Universal Forwarder not Forwarding Performance

Rickmcvick31
New Member

I have a receiver and one forwarder. The universal forwarder (Windows 7 box) sends logs (sys, app, etc.) but will not send performance data. I have all the firewalls turned off, the ports are correct, and I re-installed the forwarder. Nothing. Any ideas?

0 Karma

DaveSavage
Builder

Good luck! I'll follow this thread to see if it worked & will change the question to 'a' (potential) answer to help others.

0 Karma

Rickmcvick31
New Member

Hmm, well that may be the proverbial button. I started the service; we will see how it goes. Perhaps starting that service with the inputs.conf comments will work.

0 Karma

DaveSavage
Builder

Rick - I take it you have checked Computer Management (compmgmt.msc from the command line) and that under Services, 'Performance Logs and Alerts' is Started? Best make it persistent as well?
Br Dave

0 Karma

DaveSavage
Builder

Lastly - it is worth going the perfmon.conf route. Splunk docs has more on it here: http://docs.splunk.com/Documentation/Splunk/4.2.3/ReleaseNotes/Workaroundtoadd64-bitWindowsperfmonin...
You may find that you don't have a perfmon.conf operational i.e. there is an example file in ../etc/system but not in /system/default..nor in your ../system/local as yet.
Use the example file as your template and save it to local per usual. Then restart the service.

0 Karma

DaveSavage
Builder

Rick. Ok - I assume that JMETZGER-PC is the source with the UF on it, not the host indexer, and that you still only see WMI:stuff from the latter...and that JMETZ..is sending other data through e.g. it confirms the UF started?
If the above is true then try 2 things:
1) deep dive into the Splunk internal indexes for perfmon errors using: index=_internal source=*splunkd.log perfmon
2) Just check that the PC with the UF on it does have Splunk running with system permissions - sufficient to initiate the performance monitor?
Br, Dave

0 Karma

Rickmcvick31
New Member

I have, I haven't tried the comments in the inputs.conf in conjunction with turning on the services, but as of now when I check the performance of one of my forwarders, I get no info: click here. So when I click to see the search criteria I see this:

This search has completed, but did not match any events. The terms specified in the highlighted portion of the search:

search source=WMI:CPUTime host=JMETZGER-PC | eval CPULoad = PercentProcessorTime | timechart avg(CPULoad) min(CPULoad) max(CPULoad)

0 Karma

matthewcanty
Communicator

I just put all my perfmon configurations straight into the inputs.conf. Worked a treat. Don't know why it works, or why it's not written down anywhere but there ya go.

Update:

This is as it appears in my inputs.conf -

[perfmon://Processor Information]
interval = 10
object = Processor Information
counters = % Processor Time;
instances = _Total
disabled = 0
index=daldevperfmon

In outputs.conf make sure you have the index setup:

[tcpout]
defaultGroup=daldevperfmon
disabled=false

[tcpout:daldevperfmon]
server=127.0.0.1:9997

HTH

Rickmcvick31
New Member

I have done that and I got nothing. I wonder if I am missing something obvious. Like the proverbial glowing button that says "click to enable performance data you dope"

0 Karma

Rickmcvick31
New Member

I am still working on it, however, the comments did not work in the .conf so I'm stuck with no performance data, save for the host PC.

0 Karma

jsmander
Explorer

I have the same problem - did you ever get to the bottom of it? Or did you stick with adding comments to the inputs.conf directly?

This seems like something Splunk would've heavily tested - did we miss something obvious?

0 Karma

matthewcanty
Communicator

Have you got anywhere with this, not sure what the answers below are meant to mean.

0 Karma

brokolice
New Member

Hi,

dealing with the same issue right now.

I've added this to the inputs.conf in directory of the Universal Forwarder. C:\Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local

[perfmon://LocalPhysicalDisk]
interval = 30
object = PhysicalDisk
counters = Disk Bytes/sec; % Disk Read Time; % Disk Write Time; % Disk Time
instances = *
disabled = 0
index = main

[perfmon://LocalMainMemory]
interval = 30
object = Memory
counters = Committed Bytes; Available Bytes; % Committed Bytes In Use
disabled = 0
index = main

[perfmon://Processor]
interval = 60
object = Processor
counters = % Processor Time
instances = _Total
disabled = 0
index = main

kind of works, still playing around

Jiri

0 Karma
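A way to sanity-check perfmon stanzas like the ones posted in this thread before restarting the forwarder, as an added example (not code from any poster here and not from Splunk). The names lint_perfmon, REQUIRED and known_indexes are hypothetical, the "required" baseline is simply the settings every stanza in this thread defines, and SAMPLE is constructed from the posted stanzas with two faults introduced.

```python
import configparser

# Constructed sample: stanzas modelled on the ones in this thread, with faults added.
SAMPLE = r"""
[perfmon://Processor Information]
interval = 10
object = Processor Information
counters = % Processor Time;
instances = _Total
disabled = 0
index=daldevperfmon

[perfmon://LocalMainMemory]
interval = 30
object = Memory
disabled = 1
index = main

[monitor://C:\logs]
disabled = 0
"""

# Settings that every perfmon stanza posted in this thread defines
# (treated here as the required baseline; an assumption of this example).
REQUIRED = ("object", "counters", "interval")

def lint_perfmon(conf_text, known_indexes):
    """Return {stanza name: [problems]} for each [perfmon://...] stanza."""
    # interpolation=None because counter names such as "% Processor Time"
    # contain a literal '%', which configparser would otherwise try to expand.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(conf_text)
    report = {}
    for stanza in cp.sections():
        if not stanza.lower().startswith("perfmon://"):
            continue  # other input types are out of scope
        s = cp[stanza]
        problems = [f"missing {k}" for k in REQUIRED if not s.get(k, "").strip()]
        interval = s.get("interval", "").strip()
        if interval and not interval.isdigit():
            problems.append(f"interval not an integer: {interval}")
        if s.get("disabled", "0").strip().lower() in ("1", "true"):
            problems.append("disabled")
        index = s.get("index", "").strip()
        if index and index not in known_indexes:
            problems.append(f"index not on receiver: {index}")
        report[stanza] = problems
    return report
```

Pass the text of the forwarder's inputs.conf and the set of index names that exist on the receiver; an empty list for a stanza means none of these checks failed.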

tirusplunk
Engager

Hi Brokolice,

Have you managed to get these counters and perfmons in the splunk indexer?

If yes, Can you please tell me how you did it?

Thanks & Regards,

Tirumal

0 Karma