Splunk® App for Infrastructure (Legacy)

Administer Splunk App for Infrastructure

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® App for Infrastructure (Legacy). For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

SAI version 1.3.x is not compatible with the Splunk Add-on for Windows

By default, version 1.3.x of the Splunk App for Infrastructure (SAI) is not compatible with the Splunk Add-on for Windows. If you are using the Splunk Add-on for Windows and SAI version 1.3.x in the same Splunk Enterprise deployment, you must modify the universal forwarder's inputs.conf file on each Windows host and props.conf for each instance of the Splunk Add-on for Infrastructure you are running.

Prerequisites

  • Access and permission to modify files in the $SPLUNK_HOME directory on each Windows host.
  • Access and permission to modify files in the $SPLUNK_HOME directory on each Splunk Enterprise instance running the Splunk Add-on for Infrastructure.

Steps

Follow these steps to modify props, transforms, sourcetypes, and target indexes to use the Splunk Add-on for Microsoft Windows and Splunk App for Infrastructure version 1.3.x in the same Splunk Enterprise deployment.

  1. On each system running a Splunk Enterprise instance that contains the Splunk Add-on for Infrastructure, go to the $SPLUNK_HOME/etc/apps/splunk_ta_infrastructure/local directory.
  2. Open props.conf with a text editor.
  3. Replace all content in the file with the following:
    # This is for backward compatible with previous collectd version
    [em_metrics]
    TRANSFORMS-hostoverride=metrics-hostoverride
    ADD_EXTRA_TIME_FIELDS = false
    
    [aws:cloudwatch]
    TRANSFORMS-hostoverride=ebs-hostoverride, elb-hostoverride, ec2-hostoverride
    
    [em_indexed_alerts]
    SHOULD_LINEMERGE = False
    
    # For Windows Metrics
    [PerfmonMetrics:CPU]
    TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
    TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
    TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
    TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
    TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
    EVAL-metric_type = "gauge"
    SEDCMD-remove-whitespace = s/ /_/g s/\s/ /g
    
    [PerfmonMetrics:Memory]
    TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
    TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
    TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
    TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
    TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
    EVAL-metric_type = "gauge"
    SEDCMD-remove-whitespace = s/ /_/g s/\s/ /g
    
    [PerfmonMetrics:PhysicalDisk]
    TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
    TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
    TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
    TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
    TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
    EVAL-metric_type = "gauge"
    SEDCMD-remove-whitespace = s/ /_/g s/\s/ /g
    
    [PerfmonMetrics:LogicallDisk]
    TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
    TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
    TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
    TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
    TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
    EVAL-metric_type = "gauge"
    SEDCMD-remove-whitespace = s/ /_/g s/\s/ /g
    
    [PerfmonMetrics:Network]
    TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
    TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
    TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
    TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
    TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
    EVAL-metric_type = "gauge"
    SEDCMD-remove-whitespace = s/ /_/g s/\s/ /g
    
    [PerfmonMetrics:System]
    TRANSFORMS-_value_for_perfmon_metrics_store = value_thefor_perfmon_metrics_store
    TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
    TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
    TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
    TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
    EVAL-metric_type = "gauge"
    SEDCMD-remove-whitespace = s/ /_/g s/\s/ /g
    
    [PerfmonMetrics:Process]
    TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
    TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
    TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
    TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
    TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
    EVAL-metric_type = "gauge"
    SEDCMD-remove-whitespace = s/ /_/g s/\s/ /g
    
    [em_metrics_udp]
    TRANSFORMS-hostoverride = udp-metrics-hostoverride
    TRANSFORMS-run-dims-extraction = extract_dims
    SHOULD_LINEMERGE = false
    LINE_BREAKER = (\}\})
    
  4. When you are done, save your changes and close the file.
  5. On each Windows host that is sending data to the Splunk App for Infrastructure with a universal forwarder, go to the $SPLUNK_HOME/etc/system/local directory.
  6. Open inputs.conf with a text editor.
  7. For each perfmon stanza, change the sourcetype value fromPerfmon:<metric> to PerfmonMetrics:<metric>. If an input does not specify a sourcetype, add one:
    sourcetype = PerfmonMetrics:<metric>
    
  8. For each perfmon stanza, change the index value to em_metrics. If you use a custom metrics index, include that instead.
  9. Here is an example inputs.conf file:
    [perfmon://CPU Load]
    counters = % C1 Time;% C2 Time;% Idle Time;% Processor Time;% User Time;% Privileged Time;% Reserved Time;% Interrupt Time
    instances = *
    interval = 30
    sourcetype = PerfmonMetrics:CPU
    object = Processor
    index = em_metrics
    _meta =  os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host
    
    [perfmon://Physical Disk]
    counters = % Disk Read Time;% Disk Write Time
    instances = *
    interval = 30
    sourcetype = PerfmonMetrics:PhysicalDisk
    object = PhysicalDisk
    index = em_metrics
    _meta =  os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host
    
    [perfmon://Network Interface]
    counters = Bytes Received/sec;Bytes Sent/sec;Packets Received/sec;Packets Sent/sec;Packets Received Errors;Packets Outbound Errors
    instances = *
    interval = 30
    sourcetype = PerfmonMetrics:Network
    object = Network Interface
    index = em_metrics
    _meta =  os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host
    
    [perfmon://Available Memory]
    counters = Cache Bytes;% Committed Bytes In Use;Page Reads/sec;Pages Input/sec;Pages Output/sec;Committed Bytes;Available Bytes
    interval = 30
    sourcetype = PerfmonMetrics:Memory
    object = Memory
    index = em_metrics
    _meta =  os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host
    
    [perfmon://System]
    counters = Processor Queue Length;Threads
    instances = *
    interval = 30
    sourcetype = PerfmonMetrics:System
    object = System
    index = em_metrics
    _meta =  os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host
    
    [perfmon://Process]
    counters = % Processor Time;% User Time;% Privileged Time
    instances = *
    interval = 30
    sourcetype = PerfmonMetrics:Process
    object = Process
    index = em_metrics
    _meta =  os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host
    
    [perfmon://Free Disk Space]
    counters = Free Megabytes;% Free Space
    instances = *
    interval = 30
    sourcetype = PerfmonMetrics:LogicalDisk
    object = LogicalDisk
    index = em_metrics
    _meta =  os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host
    
  10. When you are done, save your changes and close the file.
  11. Restart the universal forwarder on each Windows host and each Splunk Enterprise instance running the Splunk App for Infrastructure:
    $ cd $SPLUNK_HOME/bin
    $ ./splunk restart
    
Last modified on 06 July, 2020
PREVIOUS
The status of an entity is not updating
  NEXT
Manage and debug the local server in Splunk App for Infrastructure

This documentation applies to the following versions of Splunk® App for Infrastructure (Legacy): 1.3.0, 1.3.1


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters