Hello
I just setup a trial install of Splunk (running with an Enterprise license at the moment). My version is 4.2.5, build 113966. I have one universal forwarder that is functioning fine, as far as I can tell (it is forwarding data from Event Logs to the indexer) - the UF was installed with this command line:
msiexec.exe /i splunkforwarder-4.2.5-113966-x64-release.msi AGREETOLICENSE=Yes RECEIVING_INDEXER="indexer_server:9997" DEPLOYMENT_SERVER="indexer_server:8089" WINEVENTLOG_APP_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 /quiet
I created a couple of entries in the C:\Program Files\SplunkUniversalForwarder\etc\system\local\perfmon.conf file of the UF, as follows:
[Perfmon:LocalPhysicalDisk]
interval = 15
object = PhysicalDisk
counters = Disk Bytes/sec; % Disk Read Time; % Disk Write Time; % Disk Time; Avg. Disk sec/Read; Avg. Disk sec/Write
instances = *
disabled = 0
index = ic_perfdatadb
[Perfmon:LocalMainMemory]
interval = 15
object = Memory
counters = Committed Bytes; Available Bytes; % Committed Bytes In Use
disabled = 0
index = ic_perfdatadb
There are also a few entries (preconfigured) for WMI perfmon counter collection.
My problem... I see the WMI collection data (e.g. source=WMI:Memory) from host=indexer_server, I also see entries from Perfmon (e.g. source=Perfmon:Network Interface) from host=indexer_server. What I do NOT see are the perfmon entries from my UF... It almost looks like I have forgotten to enable something, however I DO see that the entries are being sent from the UF to the indexer - the index "ic_perfdatadb" was specifically created for these perf counters and I can see it growing constantly...
Thanks!
Hmm, are you specifically querying for data in that index when you are looking for it, i.e., do your queries contain index=ic_perfdatadb
, or else does your user's role include that index to be searched by default?
Now that you put it that way... 🙂 I did not know I could do that, nor did I know the admin user didn't have access to all by default... I added the new indexes I created to the role and now I see! Thank you!
the admin has access, but it's just not queried by default.
Hmm, are you specifically querying for data in that index when you are looking for it, i.e., do your queries contain index=ic_perfdatadb
, or else does your user's role include that index to be searched by default?