All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to index NMON file without NMON app?

sabrinebs0702
Engager
‎01-04-2017 01:05 AM

is there any other solution to index Nmon file in Splunk without using the Nmon App

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-04-2017 06:15 AM

Hi sabrinebs0702,
Only to understand: you don't want to install the Nmon App on your Splunk Server or the TA-Nmon on your forwarders?

in the first case the easyest way is to install TA-nmon, the Technical Add-On that ingest logs showed with the NMON App.

If you don't want to install this TA on your Forwarders, open inputs.conf file of this TA and copy stanzas in one other App deployed on your Forwarders.
This isn't a good solution because in every way you have to deploy something on your forwarders.

If you don't want to install a Forwarder on your servers, you have to open TA-Nmon and study inputs.conf file to see what to ingest and find a different way to send this logs to Splunk (e.g. using syslog).

Bye.
Giuseppe

0 Karma
Reply

guilmxm
Influencer
‎01-04-2017 06:36 AM

Hi,

In addition to great Giuseppe's answer.

If there are any reason that you may to highlight for not wanting to use the Nmon app to ingest Nmon data in Splunk, feel free I will be happy to read.

At the origin of the Nmon App development, I intensively searched for the better way, most simple, most optimised to ingest Nmon data into Splunk, after numerous tests and attempts I have designed things the way they are (using third party parsers) for various reasons related to the structure of nmon files.

The structure of Nmon data is (for the performance data, not inventory) indeed a structured csv format, however timestamps are in a specific format Splunk cannot understand in any case (ZZZZ lines defines the timestamp in the first line of every measure collection)
This is one of the key that makes it almost impossible for a direct Splunk ingestion, there also other reasons like the inventory data (multi-line events in the AAA and BBB sections), and the per column structure for devices statistics.

There are also numerous ways of using nmon, one of those generates nmon files that you can later ingest, this is not the same than indexing the result of a simple script output.

You can start having a read at the very interesting Nmon FAQ:

http://nmon.sourceforge.net/pmwiki.php?n=Site.NmonFAQ

In any case, the Nmon app exists since the beginning of 2014, since that time there are have been numerous large and different deployments in various conditions, which makes from the solution a very robust, efficient and simple to implement solution.

Finally, if transporting the information through syslog is the purpose (eg. no deployment of UF on servers), I also provide a solution with the nmon-logger package:

http://nmon-for-splunk.readthedocs.io/en/latest/rsyslog_deployment.html

http://nmon-for-splunk.readthedocs.io/en/latest/syslogng_deployment.html

Hope this helps.

Guilhem

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...