Splunk® IT Service Intelligence

Entity Integrations Manual


Manually collect metrics from a Windows host in ITSI

You can manually set up a universal forwarder to collect metrics from a Windows host. Manually configure metrics collection for a host when you meet at least one of these conditions:

  • You're collecting data from a host on a closed network with no internet access.
  • You already installed a universal forwarder on the host.
  • You don't have trusted URLs you can download the required packages from.

If you also want to manually collect log data from a Windows host, see Manually collect logs from a Windows host in ITSI.

Prerequisites

  • Windows host: See Windows operating system support.
  • Dependencies: See Required Windows dependencies.
  • Administrator role: In Splunk Enterprise, you have to be a user with the admin role. In Splunk Cloud Platform, you have to be a user with the sc_admin role.

Steps

Follow these steps to manually collect metrics from a Windows host.

1. Install the universal forwarder on Windows

Install a universal forwarder on the host. For information about installing a universal forwarder, see Install a Windows universal forwarder from an installer in the Forwarder Manual.

If you already installed a universal forwarder, you can skip this step.

2. Get available Windows Performance Monitor (perfmon) counters

Use the typeperf command to get a list of the available perfmon counters.

To get a list of all available counters, run this command:

typeperf -q

To get a list of all available counters for a specific perfmon object, run this command:

typeperf -q objectName

where objectName is the object you want to view available counters for.

For more information about using the typeperf command on a Windows host, see typeperf on the Microsoft website.

3. Configure inputs.conf on the universal forwarder

Configure inputs.conf on the universal forwarder to set up receiving and specify perfmon objects to monitor in Splunk IT Service Intelligence (ITSI).

  1. Create the ${SPLUNK_HOME}\etc\apps\splunk_app_infra_uf_config directory if it doesn't already exist.
  2. Create inputs.conf at ${SPLUNK_HOME}\etc\apps\splunk_app_infra_uf_config\local\ if it doesn't already exist.
  3. Open inputs.conf with a text editor.
  4. If you haven't already, add these stanzas to configure the host and receiving port:
    host = <monitoring_machine>

    [tcp://<receiver_port>]

    • monitoring_machine: The hostname or IP address of the Splunk Enterprise instance you want to send log data to.
    • receiver_port: The port that your Splunk platform deployment uses to receive data.
  5. Add a [perfmon://name] stanza for each perfmon object you want to collect data for. Include these values for the stanza parameters:
    • counters: Enter each counter you want to monitor for the object. Separate each counter with a semicolon. If you want to monitor all available counters, enter *.
    • instances: Enter each instance you want to collect counters for. If you want to monitor all available instances, enter *. An instance is also commonly known as a process.
    • object: Enter the perfmon object you want to monitor.
    • mode: Enter single. ITSI doesn't support the multikv mode.
    • index: Enter the index you use to collect metrics. By default, the index is itsi_im_metrics. If you want to use a custom index, see Use custom metric indexes in ITSI.
    • interval: How often, in seconds, to poll for new data.
    • _meta: Enter any other field-value pair as a custom dimension to identify the host. This also can be used to add static dimensions to every input, which can be used to filter data in ITSI.
    • useEnglishOnly: Enter true. This enables you to enter counters and store them in indexes in English.
    • sourcetype: Enter PerfmonMetrics:metricName where metricName is the metric the object represents.
    • disabled: Enter 0 to enable the object.

    Here's an example stanza for the Processor object:

    [perfmon://CPU]
    counters = % C1 Time;% C2 Time;% Idle Time;% Processor Time;% User Time;% Privileged Time
    instances = *
    interval = 30
    mode = single
    object = Processor
    index = itsi_im_metrics
    _meta = os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600
    useEnglishOnly = true
    sourcetype = PerfmonMetrics:CPU
    disabled = 0
    
    For more information about perfmon stanzas, see Performance Monitor in the Splunk Enterprise Admin Manual.
  6. When you're done, save and close the file.
  7. Restart splunkd. If you also need to configure outputs.conf in the next step, you can wait to restart splunkd until after you've configured outputs.conf as well.
    $SPLUNK_HOME\bin\splunk restart
    

4. Configure outputs.conf on the universal forwarder

Configure outputs.conf on the universal forwarder to define how the universal forwarder sends data to your Splunk platform deployment. If you've already done this, skip this step.

  1. Create the ${SPLUNK_HOME}\etc\apps\splunk_app_infra_uf_config directory if it doesn't already exist.
  2. Open outputs.conf with a text editor.
  3. Add a stanza to define a forwarding target group or a single receiving host, depending on your deployment. For more information, see Configuration levels for outputs.conf in the Forwarder Manual for the Splunk Universal Forwarder.
  4. Save and close outputs.conf.
  5. Restart splunkd.
    $SPLUNK_HOME\bin\splunk restart
    

Example inputs.conf file for a universal forwarder

[perfmon://CPU]
counters=% C1 Time;% C2 Time;% Idle Time;% Processor Time;% User Time;% Reserved Time;% Interrupt Time;% Privileged Time;
instances=*
object=Processor
mode=single
index=itsi_im_metrics
interval=60
_meta = entity_type::Windows_Host
sourcetype=PerfmonMetrics:CPU
disabled=false

[perfmon://LogicalDisk]
counters=Free Megabytes;% Free Space;
instances=*
object=LogicalDisk
mode=single
index=itsi_im_metrics
interval=60
_meta = entity_type::Windows_Host
sourcetype=PerfmonMetrics:LogicalDisk
disabled=false

[perfmon://Memory]
counters=Cache Bytes;% Committed Bytes In Use;Page Reads/sec;Pages Input/sec;Pages Output/sec;Committed Bytes;Available Bytes
object=Memory
mode=single
index=itsi_im_metrics
interval=60
_meta = entity_type::Windows_Host
sourcetype=PerfmonMetrics:Memory
disabled=false

[perfmon://Network]
counters=Bytes Received/sec;Bytes Sent/sec;Packets Received/sec;Packets Sent/sec;Packets Received Errors;Packets Outbound Errors;
instances=*
object=Network Interface
mode=single
index=itsi_im_metrics
interval=60
_meta = entity_type::Windows_Host
sourcetype=PerfmonMetrics:Network
disabled=false

[perfmon://PhysicalDisk]
counters=% Disk Read Time;% Disk Write Time;
instances=*
object=PhysicalDisk
mode=single
index=itsi_im_metrics
interval=60
_meta = entity_type::Windows_Host
sourcetype=PerfmonMetrics:PhysicalDisk
disabled=false

[perfmon://Process]
counters=% Processor Time;% User Time;% Privileged Time;Elapsed Time;ID Process;Virtual Bytes;Working Set;Private Bytes;IO Read Bytes/sec;IO Write Bytes/sec;
instances=*
object=Process
mode=single
index=itsi_im_metrics
interval=60
_meta = entity_type::Windows_Host
sourcetype=PerfmonMetrics:Process
disabled=false

[perfmon://System]
counters = Processor Queue Length;Threads;System Up Time
instances = *
object = System
mode = single
index = itsi_im_metrics
interval = 60
_meta = entity_type::Windows_Host
sourcetype = PerfmonMetrics:System
disabled = false
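
A check for the [perfmon://name] rules from step 3, added here as an example and not part of Splunk's documentation or tooling: a small Python linter that parses inputs.conf text and reports perfmon stanzas whose values break the documented ones, so a metric that would silently never reach ITSI is caught before the forwarder restarts. The function names, the RULES table and the sample stanzas are constructed for this example; accepting false as well as 0 for disabled follows the example file above.

```python
import re

# Constructed sample: the CPU stanza follows the rules, the Memory stanza breaks five.
SAMPLE = r"""
[perfmon://CPU]
counters = % Processor Time;% User Time
object = Processor
mode = single
index = itsi_im_metrics
interval = 60
sourcetype = PerfmonMetrics:CPU
disabled = 0

[perfmon://Memory]
counters = Available Bytes
object = Memory
mode = multikv
interval = 0
sourcetype = Perfmon:Memory
disabled = 1
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; lines before the first header are skipped."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

RULES = [  # (key, check on the value, message), from the parameter list in step 3
    *[(k, bool, f"missing {k}") for k in ("object", "counters", "index")],
    ("mode", lambda v: v == "single", "mode must be single; ITSI doesn't support multikv"),
    ("interval", lambda v: v.isdigit() and int(v) > 0, "interval must be a positive number of seconds"),
    ("sourcetype", lambda v: re.fullmatch(r"PerfmonMetrics:\S+", v) is not None, "sourcetype must be PerfmonMetrics:<metricName>"),
    ("disabled", lambda v: v.lower() in ("0", "false"), "disabled must be 0 (or false) to enable the object"),
]

def lint_perfmon(text):
    """Return (stanza, message) for every perfmon stanza setting that breaks a rule."""
    return [(name, msg)
            for name, kv in parse_conf(text).items() if name.startswith("perfmon://")
            for key, ok, msg in RULES if not ok(kv.get(key, ""))]

if __name__ == "__main__":
    print("\n".join(f"{s}: {m}" for s, m in lint_perfmon(SAMPLE)))
```

To check a real file, pass its contents to lint_perfmon instead of SAMPLE.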

Example outputs.conf file for a universal forwarder

[tcpout]
defaultGroup = splunk-app-infra-autolb-group

[tcpout:splunk-app-infra-autolb-group]
disabled = false
server = <monitoring_machine>:<receiver_port>

  • monitoring_machine: The hostname or IP address of the Splunk Enterprise instance you want to send log data to.
  • receiver_port: The port that your Splunk platform deployment uses to receive data.

Last modified on 03 November, 2021

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only

