I'd like to add some details. We worked together with donhuanmatus on this issue. The real problem is that we get sporadic values for the counters when we collect them with the Light Weight Forwarder (LWF). More precisely, we get very few values from a bunch of counters of the types he mentioned, collected every 6 minutes. For example, we have only 5 or 10 sporadic values for them during the day. We collect our own counters that are 'average value' and 'value per second'. Good examples of counters of those types are 'Physical Disk\Avg. Disk Queue Length' and 'Physical Disk\Disk Read Bytes/sec'. We also have a number of simple incremental counters that are successfully collected, so the problem is with the counters of those specific types.
When we started debugging the WQL used by LWF, we found that splunk-wmi returns zero all the time even though non-zero values are shown in Performance Monitor. So we also tried to collect anything for Windows built-in counters like the ones mentioned above from the 'Physical Disk' category and had no success.
malmoore wrote that WBEMTEST also didn't return values for the counters 'Avg. Disk Queue Length' and 'Physical Disk\Disk Read Bytes/sec', which confuses me. So let me rephrase the question. Could someone experienced provide an example of WQL that collects the counters 'Physical Disk\Avg. Disk Queue Length' and 'Physical Disk\Disk Read Bytes/sec' correctly? Having such an example, we can dig deeper and make our own counters work.
Thanks, any help will be much appreciated!