Source types for the Splunk Add-on for Microsoft SCOM
The Splunk Add-on for Microsoft SCOM divides data from Microsoft SCOM into thirteen source types. Each source type maps to one or more SCOM commands.
Source | Description | CIM compliance | ITSI compliance | Direct SQL available |
---|---|---|---|---|
microsoft:scom:alert | Get one or more alerts and their history. An alert is an indication of a significant event that requires your attention. Rules and monitors can generate alerts. | Alerts | None | Yes |
microsoft:scom:monitor | Get monitors, which define the logic for determining the health of an object. | None | None | No |
microsoft:scom:diagnostic | Get diagnostic tasks to discover the cause of a problem or provide you with additional information. | None | None | No |
microsoft:scom:task | Get a list of tasks and their results. This includes tasks that have a specific name or ID as well as tasks that are associated with specified user roles, class instances, management packs, or target classes. | None | None | No |
microsoft:scom:recovery | Get a list of recoveries. | None | None | No |
microsoft:scom:discovery | Get a list of discoveries. | None | None | No |
microsoft:scom:override | Get a list of overrides, and a resulting set of overrides. | None | None | No |
microsoft:scom:event | Get one or more events that are collected by rules. | None | None | Yes |
microsoft:scom:rule | Get one or more monitoring rules. | None | None | No |
microsoft:scom:internal | Get internal references such as SCOM class definitions and class instances. | None | OS | No |
microsoft:scom:network | Get network configurations such as SCOM agent, connector, and proxy information. | None | None | No |
microsoft:scom:mgmt | Get management configurations such as ManagementPack, group, and role. | None | None | No |
microsoft:scom:performance | Get performance data such as CPU usage, memory, storage, and network performance. | Performance | OS | Yes |
Configure Microsoft SCOM to send performance data
To collect performance data from Microsoft SCOM, you must import the System Center Management Pack into your Microsoft SCOM environment and enable the rules that map to the Splunk ITSI data model.
Import System Center Management Pack
- Download the System Center Management Pack from the Microsoft website.
- Import the management pack into Microsoft SCOM. See the System Center Management Pack Guide provided in your installation package for instructions.
Enable Rules in Management Pack Object
Each management pack has different rules for collecting performance data from metrics such as memory, processor, network, or disk. To get the performance data and map it to the ITSI Performance model, you must enable the rules manually if they are not enabled by default.
The table below describes the rules and their mapping to the ITSI Performance data model.
Name (differs by OS version) | Enabled by default? | ITSI Object | ITSI Fields |
---|---|---|---|
Processor Information % Processor Time Total Windows Server 2016 and 1709+; Processor Information % Processor Time Total Windows Server 2012 R2 | True | Performance | cpu_user_percent |
System Processor Queue Length Windows Server 2016 and 1709+; System Processor Queue Length Windows Server 2012 R2 | True | Performance | wait_threads_count |
Memory Available Megabytes Windows Server 2016 and 1709+; Memory Available Megabytes Windows Server 2012 R2 | True | Performance | mem_free |
Percent Memory Used | True | Performance | mem_free_percent, mem_used_percent |
Memory Pages per Second Windows Server 2016 and 1709+; Memory Pages per Second Windows Server 2012 R2 | True | Performance | mem_page_ops |
Cluster Disk - Total size / MB; Cluster Shared Volume - Total size / MB | True | Performance | Storage |
Cluster Disk - Free space / MB; Cluster Shared Volume - Free space / MB | True | Performance | storage_free, storage_used |
Cluster Disk - Free space / %; Cluster Shared Volume - Free space / % | True | Performance | storage_free_percent, storage_used_percent |
Network Adapter Bytes Total per Second Windows Server 2016 and 1709+; Network Adapter Bytes Total per Second Windows Server 2012 | True | Performance | bytes |
Physical Disk Average Disk Seconds per Transfer Windows Server 2016 and 1709+; Physical Disk Average Disk Seconds per Transfer Windows Server 2012 | True | Performance | latency |
Collection Rule for Average Disk Seconds Per Read Windows Server 2016 and 1709+; Collection Rule for Average Disk Seconds Per Read Windows Server 2012 | False | Performance | read_latency |
Collection Rule for Disk Reads Per Second Windows Server 2016 and 1709+; Collection Rule for Disk Reads Per Second Windows Server 2012 | False | Performance | read_ops |
Collection Rule for Average Disk Seconds Per Write Windows Server 2016 and 1709+; Collection Rule for Average Disk Seconds Per Write Windows Server 2012 | False | Performance | write_latency |
Collection Rule for Disk Writes Per Second Windows Server 2016 and 1709+; Collection Rule for Disk Writes Per Second Windows Server 2012 | False | Performance | write_ops |
Network Adapter Bytes Received per Second Windows Server 2016 and 1709+; Network Adapter Bytes Received per Second Windows Server 2012 | False | Performance | bytes_in |
Network Adapter Bytes Sent per Second Windows Server 2016 and 1709+; Network Adapter Bytes Sent per Second Windows Server 2012 | False | Performance | bytes_out |
In addition to the rules in the table, if you want to collect data on disk transfers per second, you must create a rule with the prefix Collection Rule for Disk Transfers Per Second. For example, Collection Rule for Disk Transfers Per Second Windows Server 2012. Then map the data to the total_ops field of the ITSI Performance object.
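A read-only audit of the rules that the table lists as not enabled by default, plus the disk transfers rule that must be created, as an added example that is not part of the Splunk documentation. It assumes the OperationsManager PowerShell module on a management server; matching on display-name prefixes is an assumption made here because the rule names differ by OS version.

```powershell
# Added example (not from the Splunk documentation): report whether the
# performance rules needed for the ITSI mapping exist and how they are defined.
# Assumes it runs where the OperationsManager module is installed and a
# management group connection is available.
Import-Module OperationsManager

# Display-name prefixes taken from the table above; the OS-version suffix varies.
$rulePrefixes = @(
    'Collection Rule for Average Disk Seconds Per Read',
    'Collection Rule for Disk Reads Per Second',
    'Collection Rule for Average Disk Seconds Per Write',
    'Collection Rule for Disk Writes Per Second',
    'Network Adapter Bytes Received per Second',
    'Network Adapter Bytes Sent per Second',
    # Not shipped in the management pack; the page says you create this one.
    'Collection Rule for Disk Transfers Per Second'
)

$report = foreach ($prefix in $rulePrefixes) {
    $rules = @(Get-SCOMRule -DisplayName "$prefix*")
    if ($rules.Count -eq 0) {
        # No match: the management pack is not imported or the rule was never created.
        [pscustomobject]@{
            Prefix         = $prefix
            Rule           = '(not found)'
            ManagementPack = ''
            EnabledInPack  = ''
        }
    }
    else {
        foreach ($rule in $rules) {
            [pscustomobject]@{
                Prefix         = $prefix
                Rule           = $rule.DisplayName
                ManagementPack = $rule.GetManagementPack().Name
                # Value defined in the management pack itself; a rule enabled
                # through an override still shows its original value here.
                EnabledInPack  = $rule.Enabled
            }
        }
    }
}

$report | Sort-Object Prefix, Rule | Format-Table -AutoSize
```

Rows showing `(not found)` or an `EnabledInPack` value of `false` without a corresponding override are the ones whose ITSI fields stay empty in `microsoft:scom:performance`.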
This documentation applies to the following versions of Splunk® Supported Add-ons: released, released