Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Windows app on LInux Indexer

jameszh
New Member
‎05-06-2011 04:05 PM

Hi,

The following is my setup.

Indexer is running on Linux, and App "Splunk for Windows" installed on it. Universal Forwarder is installed on another Windows Server, forwarding everything to the indexer.

I can see windows event log, but in the Performance Management windows, all 5 pane are empty. Wondering if the app only works on Windows indexer, not linux indexer.

Thanks,
James

0 Karma
Reply

jameszh
New Member
‎05-09-2011 09:46 AM

This works, thanks MarioM!

0 Karma
Reply

MarioM
Motivator
‎05-09-2011 09:59 AM

and can you accept the answer.Thanks 😜

0 Karma
Reply

MarioM
Motivator
‎05-09-2011 09:57 AM

Be aware that MS WMI is very resource hungry.Then you might need to adapt the interval.

0 Karma
Reply

MarioM
Motivator
‎05-09-2011 07:57 AM

in your UF installation you need a wmi.conf for example in splunk\etc\system\local with the following:

   [WMI:CPUTime]
    ## Run every 5 minutes
    interval = 300
    wql = SELECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"
    disabled = false

    [WMI:FreeDiskSpace]
    interval = 10
    wql = SELECT Name,FreeMegabytes FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk
    disabled = false

    [WMI:LocalPhysicalDisk]
    interval = 10
    wql = select Name,CurrentDiskQueueLength,DiskBytesPerSec,PercentDiskReadTime,PercentDiskWriteTime,PercentDiskTime from Win32_PerfFormattedData_PerfDisk_PhysicalDisk
    disabled = false

    [WMI:LocalProcesses]
    ## Run every 5 minutes
    interval = 300
    wql = select Name,IDProcess,PrivateBytes,PercentProcessorTime from Win32_PerfFormattedData_PerfProc_Process
    disabled = false

    [WMI:LocalNetwork]
    ## Run every 5 minutes
    interval = 300
    wql = select Name,BytesReceivedPerSec,BytesSentPerSec,BytesTotalPerSec,CurrentBandwidth from Win32_PerfFormattedData_Tcpip_NetworkInterface
    disabled = false

    [WMI:Memory]
    ## Run every 5 minutes
    interval = 300
    wql = select PagesPerSec,AvailableMBytes,CommittedBytes,PercentCommittedBytesInUse from Win32_PerfFormattedData_PerfOS_Memory
    disabled = false
Reply

jameszh
New Member
‎05-09-2011 06:38 AM

It seems Universal Forwarder doesn't forward wmi, only eventlog + perfmon, I can't see WMI: source in the main splunk. How can I collect wmi data from windows in Linux?

Thanks,
James

0 Karma
Reply

MarioM
Motivator
‎05-08-2011 10:43 PM

Do you see any WMI:* source or sourcetype in your main splunk ?

You could search internal log for any issues:

index="_*" WMI*
Reply

jameszh
New Member
‎05-08-2011 03:05 PM

The Universal Forwarder in Windows is configured to forward wmi data to the indexer(receiving is enabled in indexer as well). What else needs to be done in indexer to show the performance data from windows?

Thanks,
James

0 Karma
Reply

MarioM
Motivator
‎05-08-2011 02:24 AM

The windows app does work on linux (i mean searches,reports,dashboard) and the performance management dashboard based it's searching over WMI data, so if you're not indexing WMI:* these will not load.

Also if using Perfmon:* it will not work.

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...