Splunk Search

Reporting on or displaying local PerfMon data

naydenk
Path Finder

Hello
I just set up a trial install of Splunk (running with an Enterprise license at the moment). My version is 4.2.5, build 113966. I have one universal forwarder that is functioning fine, as far as I can tell (it is forwarding data from Event Logs to the indexer) - the UF was installed with this command line:

msiexec.exe /i splunkforwarder-4.2.5-113966-x64-release.msi AGREETOLICENSE=Yes RECEIVING_INDEXER="indexer_server:9997" DEPLOYMENT_SERVER="indexer_server:8089" WINEVENTLOG_APP_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 /quiet

I created a couple of entries in the C:\Program Files\SplunkUniversalForwarder\etc\system\local\perfmon.conf file of the UF, as follows:

[Perfmon:LocalPhysicalDisk]
interval = 15
object = PhysicalDisk
counters = Disk Bytes/sec; % Disk Read Time; % Disk Write Time; % Disk Time; Avg. Disk sec/Read; Avg. Disk sec/Write
instances = *
disabled = 0
index = ic_perfdatadb

[Perfmon:LocalMainMemory]
interval = 15
object = Memory
counters = Committed Bytes; Available Bytes; % Committed Bytes In Use
disabled = 0
index = ic_perfdatadb

There are also a few entries (preconfigured) for WMI perfmon counter collection.

My problem... I see the WMI collection data (e.g. source=WMI:Memory) from host=indexer_server, I also see entries from Perfmon (e.g. source=Perfmon:Network Interface) from host=indexer_server. What I do NOT see are the perfmon entries from my UF... It almost looks like I have forgotten to enable something, however I DO see that the entries are being sent from the UF to the indexer - the index "ic_perfdatadb" was specifically created for these perf counters and I can see it growing constantly...

Thanks!

0 Karma
1 Solution

gkanapathy
Splunk Employee

Hmm, are you specifically querying for data in that index when you are looking for it, i.e., do your queries contain index=ic_perfdatadb, or else does your user's role include that index to be searched by default?


naydenk
Path Finder

Now that you put it that way... 🙂 I did not know I could do that, nor did I know the admin user didn't have access to all by default... I added the new indexes I created to the role and now I see! Thank you!

0 Karma

gkanapathy
Splunk Employee

The admin has access, but it's just not queried by default.

0 Karma
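
The distinction made in this thread, between indexes a role is allowed to search and indexes it searches when the query has no index= term, corresponds to two settings in authorize.conf. The fragment below is an added example, not configuration posted by either participant; it assumes the role in question is the built-in admin role and uses the ic_perfdatadb index from the question.

```ini
# $SPLUNK_HOME/etc/system/local/authorize.conf on the indexer / search head
# Added example, not from the thread. Assumes the role being changed is "admin".

[role_admin]
# Indexes the role MAY search when the query names them explicitly.
# "*" covers non-internal indexes, "_*" covers internal ones, so a custom
# index such as ic_perfdatadb is already reachable with:
#   index=ic_perfdatadb source="Perfmon:*"
srchIndexesAllowed = *;_*

# Indexes searched when the query contains no index= term.
# Before (custom index left out, so the search  source="Perfmon:*"
# returns nothing from the forwarder even though the index is growing):
#   srchIndexesDefault = main
# After (custom index included in un-scoped searches):
srchIndexesDefault = main;ic_perfdatadb
```

Keeping srchIndexesDefault narrow and naming the index in the search is the lower-privilege choice; widening the default list trades that for convenience.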
