All Apps and Add-ons

Where is the sourcetype "Perfmon:FreeDiskSpace" within the Splunk Add-on for Microsoft Windows?

markusspitzli2
Explorer

Hi.

We use Perfmon for our Windows Systems, but we are missing the sourcetype "Perfmon:FreeDiskSpace".
We downloaded the latest Windows TA App (4.8.3), where we have found the [Perfmon:FreeDiskSpace] definition within probs.conf. But there is no such section within the inputs.conf. We are confused, because there should be an input or a transform in any way.

Does anyone know where the sourcetype Perfmon:FreeDiskSpace comes from, how it is definied and where it can be enabled?

Thanks
Markus

0 Karma

dstaulcu
Builder

I think that is an errant entry in the splunk_ta_windows and that it has no effect. The sourcetype name listed in props.conf does not match either the WMI or PERFMON based input specifications in the app. The sourcetype for inputs associated with the perfmon input handler will, by default, have a sourcetype value starting with "perfmon" and ending with the "object" name.

I would enable the [perfmon://LogicalDisk] stanza in inputs.conf of the app. At which point, a search for sourcetype="Perfmon:LogicalDisk" counter="% Free Space" instance=* would return the results you are looking for

Bonus:

There is a command line tool built into windows (usage: typeperf.exe -q) which lists available performance monitoring objects and their associated counters. On my windows 10 desktop, typeperf reports only single object having the word disk (LogicalDisk) and only one counter (% Free Space) having the words "free" and "space".

C:\Program Files\SplunkUniversalForwarder>typeperf -q | find /i "disk" | find /i "free" | find /i "space"
\LogicalDisk(*)\% Free Space

If the perfmon input type was "multikv" instead of "single" (Single is the default perfmon input type and what is currently used in Splunk_TA_windows) then the sourcetype value would instead be sourcetype="Perfmonk:LogicalDisk"

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...