Solved: How could config Windows Performance Management?

ITSD · ‎11-13-2011

I'd install Universal Forwarder on windows and froward wmi events to index server (Linux server). But I see "No results found". Where did I missed?

Takajian · ‎11-13-2011

As for performance, there are four dashboads in Win App. The folder is default/data/ui/view.

cpu_view.xml
disk_view.xml
mem_view.xml
network_view.xml

Then each view have setting which source will display.

As for network, there are two searches to display report.

dash_wmidata(LocalNetwork) host=$host$| timechart avg(eval(BytesReceivedPersec/1024)) as Received avg(eval(BytesSentPersec/1024)) as Sent
dash_wmidata(LocalNetwork) | timechart avg(eval(BytesTotalPersec/1024)) by host limit=10 usenull=f

These contains "BytesReceivedPersec" and "BytesTotalPersec". It means you need to collect these object from Universal forwarder in order to display those values on the dashboard.

Please check them in your environment.

View solution in original post

ITSD · ‎11-14-2011

I found another answer through Takajian's answer:

http://splunk-base.splunk.com/answers/23901/windows-app-on-linux-indexer

Steps as follow:

Install Universal Forwarder
Put wmi.conf in C:\Program Files\SplunkUniversalForwarder\etc\system\local (By default)
Restart Splunk UF

Takajian · ‎11-13-2011

As for performance, there are four dashboads in Win App. The folder is default/data/ui/view.

cpu_view.xml
disk_view.xml
mem_view.xml
network_view.xml

Then each view have setting which source will display.

As for network, there are two searches to display report.

dash_wmidata(LocalNetwork) host=$host$| timechart avg(eval(BytesReceivedPersec/1024)) as Received avg(eval(BytesSentPersec/1024)) as Sent
dash_wmidata(LocalNetwork) | timechart avg(eval(BytesTotalPersec/1024)) by host limit=10 usenull=f

These contains "BytesReceivedPersec" and "BytesTotalPersec". It means you need to collect these object from Universal forwarder in order to display those values on the dashboard.

Please check them in your environment.

Takajian · ‎11-13-2011

Did you install UF with Windows Local system user? If no, splunk user will require following permission.

Permission to log on as a service
Permission to log on as a batch job
Permission to replace a process-level token
Permission to act as part of the operating system
Permission to bypass traverse checking

Addtion to this, please check if there is any wmi error in splunkd.log under $SPLUNK_HOME/var/log/splunk.

ITSD · ‎11-13-2011

Because I'd use windows APPS from Splunk. Right now I want use it's dashboard to monitor performance. How could I config it ? Thanks again:D

Takajian · ‎11-13-2011

You seems to see Windows performance events properly. What is problem now? Could you explain what you can see and what you can not see?

ITSD · ‎11-13-2011

I can see follow events:
PM 11/14/2011 14:53:50.370collection="Network Interface"object="Network Interface"counter="Bytes Received/sec"instance="Intel[R] PRO_1000 MT Network Connection"Value=332.00027378610179
host=APYTEST Options| sourcetype=Perfmon:Network Interface Options| source=Perfmon:Network Interface Options

But Can't shawn in dashboard , any ideas? Thanks

Takajian · ‎11-13-2011

There are many things you need to check. Following two issues are most freaquent splunk users face. Could you check?

Did you configure received port on splunk indexer? The port may be 9997.
Is there no network conectivity issue between indexer and universal forwarder?

ITSD · ‎11-13-2011

Sorry for not cleared describe it. I can see windows events. But can not see performance events. Thanks for your answer.

How could config Windows Performance Management?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk