Troubleshoot the Windows entity integration in ITE Work
Here are some common Windows integration issues and how to resolve them.
The Splunk universal forwarder isn't sending metrics data to Splunk
- Make sure the outputs.conf file on the universal forwarder is configured properly. Use the following Splunk CLI command to see active forwards:
$SPLUNK_HOME/bin/splunk list forward-server
- Make sure the correct version of the Splunk Add-on for Infrastructure is installed on indexers and heavy forwarders.
- Use the btool command to check inputs.conf perfmon configurations on the universal forwarder running on the monitored Windows machine. For more information, see Use btool to troubleshoot configurations in the Splunk Enterprise Troubleshooting Manual.
The following is a sample perfmon stanza:
[perfmon://CPU] counters = % C1 Time;% C2 Time;% Idle Time;% Processor Time;% User Time;% Privileged Time instances = * interval = 30 mode = single object = Processor index = itsi_im_metrics meta = os::"Microsoft Windows Server 2012 R2 Standard" entity_type::Windows_Host useEnglishOnly = true sourcetype = PerfmonMetrics:CPU disabled = 0
Mode, index, entity_type, meta, and sourcetype are important fields. Most of the issues you might encounter are due to conflicts in the inputs.conf perfmon stanzas in the Splunk Add-on for Windows or other apps.
Windows metrics data in index but there are no entities in ITE Work
- Make sure processor metrics are enabled and available for the monitored Windows host. Windows entity discovery uses the prefix
Processor.*
for metric names. Use mstats to look into metrics data. The metric_name in Splunk metrics index should look like this:Processor.%_Processor_Time
. - Make sure there's no data lag while indexing. If there's significant data lag, increase the monitoring_window for the
[ITSI Import Objects - Perfmon]
stanza in $SPLUNK_HOME/etc/apps/itsi/local/savedsearches.conf, then restart Splunk. - Make sure data is indexed in the itsi_im_metrics index. If you're using a custom index, make sure the
itsi_im_metrics_indexes
macro is updated to include the custom index used. For more information, see Use custom indexes in ITE Work. - Verify that entity discovery saved searches are enabled for the
[ITSI Import Objects - Perfmon]
stanza in $SPLUNK_HOME/etc/apps/itsi/local/savedsearches.conf.
Entities appear but the overview dashboards aren't populated
Check the meta
fields within perfmon stanzas in inputs.conf and verify that entity_type::Windows_Host
was added. See the sample inputs.conf file above.
Manually collect logs from a Windows host in ITE Work | About the VMware vSphere entity integration in ITE Work |
This documentation applies to the following versions of Splunk® IT Essentials Work: 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only, 4.10.3 Cloud only, 4.10.4 Cloud only, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.6, 4.12.0 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1
Feedback submitted, thanks!