Building for the Splunk Platform

Unable to get the data for perfmon:logical disk in splunk

sathyasubburaj
Explorer

Unable to get the data for perfmon:logical disk in splunk .Below is the configuration file . But still Logical disk data is not seen in indexer .Is there any other way to configure it.

[perfmon://CPU Load]
counters = % Processor Time;% User Time
instances = _Total
interval = 10
object = Processor

[perfmon://Available Memory]
counters = Available Bytes
interval = 10
object = Memory

[perfmon://Free Disk Space]
counters = Free Megabytes;% Free Space
instances = _Total
interval = 3600
object = LogicalDisk

[perfmon://Network Interface]
counters = Bytes Received/sec;Bytes Sent/sec
instances = *
interval = 10
object = Network Interface

Tags (1)
0 Karma

woodcock
Esteemed Legend

You need to add disabled=false to each stanza. Make sure that everything that you change is inside a NEW file in the local directory; do not change anything in the default directory.

0 Karma

sathyasubburaj
Explorer

Hi All ,

I have tried the above but still am not getting logical disk data .Shall i enable (disable=0 ) in wmi.conf to get the logical disk data ?whether both the function are same ?


Usually disabled in favor of Perfmon counters

[WMI:FreeDiskSpace]
interval = 120
wql = SELECT Name,FreeMegabytes,PercentFreeSpace FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk
index = perfmon
disabled = 1

[WMI:LogicalDisk]
interval = 120
wql = SELECT Name,AvgDisksecPerRead,AvgDisksecPerWrite,AvgDisksecPerTransfer,DiskReadsPersec,DiskWritesPersec FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk
index = perfmon
disabled = 1

[WMI:LocalPhysicalDisk]
interval = 10
wql = SELECT Name, CurrentDiskQueueLength, DiskBytesPerSec, PercentDiskReadTime, PercentDiskWriteTime, PercentDiskTime FROM Win32_PerfFormattedData_PerfDisk_PhysicalDisk
index = perfmon
disabled = 1

0 Karma

adonio
Ultra Champion

try this in inputs.conf

[perfmon://LogicalDisk]
counters = % Free Space; Free Megabytes; Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
disabled = 0
instances = *
interval = 10
object = LogicalDisk
useEnglishOnly=true
index = perfmon

hope it helps

guilmxm
Influencer

Hi,

For each stanza, you are lacking its activation:

disabled = false

OR:

disabled = 0

Since the default is deactivated, your configuration just doesn't do anything.
Your inputs.conf should be a local/inputs.conf file deployed to your UF, and ensure you have set "restart splunkd" in your deployment configuration.

Cheers,

Guilhem

0 Karma

sathyasubburaj
Explorer

Hi Guilhem ,

Greetings ... thanks for your reply... I am able to get data for the below

[perfmon://CPU Load]
[perfmon://Network Interface]
[perfmon://Available Memory].

Here is the sample output for cpu load .

07/20/2017 16:41:33.593 +0200
collection="CPU Load"
object=Processor
counter="% User Time"
instance=_Total
Value=3.4320712845436461

Problem i s am not getting data only for logicaldisk .Any suggestions ?

0 Karma

guilmxm
Influencer

Hi,

adanio's response is correct, again the default (in default/inputs.conf) of the TA is all disabled, you need to copy the stanza and activate it in your local/inputs.conf.

If you don't have that stanza with its activation, whatever for logical disk or another monitor, nothing will be collected

Cheers

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...