Splunk® IT Service Intelligence

Entity Integrations Manual

Troubleshoot the Windows entity integration in ITSI

Here are some common Windows integration issues and how to resolve them.

The Splunk universal forwarder isn't sending metrics data to Splunk

  • Make sure the outputs.conf file on the universal forwarder is configured properly. Use the following Splunk CLI command to see active forwards:
    $SPLUNK_HOME/bin/splunk list forward-server
  • Use the btool command to check inputs.conf perfmon configurations on the universal forwarder running on the monitored Windows machine. For more information, see Use btool to troubleshoot configurations in the Splunk Enterprise Troubleshooting Manual.

The following is a sample perfmon stanza:

counters = % C1 Time;% C2 Time;% Idle Time;% Processor Time;% User Time;% Privileged Time
instances = *
interval = 30
mode = single
object = Processor
index = itsi_im_metrics
_meta = os::"Microsoft Windows Server 2012 R2 Standard" entity_type::Windows_Host
useEnglishOnly = true
sourcetype = PerfmonMetrics:CPU
disabled = 0

Mode, index, entity_type, _meta, and sourcetype are important fields. Most of the issues you might encounter are due to conflicts in the inputs.conf perfmon stanzas in the Splunk Add-on for Windows or other apps.

Windows metrics data in index but there are no entities in ITSI

  • Make sure processor metrics are enabled and available for the monitored Windows host. Windows entity discovery uses the prefix Processor.* for metric names. Use mstats to look into metrics data. The metric_name in Splunk metrics index should look like this: Processor.%_Processor_Time.
  • Make sure there's no data lag while indexing. If there's significant data lag, increase the monitoring_window for the [ITSI Import Objects - Perfmon] stanza in $SPLUNK_HOME/etc/apps/itsi/local/savedsearches.conf, then restart Splunk.
  • Make sure data is indexed in the itsi_im_metrics index. If you're using a custom index, make sure the itsi_im_metrics_indexes macro is updated to include the custom index used. For more information, see Use custom indexes in ITSI.
  • Verify that entity discovery saved searches are enabled for the [ITSI Import Objects - Perfmon] stanza in $SPLUNK_HOME/etc/apps/itsi/local/savedsearches.conf.

Entities appear but the overview dashboards aren't populated

Check the _meta fields within perfmon stanzas in inputs.conf and verify that entity_type::Windows_Host was added. See the sample inputs.conf file above.

Last modified on 28 April, 2023
Stop collecting data from a Windows host in ITSI   About the VMware vSphere entity integration in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0, 4.18.1, 4.19.0

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters