Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Universal Forwarder not Forwarding Performance

Rickmcvick31
New Member
‎11-13-2012 09:40 AM

I have a receiver and one forwarder, the universal forwarder (Windows 7 box) sends logs (sys, app, etc) but will not send performance data. I have all the firewalls turned off, the ports are correct, and re-installed the forwarder. Nothing. Any Ideas?

0 Karma
Reply

DaveSavage
Builder
‎11-29-2012 08:07 AM

Good luck!I'll follow this thread to see if it worked & will change the question to 'a' (potential)answer to help others.

0 Karma
Reply

Rickmcvick31
New Member
‎11-29-2012 07:38 AM

hmm, well that may be the proverbial button, I started the service, we will see how it goes. Perhaps starting that service with the inputs.conf comments will work.

0 Karma
Reply

DaveSavage
Builder
‎11-29-2012 07:19 AM

Rick - I take it you have checked Computer Management (compmgmt.msc from the command line) and that under Services, 'Performance Logs and Alerts' is Started? Best make it persistent as well?
Br Dave

0 Karma
Reply

DaveSavage
Builder
‎11-30-2012 02:39 AM

Lastly - it is worth going the perfmon.conf route. Splunk docs has more on it here: http://docs.splunk.com/Documentation/Splunk/4.2.3/ReleaseNotes/Workaroundtoadd64-bitWindowsperfmonin...
You may find that you don't have a perfmon.conf operational i.e. there is an example file in ../etc/system but not in /system/default..nor in your ../system/local as yet.
Use the example file as your template and save it to local per usual. Then restart the service.

0 Karma
Reply

DaveSavage
Builder
‎11-30-2012 02:18 AM

Rick. Ok - I assume that JMETZGER-PC is the source with the UF on it, not the host indexer, and that you still only see WMI:stuff from the latter...and that JMETZ..is sending other data through e.g. it confirms the UF started?
If the above is true then try 2 things:
1) deep dive into the Splunk internal indexes for perfmon errors using: index=_internal source=*splunkd.log perfmon
2) Just check that the PC with the UF on it does have Splunk running with system permissions - sufficient to initiate the performance monitor?
Br, Dave

0 Karma
Reply

Rickmcvick31
New Member
‎11-29-2012 11:20 AM

I have, I haven't tried the comments in the inputs.conf in conjunction with turning on the services, but as of now when I check the performance of one of my forwarders, I get no info: click here. So when I click to see the search criteria I see this:

This search has completed, but did not match any events. The terms specified in the highlighted portion of the search:

search source=WMI:CPUTime host=JMETZGER-PC | eval CPULoad = PercentProcessorTime | timechart avg(CPULoad) min(CPULoad) max(CPULoad)

0 Karma
Reply

matthewcanty
Communicator
‎11-29-2012 01:33 AM

I just put all my perfmon configurations straight into the inputs.conf. Worked a treat. Don't know why it works, or why it's not written down anywhere but there ya go.

Update:

This is as it appears in my inputs.conf -

[perfmon://Processor Information]
interval = 10
object = Processor Information
counters = % Processor Time;
instances = _Total
disabled = 0
index=daldevperfmon

In outputs.conf make sure you have the index setup:

[tcpout]
defaultGroup=daldevperfmon
disabled=false

[tcpout:daldevperfmon]
server=127.0.0.1:9997

HTH

Reply

Rickmcvick31
New Member
‎11-29-2012 06:36 AM

I have done that and I got nothing. I wonder if I am missing something obvious. Like the proverbial glowing button that says "click to enable performance data you dope"

0 Karma
Reply

Rickmcvick31
New Member
‎11-28-2012 02:25 PM

I am still working on it, however, the comments did not work in the .conf so I'm stuck with no performance data, save for the host PC.

0 Karma
Reply

jsmander
Explorer
‎11-28-2012 02:22 PM

I have the same problem - did you ever get to the bottom of it? Or did you stick with adding comments to the input.conf directly?

This seems like something Splunk would've heavily tested - did we miss something obvious?

0 Karma
Reply

matthewcanty
Communicator
‎11-28-2012 03:58 AM

Have you got anywhere with this, not sure what the answers below are meant to mean.

0 Karma
Reply

brokolice
New Member
‎11-14-2012 03:44 AM

Hi,

dealing with the same issue right now.

I've added this to the inputs.conf in directory of the Universal Forwarder. C:\Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local

[perfmon://LocalPhysicalDisk]
interval = 30
object = PhysicalDisk
counters = Disk Bytes/sec; % Disk Read Time; % Disk Write Time; % Disk Time
instances = *
disabled = 0
index = main

[perfmon://LocalMainMemory]
interval = 30
object = Memory
counters = Committed Bytes; Available Bytes; % Committed Bytes In Use
disabled = 0
index = main

[perfmon://Processor]

interval = 60

object = Processor
counters = % Processor Time

instances = _Total

disabled = 0

index = main

kind of works, still playing around

Jiri

0 Karma
Reply

tirusplunk
Engager
‎11-13-2013 01:46 AM

Hi Brokolice,

Have you managed to get these counters and perfmons in the splunk indexer?

If yes, Can you please tell me how you did it?

Thanks & Regards,

Tirumal

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...