Hi,
I am trying to figure out how to configure the Splunk TA for Windows so that I can forward all machines' performance counters. So far, I have installed Splunk for Windows on two search heads and use a deployment server to distribute the Splunk TA to all UFs. I enabled WindowsUpdate.log in Splunk_TA_windows\local\inputs.conf:
###### Windows Update Log ######
[monitor://$WINDIR\WindowsUpdate.log]
disabled = 0
sourcetype = WindowsUpdateLog
So, for sourcetype = windowsupdatelog, I can see all machines show up in host. It is working as expected. But when I turned on the Splunk 5.0+ Performance Counters by setting disabled = 0:
## CPUTime
[perfmon://CPUTime]
counters = % Processor Time;% User Time
disabled = 0
instances = _Total
interval = 10
object = Processor
## Disk
[perfmon://FreeDiskSpace]
counters = Free Megabytes;% Free Space
disabled = 0
instances = *
interval = 10
object = LogicalDisk
I verified the change has been deployed to all UFs. However, I can't find such info showing up in my search head when checking the Windows Management dashboard (only the SH itself has info like CPU metrics, memory metrics... in there). Did I miss something here? The online documentation for the latest TA is broken (link in the old version: http://docs.splunk.com/Documentation/WindowsApp/4.6.3TA/User/AbouttheSplunkTechnologyAdd-on(TA)forWindows).
Thanks!