Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Windows Universal Forwarder stopped logging perfmon: How can I restore this feature?

twinspop
Influencer
‎07-21-2014 09:40 AM

I have ~ 800 windows servers getting their configs from a deployment server. Often when i roll a new version of the perf app out, and splunk restarts, perfmon targets stop logging completely from some hosts. Splunk UF version 4.3-6.0 running on Windows 2003-2008.

Why? Is there a known workaround?

EDIT: Non-perfmon targets continue to work normally on these servers

EDIT2:

inputs.conf

[script://$SPLUNK_HOME\bin\scripts\splunk-perfmon.path]
disabled = 0

perfmon.conf

[PERFMON:CPU]
counters = % Processor Time
disabled = 0
instances = _Total
interval = 60
object = Processor
index = perf
Reply
1 Solution
Solved! Jump to solution
Solution

linu1988
Champion
‎07-21-2014 07:39 PM

After splunk 5 there is no perfmon.conf. While upgrading some gets migrated to inputs.conf. sometimes if the migration doesn't happen properly then they don't forward. The configurations are case sensitive.

Replace like below.

[perfmon://CPU]
counters = % Processor Time
disabled = 0
instances = _Total
interval = 60
object = Processor
index = perf

Thanks,
L

View solution in original post

Reply
Solved! Jump to solution
Solution

linu1988
Champion
‎07-21-2014 07:39 PM

After splunk 5 there is no perfmon.conf. While upgrading some gets migrated to inputs.conf. sometimes if the migration doesn't happen properly then they don't forward. The configurations are case sensitive.

Replace like below.

[perfmon://CPU]
counters = % Processor Time
disabled = 0
instances = _Total
interval = 60
object = Processor
index = perf

Thanks,
L

Reply
Solved! Jump to solution

twinspop
Influencer
‎07-21-2014 08:50 PM

Thank you! I didn't grok what you were saying in the first comment. 🙂

0 Karma
Reply
Solved! Jump to solution

twinspop
Influencer
‎07-21-2014 01:05 PM

They all have identical settings. Let's just focus on the 6.0 SUF servers. Some work and some don't. They have identical configs. Reboots don't cure the problem.

0 Karma
Reply
Solved! Jump to solution

linu1988
Champion
‎07-21-2014 10:11 AM

they have different syntax , if not migrated properly they wont forward the data.

include perfmon in the inputs.conf file and restart

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...