
Manually collect metrics from a Windows host in ITSI
You can manually set up a universal forwarder to collect metrics from a Windows host. Manually configure metrics collection for a host when you meet at least one of these conditions:
- You're collecting data from a host on a closed network with no internet access.
- You already installed a universal forwarder on the host.
- You don't have trusted URLs you can download the required packages from.
If you also want to manually collect log data from a Windows host, see Manually collect logs from a Windows host in ITSI.
Prerequisites
Requirement | Description |
---|---|
Windows host | See Windows operating system support. |
Dependencies | See Required Windows dependencies. |
Administrator role | In Splunk Enterprise, you have to be a user with the In Splunk Cloud, you have to be a user with the |
Steps
Follow these steps to manually collect metrics from a Windows host.
1. Install the universal forwarder on Windows
Install a universal forwarder on the host. For information about installing a universal forwarder, see Install a Windows universal forwarder from an installer in the Forwarder Manual.
If you already installed a universal forwarder, you can skip this step.
2. Get available Windows Performance Monitor (perfmon) counters
Use the typeperf command to get a list of the available perfmon counters.
To get a list of all available counters, run this command:

    typeperf -q

To get a list of all available counters for a specific perfmon object, run this command:

    typeperf -q objectName

where objectName is the object you want to view available counters for.
For more information about using the typeperf command on a Windows host, see typeperf on the Microsoft website.
3. Configure inputs.conf on the universal forwarder
Configure inputs.conf on the universal forwarder to set up receiving and specify perfmon objects to monitor in Splunk IT Service Intelligence (ITSI).
- Create the ${SPLUNK_HOME}\etc\apps\splunk_app_infra_uf_config directory if it doesn't already exist.
- Create inputs.conf at ${SPLUNK_HOME}\etc\apps\splunk_app_infra_uf_config\local\ if it doesn't already exist.
- Open inputs.conf with a text editor.
- If you haven't already, add these stanzas to configure the host and receiving port:

    host = <monitoring_machine>
    [tcp://<receiver_port>]

Setting | Description |
---|---|
monitoring_machine | The hostname or IP address of the Splunk Enterprise instance you want to send log data to. |
receiver_port | The port that your Splunk platform deployment uses to receive data. |
- Add a [perfmon://name] stanza for each perfmon object you want to collect data for. Include these values for the stanza parameters:
Parameter | Description |
---|---|
counters | Enter each counter you want to monitor for the object. Separate each counter with a semicolon. If you want to monitor all available counters, enter *. |
instances | Enter each instance you want to collect counters for. If you want to monitor all available instances, enter *. An instance is also commonly known as a process. |
object | Enter the perfmon object you want to monitor. |
mode | Enter single. ITSI doesn't support the multikv mode. |
index | Enter the index you use to collect metrics. By default, the index is em_metrics. If you want to use a custom index, see Use custom metric indexes in ITSI. |
interval | How often, in seconds, to poll for new data. |
_meta | Enter entity_type::Windows_Host. Also enter any other field-value pair as a custom dimension to identify the host. |
useEnglishOnly | Enter true. This enables you to enter counters and store them in indexes in English. |
sourcetype | Enter PerfmonMetrics:metricName where metricName is the metric the object represents. |
disabled | Enter 0 to enable the object. |
Here's an example stanza for the Processor object:

    [perfmon://CPU]
    counters = % C1 Time;% C2 Time;% Idle Time;% Processor Time;% User Time;% Privileged Time
    instances = *
    interval = 30
    mode = single
    object = Processor
    index = em_metrics
    _meta = os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host
    useEnglishOnly = true
    sourcetype = PerfmonMetrics:CPU
    disabled = 0

For more information about perfmon stanzas, see Performance Monitor in the Splunk Enterprise Admin Manual.
- When you're done, save and close the file.
- Restart splunkd. If you also need to configure outputs.conf in the next step, you can wait to restart splunkd until after you've configured outputs.conf as well.

    $SPLUNK_HOME\bin\splunk restart

4. Configure outputs.conf on the universal forwarder
Configure outputs.conf on the universal forwarder to define how the universal forwarder sends data to your Splunk platform deployment. If you've already done this, skip this step.
- Create the ${SPLUNK_HOME}\etc\apps\splunk_app_infra_uf_config directory if it doesn't already exist.
- Open outputs.conf with a text editor.
- Add a stanza to define a forwarding target group or a single receiving host, depending on your deployment. For more information, see Configuration levels for outputs.conf in the Splunk Universal Forwarder Forwarder Manual.
- Save and close outputs.conf.
- Restart splunkd.

    $SPLUNK_HOME\bin\splunk restart

Example inputs.conf file for a universal forwarder

    [perfmon://CPU]
    counters = % C1 Time;% C2 Time;% Idle Time;% Processor Time;% User Time;% Privileged Time;% Reserved Time;% Interrupt Time
    instances = *
    interval = 30
    mode = single
    object = Processor
    index = em_metrics
    _meta = os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host
    useEnglishOnly = true
    sourcetype = PerfmonMetrics:CPU
    disabled = 0

    [perfmon://PhysicalDisk]
    counters = % Disk Read Time;% Disk Write Time
    instances = *
    interval = 30
    mode = single
    object = PhysicalDisk
    index = em_metrics
    _meta = os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host
    useEnglishOnly = true
    sourcetype = PerfmonMetrics:PhysicalDisk
    disabled = 0

    [perfmon://Network]
    counters = Bytes Received/sec;Bytes Sent/sec;Packets Received/sec;Packets Sent/sec;Packets Received Errors;Packets Outbound Errors
    instances = *
    interval = 30
    mode = single
    object = Network Interface
    index = em_metrics
    _meta = os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host
    useEnglishOnly = true
    sourcetype = PerfmonMetrics:Network
    disabled = 0

    [perfmon://Memory]
    counters = Cache Bytes;% Committed Bytes In Use;Page Reads/sec;Pages Input/sec;Pages Output/sec;Committed Bytes;Available Bytes
    interval = 30
    mode = single
    object = Memory
    index = em_metrics
    _meta = os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host
    useEnglishOnly = true
    sourcetype = PerfmonMetrics:Memory
    disabled = 0

    [perfmon://System]
    counters = Processor Queue Length;Threads;System Up Time
    instances = *
    interval = 30
    mode = single
    object = System
    index = em_metrics
    _meta = os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host
    useEnglishOnly = true
    sourcetype = PerfmonMetrics:System
    disabled = 0

    [perfmon://Process]
    counters = % Processor Time;% User Time;% Privileged Time;Elapsed Time;ID Process;Virtual Bytes;Working Set;Private Bytes;IO Read Bytes/sec;IO Write Bytes/sec
    instances = *
    interval = 30
    mode = single
    object = Process
    index = em_metrics
    _meta = os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host
    useEnglishOnly = true
    sourcetype = PerfmonMetrics:Process
    disabled = 0

    [perfmon://LogicalDisk]
    counters = Free Megabytes;% Free Space
    instances = *
    interval = 30
    mode = single
    object = LogicalDisk
    index = em_metrics
    _meta = os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host
    useEnglishOnly = true
    sourcetype = PerfmonMetrics:LogicalDisk
    disabled = 0

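The per-stanza values listed in the step 3 parameter table can be checked mechanically before you restart splunkd. The following Python linter is an added example, not part of the Splunk documentation or product; the function name lint_perfmon and the sample text are constructed for illustration, and it assumes the parameter table is the full set of rules to enforce.

```python
import configparser

# Exact values the step 3 parameter table asks for in every perfmon stanza.
FIXED = {"mode": "single", "useEnglishOnly": "true", "disabled": "0"}
# Must be present; instances is not enforced (the Memory stanza omits it).
PRESENT = ("counters", "object", "index", "interval", "_meta", "sourcetype")

def lint_perfmon(conf_text):
    """Return sorted (stanza, problem) pairs for [perfmon://...] stanzas."""
    cp = configparser.RawConfigParser(
        delimiters=("=",), comment_prefixes=("#",), strict=False)
    cp.optionxform = str  # keep setting names case-sensitive
    # Settings above the first stanza header are legal in Splunk .conf files;
    # park them in a throwaway section so configparser accepts the text.
    cp.read_string("[__global__]\n" + conf_text)
    problems = []
    for name in cp.sections():
        if not name.startswith("perfmon://"):
            continue
        s = cp[name]
        for key in PRESENT:
            if not s.get(key, "").strip():
                problems.append((name, f"missing {key}"))
        for key, want in FIXED.items():
            got = s.get(key, "").strip()
            if got.lower() != want:
                problems.append((name, f"{key} is {got!r}, expected {want!r}"))
        if "entity_type::Windows_Host" not in s.get("_meta", "").split():
            problems.append((name, "_meta lacks entity_type::Windows_Host"))
        if s.get("sourcetype") and not s["sourcetype"].startswith("PerfmonMetrics:"):
            problems.append((name, "sourcetype must start with PerfmonMetrics:"))
        if s.get("interval") and not s["interval"].strip().isdigit():
            problems.append((name, "interval is not a whole number of seconds"))
    return sorted(problems)

# Constructed sample modelled on the CPU stanza, plus a copy broken on purpose.
GOOD = """[perfmon://CPU]
counters = % Processor Time;% User Time
interval = 30
mode = single
object = Processor
index = em_metrics
_meta = os_version::6.3.9600 entity_type::Windows_Host
useEnglishOnly = true
sourcetype = PerfmonMetrics:CPU
disabled = 0
"""
BAD = GOOD.replace("= single", "= multikv").replace(" entity_type::Windows_Host", "")
print(lint_perfmon(BAD))
```

To check a real file, pass the contents of inputs.conf from the local directory created in step 3 to lint_perfmon; an empty list means every perfmon stanza matches the table.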
Example outputs.conf file for a universal forwarder

    [tcpout]
    defaultGroup = splunk-app-infra-autolb-group

    [tcpout:splunk-app-infra-autolb-group]
    disabled = false
    server = <monitoring_machine>:<receiver_port>

Setting | Description |
---|---|
monitoring_machine | The hostname or IP address of the Splunk Enterprise instance you want to send log data to. |
receiver_port | The port that your Splunk platform deployment uses to receive data. |
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.6.0 Cloud only, 4.6.1 Cloud only, 4.6.2 Cloud only, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.8.0 Cloud only, 4.8.1 Cloud only