Update in case anyone else ends up here: our issue was when Process PerfMon counters were enabled.
I opened a support case and Splunk had a JIRA; the issue is resolved in 8.0.2. So the fix is to update to 8.0.2+ UFs on Windows.
In comparing, here is where I see the changes:
in /etc/system/bin/perfmon.cmd:
echo ^
echo ^useWinApiProcStats^
echo ^false^
echo ^false^
echo ^
in inputs.conf.spec:
useWinApiProcStats =
* Whether or not the Performance Monitor input uses process kernel mode and
user mode times to calculate CPU usage for a process, rather than using
the standard Performance Data Helper (PDH) APIs to calculate those values.
* A problem was found in the PDH APIs that causes Performance Monitor inputs
to show maximum values of 100% usage for a process on multicore Windows
machines, even when the process uses more than 1 core at a time.
* When you configure this setting to "true", the input uses the
GetProcessTime() function in the core Windows API to calculate
CPU usage for a process, for the following Performance Monitor
counters, only:
** Processor Time
** User Time
** Privileged Time
* This means that, if a process uses 5 of 8 cores on an 8-core machine, that
the input should return a value of around 500, rather than the incorrect 100.
* When you configure the setting to "false", the input uses the standard
PDH APIs to calculate CPU usage for a process. On multicore systems, the
maximum value that PDH APIs return is 100, regardless of the number of
cores in the machine that the process uses.
* Performance monitor inputs use the PDH APIs for all other Performance
Monitor counters. Configuring this setting has no effect on those counters.
* NOTE: If the Windows machine uses a non-English system locale, and you
have set 'useWinApiProcStats' to "true" for a Performance Monitor input,
then you must also set 'useEnglishOnly' to "true" for that input.
* Default: false
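The locale rule in the spec excerpt above can be checked mechanically. The following is an added example, not part of the original post and not Splunk's code: a small linter that flags `perfmon://` stanzas where `useWinApiProcStats` is on without `useEnglishOnly`. The sample stanzas, the finding codes and the `lint_perfmon` helper are constructed for illustration, and it assumes a conf file simple enough for Python's `configparser` to read.

```python
import configparser

# Constructed sample inputs.conf; stanza names and values are illustrative.
SAMPLE_INPUTS_CONF = """
[perfmon://ProcessGood]
object = Process
counters = % Processor Time; % User Time; % Privileged Time
useWinApiProcStats = true
useEnglishOnly = true

[perfmon://ProcessMissingEnglish]
object = Process
counters = % Processor Time
useWinApiProcStats = true

[perfmon://ProcessDefault]
object = Process
counters = % Processor Time
"""


def is_true(value):
    # Assumption: only "true" and "1" (case-insensitive) count as enabled.
    return value.strip().lower() in ("true", "1")


def lint_perfmon(conf_text, english_locale=False):
    """Return (stanza, code) findings for perfmon inputs in conf_text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # preserve the case of setting names
    parser.read_string(conf_text)
    findings = []
    for stanza in parser.sections():
        if not stanza.startswith("perfmon://"):
            continue
        opts = parser[stanza]
        # Default "false" for useWinApiProcStats is from the spec text above;
        # the same default for useEnglishOnly is an assumption.
        win_api = is_true(opts.get("useWinApiProcStats", "false"))
        english = is_true(opts.get("useEnglishOnly", "false"))
        if win_api and not english and not english_locale:
            findings.append((stanza, "NEEDS_ENGLISH_ONLY"))
        if win_api:
            # Values for the three CPU counters may exceed 100 on multicore hosts.
            findings.append((stanza, "CPU_MAY_EXCEED_100"))
    return findings


if __name__ == "__main__":
    for stanza, code in lint_perfmon(SAMPLE_INPUTS_CONF):
        print(stanza, code)
```

Pass `english_locale=True` for hosts known to run an English system locale, where the `useEnglishOnly` requirement in the NOTE does not apply.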