.2.2/Admin/ManualInstallWindowsUF
Something similar to this :
https://answers.splunk.com/answers/699711/can-you-help-me-use-the-splunk-app-for-infrastruct.html#answer-699721

Please verify the token in collectd.conf with the SII "Add Data" page script.
Make sure "LoadPlugin cpu" or "Hostname" is not commented out in collectd.conf. Also, check that collectd is actually running.
If still not solved, try restarting collectd again and post collectd.log here.

instances = * OR instances = _Total for CPU Load
Add dimensions in _meta field in inputs.conf:
Example:
_meta = os::"Microsoft Windows" location::seattle anykey::anyvalue

monitoring_machine will be indexers in your case.
You should be able to use this doc to set up your outputs.conf
http://docs.splunk.com/Documentation/Splunk/7.2.1/Forwarding/Setuploadbalancingd
Splunk Insights for Infrastructure uses Splunk Universal Forwarder for Windows data collection. So, as long as Splunk UF is supported and you can run the powershell script to configure it, everything will work.
Here is the supported OS doc for UF:
http://docs.splunk.com/Documentation/Splunk/7.2.0/Installation/Systemrequirements#Windows_operating_systems
Check the (Settings -> Data Inputs -> HTTP Event Collector):
It should have HEC token like:
Name : "Any Name"
Token Value : < token used in collectd.conf settings>
SourceType: "em_metrics"
Index: "em_metrics"
Make sure you are using "em_metrics" as both sourcetype and index.
Check your "/etc/collectd.conf" file on your RHEL7 server. See what the "Hostname <>" field is in this file.

One thing:
"Splunk Add-on for Windows may not be compatible with Splunk App for Infrastructure."
https://docs.splunk.com/Documentation/InfraApp/1.2.0/ReleaseNotes/Knownissues
If you have both "Add-on for Windows" and "App for Infrastructure" on the same Splunk instance, it might not work. Otherwise, it should work fine. Make sure you use "index=em_metrics" for perfmon data in your inputs.conf.
For monitoring using Splunk App for Infrastructure:
Redhat 6.7/6.8 servers are supported.
Windows 2008R2 is not officially supported. But, it might still work.

Try these:
1. Check if you can ping server with Insights of Infrastructure installed from client.
2. Check if port 9997 on SII server is open.
3. Try "bin/splunk list forward-server" on the client to check any active/inactive forwards. [ If you don't have any admin account created, use user-seed.conf to create one. http://docs.splunk.com/Documentation/Splunk/7.2.0/Security/Secureyouradminaccount]
4. If you still have issues, can you provide your inputs.conf on your client? ("$SPLUNK_HOME\etc\apps\SplunkUniversalForwarder\local\inputs.conf")

If you are an existing Splunk customer, please file a support case so we can pick up some more details about your environment.
Have you tried these troubleshooting docs?
http://docs.splunk.com/Documentation/Splunk/7.1.2/Troubleshooting/AdvancedWindowsTroubleshooting
http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Cantfinddata
I think hostname should not be a problem. You can change it using:
https://answers.splunk.com/answers/154999/how-can-i-change-the-default-hostname-in-splunk.html
Can I see your props and transforms.conf file located in etc\apps\splunk_app_infrastructure\default\ ?
Also, can you try this search:
| mstats count where host=* AND metric_name=* by index,host,metric_name
Could you try this CLI command and see if you have any active forwards?
Go to C:\Program Files\SplunkUniversalForwarder\bin and do
".\splunk list forward-server"
If you don't have any user account created, you can follow this to create an account:
https://docs.splunk.com/Documentation/Splunk/7.1.2/Installation/StartSplunkforthefirsttime
"Create administrator credentials manually"
It seems you might have issue with your Windows system. If I google "ping localhost general failure", I can see many results with solutions to fix it. You might have to try that to fix it. Let me know if it still doesn't work.