Splunk® IT Service Intelligence

Entity Integrations Manual

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Troubleshoot the Windows entity integration in ITSI

Here are some common Windows integration issues and how to resolve them.

The Splunk universal forwarder isn't sending metrics data to Splunk

  • Make sure the outputs.conf file on the universal forwarder is configured properly. Use the following Splunk CLI command to see active forwards:
    $SPLUNK_HOME/bin/splunk list forward-server
  • Make sure the correct version of the Splunk Add-on for Infrastructure is installed on indexers and heavy forwarders.
  • Use the btool command to check inputs.conf perfmon configurations on the universal forwarder running on the monitored Windows machine. For more information, see Use btool to troubleshoot configurations in the Splunk Enterprise Troubleshooting Manual.

The following is a sample perfmon stanza:

[perfmon://CPU]
counters = % C1 Time;% C2 Time;% Idle Time;% Processor Time;% User Time;% Privileged Time
instances = *
interval = 30
mode = single
object = Processor
index = em_metrics
meta = os::"Microsoft Windows Server 2012 R2 Standard" entity_type::Windows_Host
useEnglishOnly = true
sourcetype = PerfmonMetrics:CPU
disabled = 0

Mode, index, entity_type, meta, and sourcetype are important fields. Most of the issues you might encounter are due to conflicts in the inputs.conf perfmon stanzas in the Splunk Add-on for Windows or other apps.

Windows metrics data in index but there are no entities in ITSI

  • Make sure processor metrics are enabled and available for the monitored Windows host. Windows entity discovery uses the prefix Processor.* for metric names. Use mstats to look into metrics data. The metric_name in Splunk metrics index should look like this: Processor.%_Processor_Time.
  • Make sure there's no data lag while indexing. If there's significant data lag, increase the monitoring_window for the [perfmon] stanza in entity_classes.conf, then restart Splunk.
  • Make sure data is indexed in the em_metrics index. If you're using a custom index, make sure the sai_metrics_indexes macro is updated to include the custom index used. For more information, see Use custom metric indexes in Splunk App for Infrastructure in the Administer Splunk App for Infrastructure manual.
  • Verify that entity discovery saved searches are enabled for the [Entity Class - perfmon] stanza in $SPLUNK_HOME/etc/apps/splunk_app_infrastructure/local/savedsearches.conf.

Entities appear but the overview dashboards aren't populated

Check the meta fields within perfmon stanzas in inputs.conf and verify that entity_type::Windows_Host was added. See the sample inputs.conf file above.

Entities appear in SAI but not in ITSI

Make sure the SAI entity integration in enabled. Entity discovery occurs in SAI and entities are sent to ITSI through the message bus. For more information, see Integrate the Splunk App for Infrastructure with ITSI.

Last modified on 27 July, 2020
PREVIOUS
Stop collecting data from a Windows host in ITSI
  NEXT
About the VMware vSphere entity integration in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.6.0 Cloud only, 4.6.1 Cloud only, 4.6.2 Cloud only, 4.7.0, 4.7.1, 4.7.2, 4.8.0 Cloud only, 4.8.1 Cloud only, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters