Reporting on or displaying local PerfMon data

naydenk
Path Finder

Hello
I just set up a trial install of Splunk (running with an Enterprise license at the moment). My version is 4.2.5, build 113966. I have one universal forwarder that is functioning fine, as far as I can tell (it is forwarding data from Event Logs to the indexer) - the UF was installed with this command line:

msiexec.exe /i splunkforwarder-4.2.5-113966-x64-release.msi AGREETOLICENSE=Yes RECEIVING_INDEXER="indexer_server:9997" DEPLOYMENT_SERVER="indexer_server:8089" WINEVENTLOG_APP_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 /quiet

I created a couple of entries in the C:\Program Files\SplunkUniversalForwarder\etc\system\local\perfmon.conf file of the UF, as follows:

[Perfmon:LocalPhysicalDisk]
interval = 15
object = PhysicalDisk
counters = Disk Bytes/sec; % Disk Read Time; % Disk Write Time; % Disk Time; Avg. Disk sec/Read; Avg. Disk sec/Write
instances = *
disabled = 0
index = ic_perfdatadb

[Perfmon:LocalMainMemory]
interval = 15
object = Memory
counters = Committed Bytes; Available Bytes; % Committed Bytes In Use
disabled = 0
index = ic_perfdatadb

There are also a few entries (preconfigured) for WMI perfmon counter collection.

My problem... I see the WMI collection data (e.g. source=WMI:Memory) from host=indexer_server, I also see entries from Perfmon (e.g. source=Perfmon:Network Interface) from host=indexer_server. What I do NOT see are the perfmon entries from my UF... It almost looks like I have forgotten to enable something, however I DO see that the entries are being sent from the UF to the indexer - the index "ic_perfdatadb" was specifically created for these perf counters and I can see it growing constantly...

Thanks!

0 Karma
1 Solution

gkanapathy
Splunk Employee

Hmm, are you specifically querying for data in that index when you are looking for it, i.e., do your queries contain index=ic_perfdatadb, or else does your user's role include that index to be searched by default?

naydenk
Path Finder

Now that you put it that way... 🙂 I did not know I could do that, nor did I know the admin user didn't have access to all by default... I added the new indexes I created to the role and now I see! Thank you!

0 Karma

gkanapathy
Splunk Employee

The admin has access, but it's just not queried by default.

0 Karma
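
The distinction drawn in this thread (a role may be allowed to search an index without searching it by default) can be checked offline from the configuration files. The following is an added example, not code from the thread or from Splunk: it reads the `index =` values from input stanzas and classifies each against a role's `srchIndexesAllowed` and `srchIndexesDefault` in authorize.conf, following `importRoles`. The sample role definitions, the function names and the wildcard handling for internal indexes are assumptions.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample: the forwarder's perfmon.conf stanzas from the question, abridged.
PERFMON_CONF = """
[Perfmon:LocalPhysicalDisk]
counters = Disk Bytes/sec; % Disk Read Time
index = ic_perfdatadb
[Perfmon:LocalMainMemory]
index = ic_perfdatadb
"""

# Constructed sample authorize.conf; these role definitions are assumptions.
AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = *
srchIndexesDefault = main
[role_admin]
importRoles = user
srchIndexesAllowed = *;_*
"""

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case (srchIndexesDefault, importRoles)
    cp.read_string(text)
    return cp

def _matches(index, patterns):
    # Assumption: a bare "*" does not cover internal indexes (leading "_").
    return any(fnmatchcase(index, p) and (p.startswith("_") or not index.startswith("_"))
               for p in patterns)

def index_visibility(inputs_text, authorize_text, role):
    """Classify each index the inputs write to: default, explicit-only or denied."""
    auth = _parse(authorize_text)
    def collect(name, key, seen=()):
        sec = auth["role_" + name] if auth.has_section("role_" + name) else {}
        vals = [v.strip() for v in sec.get(key, "").split(";") if v.strip()]
        for parent in (p.strip() for p in sec.get("importRoles", "").split(";")):
            if parent and parent not in seen + (name,):
                vals += collect(parent, key, seen + (name,))
        return vals
    allowed, default = collect(role, "srchIndexesAllowed"), collect(role, "srchIndexesDefault")
    inputs = _parse(inputs_text)
    # An input stanza without "index =" is written to main.
    indexes = sorted({inputs[s].get("index", "main") for s in inputs.sections()})
    return {i: "default" if _matches(i, default) else
               "explicit-only" if _matches(i, allowed) else "denied" for i in indexes}
```

An index reported as `explicit-only` is the situation in the question: the data is indexed and the role may read it, but it appears only when the search contains `index=ic_perfdatadb` or the index is added to the role's default list.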