Splunk® Enterprise

Admin Manual

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

perfmon.conf

The following are the spec and example files for perfmon.conf.

perfmon.conf.spec

# Copyright (C) 2005-2011 Splunk Inc. All Rights Reserved.  Version 4.3 
#
# This file contains possible attribute/value pairs for configuring Splunk's
# Windows Performance Monitor.  
#
# There is a perfmon.conf in $SPLUNK_HOME\etc\system\default\.  To set custom
# configurations, place a perfmon.conf in $SPLUNK_HOME\etc\system\local\. For
# examples, see perfmon.conf.example.  You must restart Splunk to enable
# configurations.
# 
# To learn more about configuration files (including precedence) please see the
# documentation located at
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

###############################################################################
#----PERFMON SETTINGS-----
#
# Each [Perfmon:] stanza represents an individually configured performance
# monitoring input.  The value of "$NAME" will match what was specified in
# Splunk Web.  Splunk recommends that you use the Manager interface to configure
# performance monitor inputs because it is easy to mistype the values for
# Performance Monitor objects, counters and instances.
#
# Note: perfmon.conf is for local systems ONLY.  When defining performance
# monitor inputs for remote machines, use wmi.conf.
###############################################################################

[PERFMON:{NAME}]

object = <string>
* This is a valid Performance Monitor object as defined within Performance
  Monitor (for example, "Process," "Server," "PhysicalDisk.")
* You can only specify a single valid Performance Monitor object per input.
* This attribute is required, and the input will not run if the attribute is not
  present.
* There is no default.

counters = <semicolon-separated strings>
* This can be a single counter, or multiple valid Performance Monitor counters.
* This attribute is required, and the input will not run if the attribute is not
  present.
* '*' is equivalent to all available counters for a given Performance Monitor object.
* There is no default.

instances = <semicolon-separated strings>
* This can be a single instance, or multiple valid Performance Monitor
  instances.
* '*' is  equivalent to all available instances for a given Performance Monitor
  counter.
* If applicable instances are available for a counter and this attribute is not
  present, then all available instances are specified (this is the same as
  setting 'instances = *').
* If there are no applicable instances for a counter, then this attribute
  can be safely omitted.
* There is no default.

interval = <integer>
* How often, in seconds, to poll for new data.
* This attribute is required, and the input will not run if the attribute is not
  present.
* The recommended setting depends on the Performance Monitor object,
  counter(s) and instance(s) you are defining in the input, and how much 
  performance data you require for the input.  Objects with numerous
  instantaneous or per-second counters, such as "Memory," "Processor" and
  "PhysicalDisk" should have shorter interval times specified (anywhere
  from 1-3 seconds). Less volatile counters such as "Terminal Services,"
  "Paging File" and "Print Queue" can have longer times configured.
* There is no default.

disabled = [0|1]
* Specifies whether or not the input is enabled.
* 1 to disable the input, 0 to enable it.
* Defaults to 0 (enabled).

index = <string>
* Specifies the index that this input should send the data to.
* This attribute is optional.
* If no value is present, defaults to the default index.

perfmon.conf.example

# Copyright (C) 2005-2011 Splunk Inc. All Rights Reserved.  Version 4.3 
#
# This is an example perfmon.conf.  These settings are used to configure
# Splunk's Windows performance monitor scripted input. Refer to
# perfmon.conf.spec and the documentation at splunk.com for more information
# about this file. 
#
# To use one or more of these configurations, copy the configuration block
# into perfmon.conf in $SPLUNK_HOME\etc\system\local\.  You must restart Splunk
# to enable configurations.
#
# To learn more about configuration files (including precedence) please see the
# documentation located at 
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

# Important: You must specify the names of objects, counters and instances 
# exactly as they are shown in the Performance Monitor application.  Splunk Web
# is the recommended interface to use to configure performance monitor inputs.

# Important: These stanzas gather performance data from the local system only.
# Use wmi.conf for performance monitor metrics on remote systems.

# Query the PhysicalDisk performance object and gather disk access data for
# all physical drives installed in the system. Store this data in the 
# "perfmon" index.
# Note: If the interval attribute is set to 0, Splunk will reset the interval
# to 1.

[PERFMON:LocalPhysicalDisk]
interval = 0
object = PhysicalDisk
counters = Disk Bytes/sec; % Disk Read Time; % Disk Write Time; % Disk Time
instances = *
disabled = 0
index = PerfMon

# Gather common memory statistics using the Memory performance object, every 
# 5 seconds.  Store the data in the "main" index.  Since none of the counters
# specified have applicable instances, the instances attribute is not required.

[PERFMON:LocalMainMemory]
interval = 5
object = Memory
counters = Committed Bytes; Available Bytes; % Committed Bytes In Use
disabled = 0
index = main

# Gather data on USB activity levels every 10 seconds.  Store this data in the default index.

[PERFMON:USBChanges]
interval = 10
object = USB
counters = Usb Control Data Bytes/Sec
instances = *
disabled = 0

PREVIOUS
pdf_server.conf
  NEXT
procmon-filters.conf

This documentation applies to the following versions of Splunk® Enterprise: 4.3


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters