Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

TAs with redundant perfmon inputs

dlofstrom
Path Finder
‎01-06-2014 09:08 AM

We recently deployed the Splunk for Exchange app, and I just happened to notice that some perfmon information from the Exchange hosts are not being indexed, specifically the standard Windows objects like CPU, Memory, etc.

Made me realize I may have misunderstood something when I was deploying the TAs for each server role (our Exchange hosts - with the exception of our Edge servers are mult-roled). On all TAs save for the MailboxStore TA, I disabled these perfmon inputs, assuming having it enabled on all of them would significantly increase the amount of perfmon info getting indexed. For example, for 3 TAs each with a CPU perfmon input queried every 10sec, I assumed this would result in 3 results getting indexed every 10sec rather than 1.

Is this assumption correct? Or does it build a single input for the host no matter how many times it's defined?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jbernt_splunk
Splunk Employee
Splunk Employee
‎01-06-2014 09:19 AM

Hi there,
The perfmon inputs will only get indexed once per forwarder. Btool can help show this:
"splunk.exe cmd btool inputs list"
So it is safe to leave the inputs enabled, especially in the case of multiple addons, disabling one may disable the same stanza across the board.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jbernt_splunk
Splunk Employee
Splunk Employee
‎01-06-2014 09:19 AM

Hi there,
The perfmon inputs will only get indexed once per forwarder. Btool can help show this:
"splunk.exe cmd btool inputs list"
So it is safe to leave the inputs enabled, especially in the case of multiple addons, disabling one may disable the same stanza across the board.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...