splunk-perfmon.exe not run

Mai_splunk
Explorer

I have a Splunk Deployment Server that pulls the apps to the UF. I have created an app, WinPerfmon, and inside its inputs.conf:

[perfmon://LogicalDisk]
counters = % Free Space; Free Megabytes
disabled = 0
instances = *
interval = 10
object = LogicalDisk
useEnglishOnly=true

## Memory
[perfmon://Memory]
counters = Available MBytes
disabled = 0
interval = 10
object = Memory
useEnglishOnly=true

The app is created on the UF, but splunk-perfmon.exe runs for one second and then closes, and does not send any data to the indexer.

In splunkd.log:

07-08-2020 16:57:32.423 +0200 DEBUG ExecProcessor - Running: "C:\Program Files\HomeOffSec\bin\splunk-perfmon.exe" on PipelineSet 0
07-08-2020 16:57:32.423 +0200 DEBUG ExecProcessor - PipelineSet 0: Created new ExecedCommandPipe for ""C:\Program Files\HomeOffSec\bin\splunk-perfmon.exe"", uniqueId=5
07-08-2020 16:57:32.423 +0200 DEBUG QueueManager - Failed to parse memory queueSize for path=perfmon and conf=inputs.
07-08-2020 16:57:32.423 +0200 DEBUG QueueManager - Failed to parse queueSize for path=perfmon and conf=inputs.
07-08-2020 16:57:32.423 +0200 DEBUG QueueManager - Memory queueSize for path=perfmonand conf=inputs and queueName=execProcessorInternalQ set to 512000.

I have another app, WinEventlog, and splunk-wineventlog.exe is working.

The UF has been installed as a Windows local admin user.

Could anyone help me, please? Should I do something else in Windows?

0 Karma

richgalloway
SplunkTrust
Have you checked splunkd.log on the UF?
---
If this reply helps you, Karma would be appreciated.
0 Karma

Mai_splunk
Explorer

Hi @richgalloway  

Yes, I have checked it and have not found any errors about perfmon.

07-08-2020 18:14:00.521 +0200 INFO SpecFiles - Found external scheme definition for stanza="perfmon://" from spec file="C:\Program Files\HomeOffSec\etc\system\README\inputs.conf.spec" with parameters="object, counters, instances, interval, mode, samplingInterval, stats, disabled, showZeroValue, useEnglishOnly, useWinApiProcStats, formatString, usePDHFmtNoCap100"

07-08-2020 18:14:01.402 +0200 INFO ModularInputs - Introspection setup completed for scheme "perfmon".

07-08-2020 18:14:01.838 +0200 INFO ExecProcessor - New scheduled exec process: "C:\Program Files\HomeOffSec\bin\splunk-perfmon.exe"

Thanks a lot.

0 Karma

gcusello
SplunkTrust

Hi @Mai_splunk ,

Did you try to deploy (possibly on only one server) the latest version of Splunk_TA_Windows?

Because I see some differences with your perfmon.

Ciao.

Giuseppe

0 Karma

Mai_splunk
Explorer

Hi @gcusello, yes, I'm working with the latest version available on Splunkbase, 8.0.0.

0 Karma

gcusello
SplunkTrust

Hi @Mai_splunk ,

The inputs.conf in Splunkbase is different from yours:

Yours:

[perfmon://LogicalDisk]
counters = % Free Space; Free Megabytes
disabled = 0
instances = *
interval = 10
object = LogicalDisk
useEnglishOnly=true

[perfmon://Memory]
counters = Available MBytes
disabled = 0
interval = 10
object = Memory
useEnglishOnly=true

TA_Windows:

[perfmon://LogicalDisk]
counters = % Free Space; Free Megabytes; Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
disabled = 1
instances = *
interval = 10
mode = multikv
object = LogicalDisk
useEnglishOnly=true

[perfmon://Memory]
counters = Page Faults/sec; Available Bytes; Committed Bytes; Commit Limit; Write Copies/sec; Transition Faults/sec; Cache Faults/sec; Demand Zero Faults/sec; Pages/sec; Pages Input/sec; Page Reads/sec; Pages Output/sec; Pool Paged Bytes; Pool Nonpaged Bytes; Page Writes/sec; Pool Paged Allocs; Pool Nonpaged Allocs; Free System Page Table Entries; Cache Bytes; Cache Bytes Peak; Pool Paged Resident Bytes; System Code Total Bytes; System Code Resident Bytes; System Driver Total Bytes; System Driver Resident Bytes; System Cache Resident Bytes; % Committed Bytes In Use; Available KBytes; Available MBytes; Transition Pages RePurposed/sec; Free & Zero Page List Bytes; Modified Page List Bytes; Standby Cache Reserve Bytes; Standby Cache Normal Priority Bytes; Standby Cache Core Bytes; Long-Term Average Standby Cache Lifetime (s)
disabled = 1
interval = 10
mode = multikv
object = Memory
useEnglishOnly=true

I understand that you're taking fewer counters, but mode = multikv is missing.

Ciao.

Giuseppe

0 Karma
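
The stanza-by-stanza comparison made in the reply above can be done mechanically. The following is an added example, not part of any post in this thread and not Splunk code; `parse_stanzas`, `counter_set` and `diff_perfmon` are illustrative names, and the sample input is the Memory stanza pair quoted in the thread with the TA_Windows counter list shortened.

```python
# Added example (not Splunk code): diff perfmon:// stanzas of two inputs.conf texts.
def parse_stanzas(text):
    """Return {stanza: {key: value}} for .conf-style text."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue  # blank lines and comments such as "## Memory"
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def counter_set(settings):
    return {c.strip() for c in settings.get("counters", "").split(";") if c.strip()}

def diff_perfmon(mine, reference):
    """For each perfmon stanza in `mine`, list what differs from `reference`."""
    a, b = parse_stanzas(mine), parse_stanzas(reference)
    report = {}
    for name, cur in a.items():
        ref = b.get(name)
        if not name.startswith("perfmon://") or ref is None:
            continue
        report[name] = {
            "keys_missing": sorted(set(ref) - set(cur)),
            "values_differ": sorted(k for k in cur.keys() & (ref.keys() - {"counters"}) if cur[k] != ref[k]),
            "counters_not_in_reference": sorted(counter_set(cur) - counter_set(ref)),
        }
    return report

# Constructed input: Memory stanzas from the thread (TA counter list shortened).
MINE = """## Memory
[perfmon://Memory]
counters = Available MBytes
disabled = 0
interval = 10
object = Memory
useEnglishOnly=true
"""
REFERENCE = """[perfmon://Memory]
counters = Page Faults/sec; Available Bytes; Available KBytes; Available MBytes
disabled = 1
interval = 10
mode = multikv
object = Memory
useEnglishOnly=true
"""
print(diff_perfmon(MINE, REFERENCE))
```

A difference reported here is a lead to check, not a diagnosis; later in the thread the poster reports trying both modes with the same result.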

Mai_splunk
Explorer

Yes, because I want to monitor only some counters and not all of them. The selected mode is not a problem for ingesting the data, but I tried both and had the same problem: no data ingested.

Thanks! 

0 Karma