Troubleshoot the Windows entity integration in ITSI
Here are some common Windows integration issues and how to resolve them.
The Splunk universal forwarder isn't sending metrics data to Splunk
- Make sure the outputs.conf file on the universal forwarder is configured properly. Use the following Splunk CLI command to see active forwards:
$SPLUNK_HOME/bin/splunk list forward-server
- Make sure the correct version of the Splunk Add-on for Infrastructure is installed on indexers and heavy forwarders.
- Use the btool command to check inputs.conf perfmon configurations on the universal forwarder running on the monitored Windows machine. For more information, see Use btool to troubleshoot configurations in the Splunk Enterprise Troubleshooting Manual.
The following is a sample perfmon stanza:
[perfmon://CPU] counters = % C1 Time;% C2 Time;% Idle Time;% Processor Time;% User Time;% Privileged Time instances = * interval = 30 mode = single object = Processor index = em_metrics meta = os::"Microsoft Windows Server 2012 R2 Standard" entity_type::Windows_Host useEnglishOnly = true sourcetype = PerfmonMetrics:CPU disabled = 0
Mode, index, entity_type, meta, and sourcetype are important fields. Most of the issues you might encounter are due to conflicts in the inputs.conf perfmon stanzas in the Splunk Add-on for Windows or other apps.
Windows metrics data in index but there are no entities in ITSI
- Make sure processor metrics are enabled and available for the monitored Windows host. Windows entity discovery uses the prefix
Processor.*for metric names. Use mstats to look into metrics data. The metric_name in Splunk metrics index should look like this:
- Make sure there's no data lag while indexing. If there's significant data lag, increase the monitoring_window for the
[perfmon]stanza in entity_classes.conf, then restart Splunk.
- Make sure data is indexed in the em_metrics index. If you're using a custom index, make sure the sai_metrics_indexes macro is updated to include the custom index used. For more information, see Use custom metric indexes in Splunk App for Infrastructure in the Administer Splunk App for Infrastructure manual.
- Verify that entity discovery saved searches are enabled for the
[Entity Class - perfmon]stanza in $SPLUNK_HOME/etc/apps/splunk_app_infrastructure/local/savedsearches.conf.
Entities appear but the overview dashboards aren't populated
meta fields within perfmon stanzas in inputs.conf and verify that
entity_type::Windows_Host was added. See the sample inputs.conf file above.
Entities appear in SAI but not in ITSI
Make sure the SAI entity integration in enabled. Entity discovery occurs in SAI and entities are sent to ITSI through the message bus. For more information, see Integrate the Splunk App for Infrastructure with ITSI.
Stop collecting data from a Windows host in ITSI
About the VMware vSphere entity integration in ITSI
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.6.0 Cloud only, 4.6.1 Cloud only, 4.6.2 Cloud only, 4.7.0, 4.7.1, 4.7.2, 4.8.0 Cloud only, 4.8.1 Cloud only, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only