Splunk® IT Essentials Work

Entity Integrations Manual

Manually collect metrics from a Windows host in ITSI

You can manually set up a universal forwarder to collect metrics from a Windows host. Manually configure metrics collection for a host when you meet at least one of these conditions:

  • You're collecting data from a host on a closed network with no internet access.
  • You already installed a universal forwarder on the host.
  • You don't have trusted URLs you can download the required packages from.

If you also want to manually collect log data from a Windows host, see Manually collect logs from a Windows host in ITSI.

Prerequisites

Requirement Description
Windows host See Windows operating system support.
Dependencies See Required Windows dependencies.
Administrator role

In Splunk Enterprise, you have to be a user with the admin role.

In Splunk Cloud Platform, you have to be a user with the sc_admin role.

Steps

Follow these steps to manually collect metrics from a windows host.

1. Install the universal forwarder on Windows

Install a universal forwarder on the host. For information about installing a universal forwarder, see Install a Windows universal forwarder from an installer in the Forwarder Manual.

If you already installed a universal forwarder, you can skip this step.

2. Get available Windows Performance Monitor (perfmon) counters

Use the typeperf command to get a list of the available perfmon counters.

To get a list of all available counters, run this command:

typeperf -q

To get a list of all available counters for a specific perfmon object, run this command:

typeperf -q objectName

where objectName is the object you want to view available counters for.

For more information about using the typeperf command on a Windows host, see typeperf on the Microsoft website.

3. Configure inputs.conf on the universal forwarder

Configure inputs.conf on the universal forwarder to set up receiving and specify perfmon objects to monitor in ITSI.

  1. Create the ${SPLUNK_HOME}\etc\apps\splunk_app_infra_uf_config directory if it doesn't already exist.
  2. Create inputs.conf at ${SPLUNK_HOME}\etc\apps\splunk_app_infra_uf_config\local\ if it doesn't already exist.
  3. Open inputs.conf with a text editor.
  4. Add a [perfmon://name] stanza for each perfmon object you want to collect data for. Include these values for the stanza parameters:
    Parameter Description
    counters Enter each counter you want to monitor for the object. Separate each counter with a semicolon. If you want to monitor all available counters, enter *.
    instances Enter each instance you want to collect counters for. If you want to monitor all available instances, enter *. An instance is also commonly known as a process.
    object Enter the perfmon object you want to monitor.
    mode Enter single. ITSI doesn't support the multikv mode.
    index Enter the index you use to collect metrics. By default, the index is itsi_im_metrics. If you want to use a custom index, see Use custom metric indexes in ITSI.
    interval How often, in seconds, to poll for new data.
    _meta Enter any other field-value pair as a custom dimension to identify the host. For example, datacenter::DC1
    useEnglishOnly Enter true. This enables you to enter counters and store them in indexes in English.
    sourcetype Enter PerfmonMetrics:metricName where metricName is the metric the object represents.
    disabled Enter 0 to enable the object.

    Here's an example stanza for the Processor object:

    [perfmon://CPU]
    counters = % C1 Time;% C2 Time;% Idle Time;% Processor Time;% User Time;% Privileged Time
    instances = *
    interval = 30
    mode = single
    object = Processor
    index = itsi_im_metrics
    useEnglishOnly = true
    sourcetype = PerfmonMetrics:CPU
    disabled = 0
    
    For more information about perfmon stanzas, see Performance Monitor in the Splunk Enterprise Admin Manual.
  5. When you're done, save and close the file.
  6. Restart splunkd. If you also need to configure outputs.conf in the next step, you can wait to restart splunkd until after you've configured outputs.conf as well.
    $SPLUNK_HOME\bin\splunk restart
    

4. Configure outputs.conf on the universal forwarder

Configure outputs.conf on the universal forwarder to define how the universal forwarder sends data to your Splunk platform deployment. If you've already done this, skip this step.

  1. Create the ${SPLUNK_HOME}\etc\apps\splunk_app_infra_uf_config directory if it doesn't already exist.
  2. Open outputs.conf with a text editor.
  3. Add a stanza to define a forwarding target group or a single receiving host, depending on your deployment. For more information, see Configuration levels for outputs.conf in the Splunk Universal Forwarder Forwarder Manual.
  4. Save and close outputs.conf.
  5. Restart splunkd.
    $SPLUNK_HOME\bin\splunk restart
    

Example inputs.conf file for a universal forwarder

[perfmon://CPU]
counters=% C1 Time;% C2 Time;% Idle Time;% Processor Time;% User Time;% Reserved Time;% Interrupt Time;% Privileged Time; Interrupts/sec
instances=*
object=Processor
mode=single
index=itsi_im_metrics
interval=60
sourcetype=PerfmonMetrics:CPU
disabled=false

[perfmon://LogicalDisk]
counters=Free Megabytes;% Free Space; Avg. Disk sec/Transfer
instances=*
object=LogicalDisk
mode=single
index=itsi_im_metrics
interval=60
sourcetype=PerfmonMetrics:LogicalDisk
disabled=false

[perfmon://Memory]
counters=Cache Bytes;% Committed Bytes In Use;Page Reads/sec;Pages Input/sec;Pages Output/sec;Committed Bytes;Available Bytes; Available MBytes
object=Memory
mode=single
index=itsi_im_metrics
interval=60
sourcetype=PerfmonMetrics:Memory
disabled=false

[perfmon://Network]
counters=Bytes Received/sec;Bytes Sent/sec;Packets Received/sec;Packets Sent/sec;Packets Received Errors;Packets Outbound Errors;Current Bandwidth
instances=*
object=Network Interface
mode=single
index=itsi_im_metrics
interval=60
sourcetype=PerfmonMetrics:Network
disabled=false

[perfmon://PhysicalDisk]
counters=% Disk Read Time;% Disk Write Time;Avg. Disk Queue Length;% Idle Time; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write
instances=*	
object=PhysicalDisk
mode=single
index=itsi_im_metrics
interval=60
sourcetype=PerfmonMetrics:PhysicalDisk
disabled=false

[perfmon://Process]
counters=% Processor Time;% User Time;% Privileged Time;Elapsed Time;ID Process;Virtual Bytes;Working Set;Private Bytes;IO Read Bytes/sec;IO Write Bytes/sec
instances=*
object=Process
mode=single
index=itsi_im_metrics
interval=60
sourcetype=PerfmonMetrics:Process
disabled=false

[perfmon://System]
counters = Processor Queue Length;Threads;System Up Time
instances = *
object = System
mode = single
index = itsi_im_metrics
interval = 60
sourcetype = PerfmonMetrics:System
disabled = false

Example outputs.conf file for a universal forwarder

[tcpout]
defaultGroup = splunk-app-infra-autolb-group

[tcpout:splunk-app-infra-autolb-group]
disabled = false
server = <monitoring_machine>:<receiver_port>
Setting Description
monitoring_machine The hostname or IP address of the Splunk Enterprise instance you want to send log data to.
receiver_port The port that your Splunk platform deployment uses to receive data.
Last modified on 24 September, 2024
Collect Windows metrics and logs with the data collection script in ITE Work   Manually collect logs from a Windows host in ITE Work

This documentation applies to the following versions of Splunk® IT Essentials Work: 4.18.0, 4.18.1, 4.19.0, 4.19.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters