I am trying to forward the performance stats (CPU, Memory) from Windows Universal forwarder to Splunk Indexer on remote server (Linux 6.2.3). I am modifying the inputs.conf file in /etc/system/local ,but whatever I do, as soon as I start the Windows Forwarder Server, Splunk Indexer gets performance stats every 10 seconds in the main index (instead of perfmon index I have created for this purpose).
inputs.conf looks like:
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
# Perfmon: Windows performance monitoring examples
[perfmon://LocalMainMemory]
interval = 60
object = Memory
counters = Committed Bytes; Available Bytes; % Committed Bytes In Use
disabled = 0
index = perfmon
[perfmon://LocalPhysicalDisk]
interval = 60
object = PhysicalDisk
counters = Disk Bytes/sec; % Disk Read Time; % Disk Write Time; % Disk Time
instances = *
disabled = 0
index = perfmon
[perfmon://Processor]
object = Processor
instances = _Total
counters = % Processor Time;% User Time
useEnglishOnly = 1
interval = 60
disabled = 0
Did anybody experience this issue? Any suggestions?
... View more