Splunk® IT Essentials Work

Entity Integrations Manual

This documentation does not apply to the most recent version of Splunk® IT Essentials Work. For documentation on the most recent version, go to the latest release.

Troubleshoot the Windows entity integration in ITE Work

Here are some common Windows integration issues and how to resolve them.

The Splunk universal forwarder isn't sending metrics data to Splunk

  • Make sure the outputs.conf file on the universal forwarder is configured properly. Use the following Splunk CLI command to see active forwards:
    $SPLUNK_HOME/bin/splunk list forward-server
  • Make sure the correct version of the Splunk Add-on for Infrastructure is installed on indexers and heavy forwarders.
  • Use the btool command to check inputs.conf perfmon configurations on the universal forwarder running on the monitored Windows machine. For more information, see Use btool to troubleshoot configurations in the Splunk Enterprise Troubleshooting Manual.

The following is a sample perfmon stanza:

[perfmon://CPU]
counters = % C1 Time;% C2 Time;% Idle Time;% Processor Time;% User Time;% Privileged Time
instances = *
interval = 30
mode = single
object = Processor
index = itsi_im_metrics
meta = os::"Microsoft Windows Server 2012 R2 Standard" entity_type::Windows_Host
useEnglishOnly = true
sourcetype = PerfmonMetrics:CPU
disabled = 0

Mode, index, entity_type, meta, and sourcetype are important fields. Most of the issues you might encounter are due to conflicts in the inputs.conf perfmon stanzas in the Splunk Add-on for Windows or other apps.

Windows metrics data in index but there are no entities in ITE Work

  • Make sure processor metrics are enabled and available for the monitored Windows host. Windows entity discovery uses the prefix Processor.* for metric names. Use mstats to look into metrics data. The metric_name in the Splunk metrics index should look like this: Processor.%_Processor_Time.
  • Make sure there's no data lag while indexing. If there's significant data lag, increase the monitoring_window for the [ITSI Import Objects - Perfmon] stanza in $SPLUNK_HOME/etc/apps/itsi/local/savedsearches.conf, then restart Splunk.
  • Make sure data is indexed in the itsi_im_metrics index. If you're using a custom index, make sure the itsi_im_metrics_indexes macro is updated to include the custom index used. For more information, see Use custom indexes in ITE Work.
  • Verify that entity discovery saved searches are enabled for the [ITSI Import Objects - Perfmon] stanza in $SPLUNK_HOME/etc/apps/itsi/local/savedsearches.conf.

Entities appear but the overview dashboards aren't populated

Check the meta fields within perfmon stanzas in inputs.conf and verify that entity_type::Windows_Host was added. See the sample inputs.conf file above.
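
One way to automate the field checks described above (the important fields of the sample stanza and the entity_type::Windows_Host check), as an added example that is not part of the Splunk documentation. It reads plain inputs.conf text, such as the output of `splunk btool inputs list` on the forwarder; the function names, the sample stanzas, and treating the sample stanza's values as the expected ones are assumptions.

```python
import re

# Constructed sample; the Memory stanza mimics a conflicting definition from another app.
SAMPLE = """
[perfmon://CPU]
mode = single
index = itsi_im_metrics
meta = os::"Microsoft Windows Server 2012 R2 Standard" entity_type::Windows_Host
sourcetype = PerfmonMetrics:CPU
disabled = 0

[perfmon://Memory]
mode = multikv
index = main
sourcetype = Perfmon:Memory
"""

def parse_stanzas(conf_text):
    """Parse inputs.conf-style text into {stanza_name: {key: value}}."""
    stanzas, current = {}, None
    for line in map(str.strip, conf_text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def check_perfmon(conf_text, allowed_indexes=("itsi_im_metrics",)):
    """Return {stanza: [problems]} for each perfmon:// stanza that deviates."""
    findings = {}
    for name, cfg in parse_stanzas(conf_text).items():
        get = cfg.get
        checks = [  # (ok, message); expected values are assumed from the sample stanza
            (get("disabled", "0").lower() not in ("1", "true"), "input is disabled"),
            (get("mode") == "single", "mode is not single"),
            (get("index") in allowed_indexes, "index is not an expected metrics index"),
            ("entity_type::Windows_Host" in get("meta", "").split(), "meta lacks entity_type::Windows_Host"),
            (get("sourcetype", "").startswith("PerfmonMetrics:"), "sourcetype is not PerfmonMetrics:*"),
        ]
        problems = [msg for ok, msg in checks if not ok]
        if name.startswith("perfmon://") and problems:
            findings[name] = problems
    return findings

if __name__ == "__main__":
    for stanza, problems in check_perfmon(SAMPLE).items():
        print(stanza, "->", "; ".join(problems))
```

If you use a custom index, pass its name in allowed_indexes so that it isn't reported as a problem.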

Last modified on 28 February, 2024

This documentation applies to the following versions of Splunk® IT Essentials Work: 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only, 4.10.3 Cloud only, 4.10.4 Cloud only, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.6, 4.12.0 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1

