Adding perf counters for processes that are not currently running

matthewmalecki
New Member

I'm setting up my Splunk forwarder on a generalized image that will be sysprep'd. I want to include perf counters, such as .NET CLR Memory, Process, and others that I want to be process specific.

As it appears to me with all the process-specific counters, I can only select processes that are currently running. What I would like to do is select something like "all running processes" because in my use case, I want to see all processes that would be installed on the machines after sysprep. I'm not concerned with gathering too much info on processes I don't care about as long as I cover any and all of them. Can anyone think of a way to retrieve this or any possible workarounds?

Also, I'm finding that the .NET CLR Memory counters are only global and not process specific. Is there a way to retrieve ones that are not just global but per process?

Any help or insight is greatly appreciated.

Thanks!

0 Karma

tmarlette
Motivator

What you would be looking for is a query to each machine that runs a list of installed processes then, right?

In that case, you may be able to build a WMI call that does that.

In the technical add-on for Windows (Splunk.TA.Windows) /default directory you will see a file called 'wmi.conf', which is where you will see all of the WQL queries that Splunk uses to talk to Windows directly. Copy that to /local, and if you research your WQL query on the web, and then add a new section to this file with your desired query in it, you should get the results you're looking for.

This is an example of an entry from that file:

disabled = 1
# Run twice per day
interval = 43200
wql = SELECT Caption, Description, Domain, InstallDate, LocalAccount, Name, SID, SIDType, Status FROM Win32_Account

The 'wql' portion is what you would need to adjust, and keep in mind the interval is in seconds
(43200 seconds = 12 hours).

Unfortunately I don't know enough about WQL to help with that part. =(

0 Karma
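An added example, not part of either post and not Splunk's shipped configuration: a wmi.conf stanza in the same form as the entry quoted in the answer, plus a perfmon alternative in inputs.conf, neither of which names a process, so whatever is running after sysprep is picked up at each poll. The stanza names and the 60-second interval are assumptions; Win32_PerfFormattedData_PerfProc_Process is the standard Windows WMI class behind the Process performance object.

```ini
# --- wmi.conf (in the add-on's /local directory) ---
# Constructed example; the stanza name is an assumption.
[WMI:AllProcessPerf]
disabled = 0
# Interval is in seconds
interval = 60
# No WHERE clause on Name, so every process running at poll time is returned
wql = SELECT Name, IDProcess, PercentProcessorTime, WorkingSet, PrivateBytes, HandleCount, ThreadCount FROM Win32_PerfFormattedData_PerfProc_Process

# --- inputs.conf (in the add-on's /local directory) ---
# Perfmon alternative; stanza names are assumptions.
[perfmon://AllProcesses]
object = Process
counters = % Processor Time; Working Set; Private Bytes; Handle Count; Thread Count
# * requests every instance the object exposes at each poll,
# rather than a list of processes fixed when the image was built
instances = *
interval = 60
disabled = 0

[perfmon://DotNetClrMemory]
object = .NET CLR Memory
counters = *
instances = *
interval = 60
disabled = 0
```

Both inputs also return aggregate rows such as `_Total`, which can be filtered out at search time.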