Manually configure metrics and log collection for Windows on Splunk App for Infrastructure
To collect performance metrics and log collection, you need to set up data collection using a universal forwarder. The universal forwarder collects data from a data source and sends the data to your Splunk deployment.
In Splunk Insights for Infrastructure, use the Add Data page to set up a script to configure the universal forwarder for metrics and log collection. This script only works on single-instance deployments, and does not work if you have existing universal forwarders configured. If this is the case, you need to manually install the universal forwarder and data inputs. Manual installation can also be required if you work on a closed network, or do not have trusted URLs to download the universal forwarder package from.
Use the steps in this section to manually install and configure the universal forwarder, and configure data inputs to collect performance metrics and log collection.
1. Install the universal forwarder on Windows
To manually install and configure the universal forwarder on Windows, see Install a Windows universal forwarder from an installer in the Forwarder Manual.
When installing the universal forwarder, confirm that you:
- Use the forwarder default options.
- During installation, set the receiving indexer to <SII/SAI instance>:9997, that is, the host name or IP address of the receiving indexer and the receiving port to which you want the universal forwarder to send data.
- Set up inputs.conf for the universal forwarder and place it in this location: ${SPLUNK_HOME}\etc\apps\splunk_app_infra_uf_config\local\inputs.conf
2. Get available Perfmon Counters for Performance Metrics
The following list shows the performance counters available on a machine (the list on your machine might vary). For performance metrics, use the typeperf command to get the list of available performance counters. In the example below:
- Processor is the object
- % Processor Time and % User Time are the counters
Typeperf -q displays all the counters. Typeperf -q <Object Name> displays the counters for a particular Perfmon object. For example:
> Typeperf -q Processor
\Processor(*)\% Processor Time
\Processor(*)\% User Time
\Processor(*)\% Privileged Time
\Processor(*)\Interrupts/sec
\Processor(*)\% DPC Time
\Processor(*)\% Interrupt Time
\Processor(*)\DPCs Queued/sec
\Processor(*)\DPC Rate
\Processor(*)\% Idle Time
\Processor(*)\% C1 Time
\Processor(*)\% C2 Time
\Processor(*)\% C3 Time
\Processor(*)\C1 Transitions/sec
\Processor(*)\C2 Transitions/sec
\Processor(*)\C3 Transitions/sec
3. Add Perfmon objects in inputs.conf
For each Perfmon object you want to collect, add a stanza with the following settings:
- counters: List counters you want to monitor for this object.
- instances: Use '*' to monitor all available instances, or specify a single instance or multiple instances.
- object: Valid Perfmon object name.
- index = em_metrics is required in each stanza.
- interval: How often, in seconds, to poll for new data.
- _meta: Add entity_type::Windows_Host and any custom dimensions to identify this entity.
For the Processor object, a valid perfmon stanza in inputs.conf might look like the following. The example uses default performance counters for the "Processor" object: one stanza for Processor, polled every 30 seconds, with the selected counters you are monitoring (there are 8 default counters, as shown above).
[perfmon://CPU Load]
counters = % C1 Time;% C2 Time;% Idle Time;% Processor Time;% User Time;% Privileged Time
instances = *
interval = 30
object = Processor
index = em_metrics
_meta = os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host
See the "Performance Monitor" section on this page for detailed information about these settings: http://docs.splunk.com/Documentation/Splunk/7.1.2/Admin/Inputsconf#Performance_Monitor
4. Collect Windows Event Logs
Add stanzas for the required Windows Event Logs: Application, Security, System, Setup, and so on. For the "Application" Windows Event Log, a valid stanza in inputs.conf might look like:
[WinEventLog://Application]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest
See the "Windows Event Log Monitor" section on this page for more details: http://docs.splunk.com/Documentation/Splunk/7.1.2/Admin/Inputsconf#Windows_Event_Log_Monitor
5. Monitor Files for Log Collection
Add stanzas to inputs.conf to monitor files. A monitor stanza for the universal forwarder log files looks like:
[monitor://$SPLUNK_HOME\var\log\splunk\*.log*]
sourcetype = uf
disabled = false
See the "MONITOR:" section on this page for more details: http://docs.splunk.com/Documentation/Splunk/7.1.2/Admin/Inputsconf#MONITOR:
Sample inputs.conf file for metrics and logs collection
[perfmon://CPU Load]
counters = % C1 Time;% C2 Time;% Idle Time;% Processor Time;% User Time;% Privileged Time;% Reserved Time;% Interrupt Time
instances = *
interval = 30
object = Processor
index = em_metrics
_meta = os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host

[perfmon://Physical Disk]
counters = % Disk Read Time;% Disk Write Time
instances = *
interval = 30
object = PhysicalDisk
index = em_metrics
_meta = os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host

[perfmon://Network Interface]
counters = Bytes Received/sec;Bytes Sent/sec;Packets Received/sec;Packets Sent/sec;Packets Received Errors;Packets Outbound Errors
instances = *
interval = 30
object = Network Interface
index = em_metrics
_meta = os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host

[perfmon://Available Memory]
counters = Cache Bytes;% Committed Bytes In Use;Page Reads/sec;Pages Input/sec;Pages Output/sec;Committed Bytes;Available Bytes
interval = 30
object = Memory
index = em_metrics
_meta = os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host

[perfmon://System]
counters = Processor Queue Length;Threads
instances = *
interval = 30
object = System
index = em_metrics
_meta = os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host

[perfmon://Process]
counters = % Processor Time;% User Time;% Privileged Time
instances = *
interval = 30
object = Process
index = em_metrics
_meta = os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host

[perfmon://Free Disk Space]
counters = Free Megabytes;% Free Space
instances = *
interval = 30
object = LogicalDisk
index = em_metrics
_meta = os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host

[monitor://$SPLUNK_HOME\var\log\splunk\*.log*]
sourcetype = uf
disabled = false

[WinEventLog://Application]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest

[WinEventLog://Security]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest

[WinEventLog://System]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest

[WinEventLog://Setup]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest
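As an added example that is not part of the Splunk documentation, the following Python script parses an inputs.conf and checks every perfmon:// stanza against the settings required in step 3 (index = em_metrics, a whole-number interval, and entity_type::Windows_Host in _meta), so a hand-edited file can be checked before the forwarder is restarted. The sample inputs.conf is constructed inline and the function names are my own.

```python
import configparser

# Settings every perfmon:// stanza needs for Splunk App for Infrastructure
REQUIRED = ("counters", "object", "interval", "index", "_meta")

# Constructed sample: the page's CPU stanza, plus a disk stanza that sends
# metrics to the wrong index, has a non-numeric interval and lacks entity_type.
SAMPLE_INPUTS_CONF = """
[perfmon://CPU Load]
counters = % Processor Time;% User Time;% Privileged Time
instances = *
interval = 30
object = Processor
index = em_metrics
_meta = os::"Microsoft Windows Server 2012 R2 Standard" entity_type::Windows_Host

[perfmon://Physical Disk]
counters = % Disk Read Time;% Disk Write Time
instances = *
interval = thirty
object = PhysicalDisk
index = main
_meta = os::"Microsoft Windows Server 2012 R2 Standard"
"""

def parse_inputs_conf(text):
    # Splunk .conf files are INI-like; keep key case and do not interpolate '%'
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def check_perfmon_stanza(s):
    """Return the list of problems found in one perfmon:// stanza."""
    problems = [f"missing {k}" for k in REQUIRED if k not in s]
    if s.get("index") != "em_metrics":
        problems.append("index must be em_metrics")
    if not s.get("interval", "").isdigit():
        problems.append("interval must be a whole number of seconds")
    if "entity_type::Windows_Host" not in s.get("_meta", ""):
        problems.append("_meta must include entity_type::Windows_Host")
    if not [c for c in s.get("counters", "").split(";") if c.strip()]:
        problems.append("counters is empty")
    return problems

def validate(text):
    """Map each perfmon:// stanza name to its problems (empty list = OK)."""
    return {n: check_perfmon_stanza(s)
            for n, s in parse_inputs_conf(text).items()
            if n.startswith("perfmon://")}
```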
This documentation applies to the following versions of Splunk® App for Infrastructure (Legacy): 1.2.0, 1.2.1, 1.2.2, 1.2.3