Getting Data In

Perfmon:Memory missing from search head

dtrelford
Path Finder

I'm trying to timechart memory usage on my search head, but for some reason it's not collecting data. Specifically, memory counters. Other perfmon counters (such as cpu and disk) are available. Checked inputs.conf and verified settings match other servers that are correctly sending memory counter data to the indexers:

[perfmon://Memory]
counters = Page Faults/sec; Available Bytes; Pages/sec; Page Reads/sec; Page Writes/sec
disabled = 0
interval = 10
object = Memory
useEnglishOnly=true
index = perfmon

I have run lodctr and tested the counter in Performance Monitor on the server itself, so I know the counter works locally. Where else can I look for a fault?

EDIT:
To clarify- all other counters configured in inputs.conf are working.
perfmon://Memory is working on other servers it's deployed on. Search Head is the only server where the memory counter is missing from search results.

1 Solution

dtrelford
Path Finder

After working with Splunk Support, I found the solution.

There is a default app created by splunk - Splunk_TA_microsoft_ad

Although all the inputs used in this app were disabled, the app itself was enabled in the app.conf. This was overriding our setup in a custom perfmon app.

Changes made to resolve:

.../etc/apps/Splunk_TA_microsoft_ad/local/app.conf
[install]
state = disabled

Restarted Splunk. Issue is now resolved.

View solution in original post

dtrelford
Path Finder

After working with Splunk Support, I found the solution.

There is a default app created by splunk - Splunk_TA_microsoft_ad

Although all the inputs used in this app were disabled, the app itself was enabled in the app.conf. This was overriding our setup in a custom perfmon app.

Changes made to resolve:

.../etc/apps/Splunk_TA_microsoft_ad/local/app.conf
[install]
state = disabled

Restarted Splunk. Issue is now resolved.

soumyasaha25
Contributor

can you check if you have the input OperatingSystem enabled in your inputs.conf
sample stanza below
[WinHostMon://OperatingSystem]
interval = 600
disabled = 1
type = OperatingSystem
index = windows

i had a similar issue long time back enabling this input resolved it. Hope it works for you as well

0 Karma

dtrelford
Path Finder

Hi soumyasaha,

The stanza you provided has disabled = 1, is that correct? Wouldn't that disable that input?

0 Karma

soumyasaha25
Contributor

yes, sorry. we had disabled it later. can you try to put the stanza with disabled = 0

0 Karma

dtrelford
Path Finder

Added the stanza and restarted splunk on the search head. Unfortunately it did not resolve the problem. Search head memory counters are still missing.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...