All Apps and Add-ons

Splunk Universal Forwarder is not sending performance data.

antoniodelachic
New Member

Hello,

I'm evaluating Splunk as a central syslog analyzer. So I've installed a free licensed indexer on a Ubuntu virtual machine. The problem is that I've installed the Universal Forwarder on a couple of Windows Servers (W2k3 32bits and W2k8 64bits, both servers in Spanish) and both sends events data correctly to the indexer, but no performance information. I've checked that with a Wireshark capture.

Could you please help me with this issue? I don't know if I should enable something to check performance data.

Thank you very much in advance.

Best regards.

Antonio de la Chica.

0 Karma

dmaislin_splunk
Splunk Employee
Splunk Employee

Try downloading the app Splunk for Windows: http://apps.splunk.com/app/272/

It includes documentation about the entire setup: http://docs.splunk.com/Documentation/WindowsApp/latest/User/AbouttheSplunkAppforWindows

And the TA that you put on the forwarder to gather the performance data: http://apps.splunk.com/app/742/

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

What's in your inputs.conf file regarding Perfmon inputs?

If you're using a localized version of Windows you may have to use localized names of Perfmon objects and counters as well.

0 Karma

antoniodelachic
New Member

I've installed the UF as local system user, and splunkd.exe and splunk-winevtlog.exe are running as SYSTEM procesess. I think splunk should collect WMI data and forward it to the indexer port 9997. I can't figure any problem in the indexer about a non domain user.

0 Karma

lukejadamec
Super Champion

You might have trouble collecting WMI data without the indexer running as a windows domain user, but you should be able to send perfmon data from the forwarder.

0 Karma

antoniodelachic
New Member

Because I've only installed de UF on the Windows Machine pointing to the Ubuntu box, that indexes the data. Is it right?.

0 Karma

lukejadamec
Super Champion

Right, the logs should be in splunk\var\logs\splunk\splunkd.log my mistake.
I have not encountered problems with w2k3 network, cpu, or memory logs.
Where are the input configurations located on your forwarders? Prior to 6.0 they would be in MSICreated\local

0 Karma

antoniodelachic
New Member

My server is a Windows Server 2003R2 Standard Edition.

Could you please indicate me if it is not supported or I've missed something?.

Thank you very much in advance.

0 Karma

antoniodelachic
New Member

Hello,

I haven't any directory named splunk\etc\apps\MSICreated\local, and logs are stored into D:\SplunkUniversalForwarder\var\log\splunk. I've checked the splukd.log, and there are two messages:

ERROR ExecProcessor - message from "D:\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" wmain: Operating system major version 5, detected -- A minimum of 6 (VISTA/Server 2008) is required. Exitting.
ERROR ExecProcessor - message from "D:\SplunkUniversalForwarder\bin\splunk-netmon.exe" splunk-netmon - Splunk network monitor is not available on this version of Windows.

0 Karma

lukejadamec
Super Champion

The input configuration will be located in the splunk\etc\apps\MSICreated\local folder.
Check the logs on the forwarders in the splunk\etc\system\logs\splunk\splunkd.log for errors.

0 Karma

antoniodelachic
New Member

Hello,
I've selected all the performance checkboxes when I installed the forwarder. No more actions.

Thank you.

0 Karma

lukejadamec
Super Champion

Are you sure the forwarders are configured to send performance information?

0 Karma
Get Updates on the Splunk Community!

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...