Manually collect metrics from a Windows host in ITSI
You can manually set up a universal forwarder to collect metrics from a Windows host. Manually configure metrics collection for a host when you meet at least one of these conditions:
- You're collecting data from a host on a closed network with no internet access.
- You already installed a universal forwarder on the host.
- You don't have trusted URLs you can download the required packages from.
If you also want to manually collect log data from a Windows host, see Manually collect logs from a Windows host in ITSI.
Prerequisites
Requirement | Description |
---|---|
Windows host | See Windows operating system support. |
Dependencies | See Required Windows dependencies. |
Administrator role |
In Splunk Enterprise, you have to be a user with the In Splunk Cloud Platform, you have to be a user with the |
Steps
Follow these steps to manually collect metrics from a windows host.
1. Install the universal forwarder on Windows
Install a universal forwarder on the host. For information about installing a universal forwarder, see Install a Windows universal forwarder from an installer in the Forwarder Manual.
If you already installed a universal forwarder, you can skip this step.
2. Get available Windows Performance Monitor (perfmon) counters
Use the typeperf
command to get a list of the available perfmon counters.
To get a list of all available counters, run this command:
typeperf -q
To get a list of all available counters for a specific perfmon object, run this command:
typeperf -q objectName
where objectName
is the object you want to view available counters for.
For more information about using the typeperf
command on a Windows host, see typeperf on the Microsoft website.
3. Configure inputs.conf on the universal forwarder
Configure inputs.conf
on the universal forwarder to set up receiving and specify perfmon objects to monitor in ITSI.
- Create the
${SPLUNK_HOME}\etc\apps\splunk_app_infra_uf_config
directory if it doesn't already exist. - Create
inputs.conf
at${SPLUNK_HOME}\etc\apps\splunk_app_infra_uf_config\local\
if it doesn't already exist. - Open
inputs.conf
with a text editor. - Add a
[perfmon://name]
stanza for each perfmon object you want to collect data for. Include these values for the stanza parameters:Parameter Description counters Enter each counter you want to monitor for the object. Separate each counter with a semicolon. If you want to monitor all available counters, enter *
.instances Enter each instance you want to collect counters for. If you want to monitor all available instances, enter *
. An instance is also commonly known as a process.object Enter the perfmon object you want to monitor. mode Enter single
. ITSI doesn't support themultikv
mode.index Enter the index you use to collect metrics. By default, the index is itsi_im_metrics. If you want to use a custom index, see Use custom metric indexes in ITSI. interval How often, in seconds, to poll for new data. _meta Enter any other field-value pair as a custom dimension to identify the host. For example, datacenter::DC1
useEnglishOnly Enter true
. This enables you to enter counters and store them in indexes in English.sourcetype Enter PerfmonMetrics:metricName
wheremetricName
is the metric the object represents.disabled Enter 0
to enable the object.Here's an example stanza for the
Processor
object:For more information about perfmon stanzas, see Performance Monitor in the Splunk Enterprise Admin Manual.[perfmon://CPU] counters = % C1 Time;% C2 Time;% Idle Time;% Processor Time;% User Time;% Privileged Time instances = * interval = 30 mode = single object = Processor index = itsi_im_metrics useEnglishOnly = true sourcetype = PerfmonMetrics:CPU disabled = 0
- When you're done, save and close the file.
- Restart splunkd. If you also need to configure
outputs.conf
in the next step, you can wait to restart splunkd until after you've configuredoutputs.conf
as well.$SPLUNK_HOME\bin\splunk restart
4. Configure outputs.conf on the universal forwarder
Configure outputs.conf
on the universal forwarder to define how the universal forwarder sends data to your Splunk platform deployment. If you've already done this, skip this step.
- Create the
${SPLUNK_HOME}\etc\apps\splunk_app_infra_uf_config
directory if it doesn't already exist. - Open
outputs.conf
with a text editor. - Add a stanza to define a forwarding target group or a single receiving host, depending on your deployment. For more information, see Configuration levels for outputs.conf in the Splunk Universal Forwarder Forwarder Manual.
- Save and close
outputs.conf
. - Restart splunkd.
$SPLUNK_HOME\bin\splunk restart
Example inputs.conf file for a universal forwarder
[perfmon://CPU] counters=% C1 Time;% C2 Time;% Idle Time;% Processor Time;% User Time;% Reserved Time;% Interrupt Time;% Privileged Time; Interrupts/sec instances=* object=Processor mode=single index=itsi_im_metrics interval=60 sourcetype=PerfmonMetrics:CPU disabled=false [perfmon://LogicalDisk] counters=Free Megabytes;% Free Space; Avg. Disk sec/Transfer instances=* object=LogicalDisk mode=single index=itsi_im_metrics interval=60 sourcetype=PerfmonMetrics:LogicalDisk disabled=false [perfmon://Memory] counters=Cache Bytes;% Committed Bytes In Use;Page Reads/sec;Pages Input/sec;Pages Output/sec;Committed Bytes;Available Bytes; Available MBytes object=Memory mode=single index=itsi_im_metrics interval=60 sourcetype=PerfmonMetrics:Memory disabled=false [perfmon://Network] counters=Bytes Received/sec;Bytes Sent/sec;Packets Received/sec;Packets Sent/sec;Packets Received Errors;Packets Outbound Errors;Current Bandwidth instances=* object=Network Interface mode=single index=itsi_im_metrics interval=60 sourcetype=PerfmonMetrics:Network disabled=false [perfmon://PhysicalDisk] counters=% Disk Read Time;% Disk Write Time;Avg. Disk Queue Length;% Idle Time; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write instances=* object=PhysicalDisk mode=single index=itsi_im_metrics interval=60 sourcetype=PerfmonMetrics:PhysicalDisk disabled=false [perfmon://Process] counters=% Processor Time;% User Time;% Privileged Time;Elapsed Time;ID Process;Virtual Bytes;Working Set;Private Bytes;IO Read Bytes/sec;IO Write Bytes/sec instances=* object=Process mode=single index=itsi_im_metrics interval=60 sourcetype=PerfmonMetrics:Process disabled=false [perfmon://System] counters = Processor Queue Length;Threads;System Up Time instances = * object = System mode = single index = itsi_im_metrics interval = 60 sourcetype = PerfmonMetrics:System disabled = false
Example outputs.conf file for a universal forwarder
[tcpout] defaultGroup = splunk-app-infra-autolb-group [tcpout:splunk-app-infra-autolb-group] disabled = false server = <monitoring_machine>:<receiver_port>
Setting | Description |
---|---|
monitoring_machine
|
The hostname or IP address of the Splunk Enterprise instance you want to send log data to. |
receiver_port
|
The port that your Splunk platform deployment uses to receive data. |
Collect Windows metrics and logs with the data collection script in ITE Work | Manually collect logs from a Windows host in ITE Work |
This documentation applies to the following versions of Splunk® IT Essentials Work: 4.18.0, 4.18.1, 4.19.0, 4.19.1
Feedback submitted, thanks!