Getting Data In

How to get perfmon data into a metrics index?

jkwiotek
New Member

Hello,

i have TA Windows 6.0.0 installed on my multisite cluster enviroment on but i cannot see any data incoming into my metrics index.
my operation system language is german. on a standalone splunk instance this works fine and i see the metrics incoming.

  • serach heads
  • universal forwarder (with deployment server)
  • serach head

inputs.conf:

[perfmon://CPU]
counters = *
instances = *
interval = 30
object = Prozessor
useEnglishOnly=false
index=perfmon
disabled = 0

[perfmon://Memory]
counters = *
interval = 30
object = Arbeitsspeicher
useEnglishOnly=false
index=perfmon
disabled = 0

[perfmon://Network]
counters = *
instances = *
interval = 30
object = Netzwerkschnittstelle
useEnglishOnly=false
index=perfmon
disabled = 0

[perfmon://Process]
counters = *
instances = *
interval = 300
object = Prozess
useEnglishOnly=false
index=perfmon
disabled = 0

[perfmon://PhysicalDisk]
counters = *
instances = *
interval = 300
object = Physikalischer Datenträger
useEnglishOnly=false
index=perfmon
disabled = 0

Tags (2)
0 Karma

jkwiotek
New Member

I always get messages like this:

xxx has the following message: Metric value= is not valid for source=CPU, sourcetype=CPU, host=yyy, index=perfmon. Metric event data with an invalid metric value would not be indexed. Ensure the input metric data is not malformed.

0 Karma

daniel333
Builder

A few things to check pop to mind -

1) Sounds like your mode isn't set to single in inputs.conf add this to your inputs.conf
mode = single
Splunk_TA_Windows requires single mode for the transforms.conf to convert to metrics.
2) Make sure you have counters and instances configured. They appear blank in your example
3) Ensure your perfmon index is declared as metrics.

Just a thought - you might want your indexes name to indicate the data type to avoid confusion later. By no means a requirement, but not all perfmon inputs convert to metrics under Splunk_TA_windows 6.0.0 automatically. You can see which ones actually convert by default by reading transforms.conf in Splunk_TA_windows towards the bottom.
index=perfmon_metrics instead of index=perfmon.

More about Perfmon mode
https://www.splunk.com/blog/2013/10/28/new-features-for-perfmon-in-splunk-6.html

0 Karma

jkwiotek
New Member

on my single instance, it works without mode, but i will try

counters and instances are wildcard, which should work together with useEnglishOnly=false

index is declared as metrics

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Perfmon data is not in the correct format for metrics indexes. You must use an events index.

---
If this reply helps you, Karma would be appreciated.
0 Karma

jkwiotek
New Member

there are transforms for a metrics index... and on my single test instance it works just fine

0 Karma

richgalloway
SplunkTrust
SplunkTrust

@jkwiotek Please share the transforms you use for metrics.

---
If this reply helps you, Karma would be appreciated.
0 Karma

jkwiotek
New Member

im using the original transforms from the ta-windows app

0 Karma

jkwiotek
New Member

Search peer xxx has the following message: Metric value= is not valid for source=CPU, sourcetype=CPU, host=yyy, index=perfmon. Metric event data with an invalid metric value would not be indexed. Ensure the input metric data is not malformed.
10.8.2019, 13:37:05
Search peer xxx has the following message: Metric name is missing for source=CPU, sourcetype=CPU, host=yyy, index=perfmon. Metric event data without metric name is invalid and would not be indexed. Ensure the input metric data is not malformed.

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...