Object field on network perfmon data

doddsjr653
New Member

I'm running Splunk 5.0.4 along with the Windows app. I'm trying to figure out what is fiddling with the object field on all of my network perfmon data. The raw data of a typical event looks like so:

09/13/2013 01:56:26.169
collection=LocalNetwork
object="Network Interface"
counter="Bytes Sent/sec"
instance="Intel[R] PRO_1000 MT Network Connection"
Value=145267.89417928556

All of the fields are being indexed properly, as they show up in the field list on the left in the search app. However, for each event that has the [ character in the instance field, an additional value is being generated for the object field that contains the rest of the instance field data, plus the Value field line. Using the above event as an example, I see this as a value in the object field for that event:

R] PRO_1000 MT Network Connection" Value=145267.89417928556

This makes a terrible mess of windows_perfmon_details.csv, and I think it's causing a performance impact on the Windows app because of the thousands of extra perfmon instances it's detecting.

I've looked through transforms.conf and props.conf, and I don't think there's anything in there that could be causing this. I'm not exactly sure what to look for though. My OCD would appreciate any help offered to solve this.

0 Karma

doddsjr653
New Member

Correct, each event has those two values for object.

0 Karma

mloven_splunk
Splunk Employee

Do you have "Network Interface" in quotes in your config, like you do in your original post?

I ask because I'm looking at the Splunk_TA_windows app right now and it doesn't have quotes around that string.

0 Karma

doddsjr653
New Member

I do not have quotes around Network Interface in my inputs.conf.

0 Karma

doddsjr653
New Member

The event data has the quotes, but I can't remember off the top of my head if the conf file has the quotes...I believe it does. I will check on that.

0 Karma

mloven_splunk
Splunk Employee

So, for each event with a "[" in the instance field, you're getting two values for object? One set to "Network Interface" and one set to "R] PRO_1000...."?

0 Karma