I'm setting up my Splunk forwarder on a generalized image that will be sysprep'd. I want to include perf counters, such as .NET CLR Memory, Process, and others that I want to be process specific.
As it appears to me with all the process-specific counters, I can only select processes that are currently running. What I would like to do is select something like "all running processes" because in my use case, I want to see all processes that would be installed on the machines after sysprep. I'm not concerned with gathering too much info on processes I don't care about as long as I cover any and all of them. Can anyone think of a way to retrieve this or any possible workarounds?
Also, I'm finding that the .NET CLR Memory counters are only global and not process specific. Is there a way to retrieve ones that are not just global but per process?
Any help or insight is greatly appreciated.
Thanks!
What you would be looking for is a query to each machine that returns a list of installed processes, then, right?
In that case, you may be able to build a WMI call that does that.
In the technical add-on for Windows (Splunk.TA.Windows) /default directory you will see a file called 'wmi.conf', which is where you will see all of the WQL queries that Splunk uses to talk to Windows directly. Copy that to /local; if you research your WQL query on the web and then add a new section to this file with your desired query in it, you should get the results you're looking for.
This is an example of an entry from that file (each entry is a stanza; the stanza header below is shown as a placeholder name, use the one from the file):
[WMI:UserAccounts]
disabled = 1
# Run twice per day
interval = 43200
wql = SELECT Caption, Description, Domain, InstallDate, LocalAccount, Name, SID, SIDType, Status FROM Win32_Account
The 'wql' portion is what you would need to adjust, and keep in mind the interval is in seconds (43200 seconds = 12 hours).
Unfortunately I don't know enough about WQL to help with that part. =(
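As an added example (not part of the answer above, and not code from Splunk or the Windows TA), here is how the two queries the question asks for can be tried locally with PowerShell before they go into wmi.conf: one against Win32_Process, which lists every running process rather than only those the perfmon picker shows, and one against the formatted .NET CLR Memory perf class, which carries one instance per managed process plus a _Global_ aggregate. The stanza names, the interval, the selected fields and the wmi.conf path are assumptions to adapt to your deployment.

```powershell
# Added example, not from the original answer or from Splunk_TA_windows.
# Stanza names, interval, fields and the output path below are assumptions.

# 1. All running processes. Win32_Process is enumerated each time the query
#    runs, so anything installed after sysprep shows up on the next interval.
$procQuery = 'SELECT Name, ProcessId, ParentProcessId, ExecutablePath, CommandLine, CreationDate FROM Win32_Process'
Get-CimInstance -Query $procQuery |
    Select-Object Name, ProcessId, ExecutablePath |
    Format-Table -AutoSize

# 2. Per-process .NET CLR Memory counters. The formatted perf class exposes one
#    instance per managed process (Name = process instance, ProcessID = PID);
#    "_Global_" is the aggregate that the plain counter picker shows, so it is
#    filtered out here to keep only per-process rows.
$clrQuery = 'SELECT Name, ProcessID, NumberBytesInAllHeaps, NumberGCHandles, PercentTimeInGC, NumberTotalCommittedBytes FROM Win32_PerfFormattedData_NETFramework_NETCLRMemory WHERE Name <> "_Global_"'
Get-CimInstance -Query $clrQuery |
    Format-Table Name, ProcessID, NumberBytesInAllHeaps, PercentTimeInGC -AutoSize

# 3. Once both queries return what you expect, write them as wmi.conf stanzas.
#    interval is in seconds; 300 = every five minutes (assumed value).
$stanzas = @"

[WMI:AllProcesses]
interval = 300
wql = $procQuery
disabled = 0

[WMI:NETCLRMemoryPerProcess]
interval = 300
wql = $clrQuery
disabled = 0
"@

# Assumed forwarder install path; local/ overrides default/ without editing the shipped file.
$confPath = 'C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\wmi.conf'
New-Item -ItemType Directory -Path (Split-Path $confPath) -Force | Out-Null
$stanzas | Out-File -FilePath $confPath -Encoding ascii -Append
Write-Host "Appended two WMI stanzas to $confPath; restart the forwarder to pick them up."
```

Run the two Get-CimInstance calls on the image before sealing it: if the CLR query returns no rows, no managed process is running at that moment (the class still exists, it is just empty), which is expected on a bare image and not a sign the stanza is wrong. CommandLine is included in the process query because it is the field most useful for later investigation, but it can be large and may contain secrets passed on the command line, so drop it if that is a concern for your indexing volume or data-handling rules.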