- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- What is the intended behavior when setting the "in...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In the inputs.conf spec for collecting perfmon data (https://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Inputsconf#Performance_Monitor ), there is an option called "instances". Reading the description of the option seems to suggest that it allows one to specify string patterns that will filter the reported perfmon data based on if the instance field from the host matches the string specified in the stanza. For example, if one wanted to capture perfmon data for all instances of svchost, I would assume this could be done by specifying a stanza like the following:
[perfmon://Process]
counters = Working Set;Virtual Bytes;% Processor Time;Handle Count;Thread Count;Elapsed Time;Creating Process ID;ID Process;
disabled = 0
index = perfmon
instances = svchost*
interval = 30
object = Process
mode = multikv
showZeroValue = 1
Setting up the stanza in this way does not result in all instances of svchost being reported with the prescribed configuration. Instead, the only thing reported back is the perfmon data for the top-level, parent svchost process, and its value for the "instance" field is set to the pattern in the stanza, e.g., "svchost*". None of the child svchost processes (whose instances should be svchost#1, svchost#2, etc.) are reported.
Is this the expected behavior?
I tested this with Splunk Forwarder 6.4.4, Splunk Add-on for Windows version 4.8.0 on Windows 10 64-bit.
Another user (@Yorokobi) reported seeing this on Windows Server 2012 R2.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Based on documentation (link below) for perfmon setting 'instances', I don't think it can be used as wild carded names of instances. You should provide full names of instances that you want the counter to be monitored for (semicolon separated) OR use '*' to monitor for all instances.
https://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Inputsconf#Performance_Monitor
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Based on documentation (link below) for perfmon setting 'instances', I don't think it can be used as wild carded names of instances. You should provide full names of instances that you want the counter to be monitored for (semicolon separated) OR use '*' to monitor for all instances.
https://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Inputsconf#Performance_Monitor
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@somesoni2, I will accept your feedback if you change it to an answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't disagree, but I am little surprised that it wouldn't support the wildcard except for the "ALL" case. Seems a bit odd compared to most other semantics in Splunk configuration files.
Thanks as always @somesoni2.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It occurred to me later (the wildcard only applying to instances = *) so I tried a semicolon-separated list of expected process names and this feature appears to work as expected.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
