Solved: Why Splunk App for Windows Infrastructure shows on...

mwant · ‎10-27-2014

My Infrastructure App on Splunk 6.1.3 is only showing 1 counter from the perfmon index. I am sending the perfmon data using a UF and can see all of it in the perfmon index when I search it (CPU, Memory etc).

I can't see any difference with this counter (network interface) and the others.

I have been through the documentation and troubleshooting steps but am drawing a blank. Anyone?

Here is part of the Inputs.conf from the Windows add-on local folder on the UF..

Splunk 5.0+ Performance Counters

CPU

[perfmon://CPU]
counters = % Processor Time; % User Time
disabled = 0
instances = *
interval = 300
object = Processor
useEnglishOnly = true
index = perfmon

Logical Disk

[perfmon://LogicalDisk]
counters = % Free Space; Free Megabytes;
disabled = 0
instances = C; D
interval = 7200
object = LogicalDisk
useEnglishOnly = true
index = perfmon

Physical Disk

[perfmon://PhysicalDisk]
counters = Current Disk Queue Length
disabled = 0
instances = *
interval = 10
object = PhysicalDisk
useEnglishOnly = true
index = perfmon

Memory

[perfmon://Memory]
counters = Pages/sec; Available MBytes
disabled = 0
interval = 300
object = Memory
useEnglishOnly = true
index = perfmon

mwant · ‎11-11-2014

I have worked on this problem with support and have found that the problem I was experiencing was solved by adding the DNS add-on, the events sent back by this solved the problem of perfmon visibility in the dashboard (still not sure why though). The server involved was a DC. I had already successfully deployed to a test system and had not had this issue so I'm still not sure at the moment what has been going wrong.

I still need to extend the deployment to a non DC and see if the events are seen correctly for other servers.

View solution in original post

mwant · ‎11-11-2014

I have worked on this problem with support and have found that the problem I was experiencing was solved by adding the DNS add-on, the events sent back by this solved the problem of perfmon visibility in the dashboard (still not sure why though). The server involved was a DC. I had already successfully deployed to a test system and had not had this issue so I'm still not sure at the moment what has been going wrong.

I still need to extend the deployment to a non DC and see if the events are seen correctly for other servers.

mwant · ‎11-12-2014

I have deployed to other non DC's and it all seems to be working now. Unfortunately I'm not sure what the problem was.

I think I've been splunkinated or something.

mwant · ‎11-05-2014

No update yet, I have just prodded them as you often need to do.

mwant · ‎10-29-2014

I have raised this issue with support.

mwant · ‎10-30-2014

Strange. Support are looking at it now, I will update when we solve it. All of my hosts are 2008 R2.

jstockamp · ‎11-04-2014

Any updates from support on this?

jstockamp · ‎10-29-2014

Interested to find out what you hear. I've got a similar issue where all other performance counters are working, except "Network Interface". It's interesting that I'm using the same app for Windows 2003/2008 clients and it works there, the only hosts that it doesn't work with are Windows 2012 R2. I've checked and the object names have stayed the same in 2012 R2.

Why Splunk App for Windows Infrastructure shows only 1 counter from the perfmon index?

Splunk 5.0+ Performance Counters

CPU

Logical Disk

Physical Disk

Memory

Network

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms