Re: sending perfmon data to indexer from UF

Splunk_U · ‎12-27-2012

I have an universal forwarder in windows machine. I want to send the perfmon data from the UF to the indexer (a linux machine). How to do that?

jonuwz · ‎12-28-2012

You should have the opportunity to configure perfmon inputs at install time.

If re-installing the UF is not an option take a look at the bottom of this page for how to add entries to <install dir>\etc\system\local\inputs.conf to forward perfmon data.

You'll need to restart the UF service for hte change to take effect.

Note :

The interval is in seconds, '1' might be too frequent for you.
You might want to create a new index to store the performance data

Edit

For example add this to etc/system/local/inputs.conf (example from the link above) :

[perfmon://LocalMainMemory]
interval = 5
object = Memory
counters = Committed Bytes; Available Bytes; % Committed Bytes In Use
disabled = 0
index = main

and restart your service.

jonuwz · ‎12-28-2012

not sure where perfmon.conf or wmi.conf come into it.

Just add entries to inputs.conf and restart

Splunk_U · ‎12-28-2012

I am not able to see perfmon.conf file in the default. shall I create the wmi.conf file?

sending perfmon data to indexer from UF

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases