- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Machine Boot Up Analysis (Windows)
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm looking for an App or configuration of the existing Windows App in Splunk for machine boot up time analysis. I think we can modify the forwarders with custom logs to help in this initiative. Anyone else looking or doing something similar to this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First of all, when windows boot, splunk is down.
To get informations on your boot performance, create scripts that mimics those tools and configure them to write the results to a log file, then you can index then with splunk, once splunk it up and running.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
make sure renderxml = true and then you probably want to do something like this:
host=somehost(s) index=yourindex source="WinEventLog:Microsoft-Windows-Diagnostics-Performance/Operational" sourcetype="XmlWinEventLog:Microsoft-Windows-Diagnostics-Performance/Operational" BootStartTime="*"
| eval BootTime_mins=round(BootTime/1000/60,2)
| eval BootUserProfileProcessingTime_mins=round(BootUserProfileProcessingTime/1000/60,2)
| eval BootDegradationDelta_mins=round(BootDegradationDelta/1000/60,2)
| eval MainPathBootTime_mins=round(MainPathBootTime/1000/60,2)
| eval BootPostBootTime_mins=round(BootPostBootTime/1000/60,2)
| eval UserLogonWaitDuration_mins=round(UserLogonWaitDuration/1000/60,2)
| stats avg(BootPostBootTime_mins) as Logon, avg(UserLogonWaitDuration_mins) as WaitingforUser, avg(MainPathBootTime_mins) as Startup BY host
Get as granular as you'd like with all the data points included in the XML, which is a lot, then make that a a stacked bar chart and get a nice visualization of one or more hosts for comparison. The 3 I've included in the stats are generally enough to give you a good idea without getting too complex.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@brooklynotss, how are you converting the XML into key value pairs? When I do this with renderxml = true, Splunk does not automatically recognize any of the fields.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you use the default sourcetype or rename it? If this is collected with the Splunk created TA then it should get field extractions out of the box when the TA is deployed on the Search Head. Alternatively, you can play with the [xmlkv][1] and [xpath][2] commands.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I installed the Splunk Add-on for Microsoft Windows and now the fields are resolving.
Thanks Burch!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For mainstream windows operating systems there is a new event log named "Microsoft-Windows-Diagnostics-Performance/Operational". Among events in that log are detailed data on startup performance. Looking through details of events in that log in Event Viewer you may notice there are more fields in the XML view of the event than in the Friendly view of the event. If you didn't know already, Splunk's EventLog handler does not pick up XML portions of windows events. In the mean time you could write a custom input for event log channels whose XML-based fields you urgently need.
Log Name: Microsoft-Windows-Diagnostics-Performance/Operational
Source: Microsoft-Windows-Diagnostics-Performance
Event ID: 100
Task Category: Boot Performance Monitoring
...
Description:
Windows has started up:
Boot Duration : 43235ms
IsDegradation : false
...
2
2014-05-27T22:59:59.791691500Z
2014-05-27T23:02:10.685210300Z
78
76
43235
20035
13
385
544
...strong text
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First of all, when windows boot, splunk is down.
To get informations on your boot performance, create scripts that mimics those tools and configure them to write the results to a log file, then you can index then with splunk, once splunk it up and running.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure that monitoring the msconfig boot log file only will give me the larger picture. We could do that but I'd like determine root cause of slow boot up perfomance caused by applications and group policy (for example) or other variables. Here is an example of a tool out there but I don't have the option of deploying this to an excessive amount of machines. http://www.autoitconsulting.com/site/performance/windows-performance-toolkit-simple-boot-logging/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you talking about analyzing the msconfig boot log file?
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
