Splunk® App for Infrastructure (Legacy)

Administer Splunk App for Infrastructure

This documentation does not apply to the most recent version of Splunk® App for Infrastructure (Legacy). For documentation on the most recent version, go to the latest release.

Manually configure metrics and log collection for Windows on Splunk App for Infrastructure

To collect performance metrics and log collection, you need to set up data collection using a universal forwarder. The universal forwarder collects data from a data source and sends the data to your Splunk deployment.

In Splunk Insights for Infrastructure, use the Add Data page to set up a script to configure the universal forwarder for metrics and log collection. This script only works on single-instance deployments, and does not work if you have existing universal forwarders configured. If this is the case, you need to manually install the universal forwarder and data inputs. Manual installation can also be required if you work on a closed network, or do not have trusted URLs to download the universal forwarder package from.

Use the steps in this section to manually install and configure the universal forwarder, and configure data inputs to collect performance metrics and log collection.

1. Install the universal forwarder on Windows

To manually install and configure the universal forwarder on Windows, see Install a Windows universal forwarder from an installer in the Forwarder Manual.

When installing the universal forwarder, confirm that you:

  • Use the forwarder default options.
  • During installation process, set the Receiving indexer (<SII/SAI instance>:9997). For example, host name or IP address and the receiving port for the receiving indexer that you want the universal forwarder to send data.
  • Set up inputs.conf for the universal forwarder and place in this location: ${SPLUNK_HOME}\etc\apps\splunk_app_infra_uf_config\local\inputs.conf

2. Get available Perfmon Counters for Performance Metrics

The following list is available perform counters that are available in your machine (might vary). For performance metrics, use the typeperf command to get the list of available performance counters.

  • Processor is the object
  • % Processor Time and % User Time are the counters
Typeperf  -q  displays all the counters
Typeperf -q <Object Name> to display counters for a particular Perfmon object
> Typeperf -q Processor
\Processor(*)\% Processor Time
\Processor(*)\% User Time
\Processor(*)\% Privileged Time
\Processor(*)\Interrupts/sec
\Processor(*)\% DPC Time
\Processor(*)\% Interrupt Time
\Processor(*)\DPCs Queued/sec
\Processor(*)\DPC Rate
\Processor(*)\% Idle Time
\Processor(*)\% C1 Time
\Processor(*)\% C2 Time
\Processor(*)\% C3 Time
\Processor(*)\C1 Transitions/sec
\Processor(*)\C2 Transitions/sec
\Processor(*)\C3 Transitions/sec

3. Add Perfmon objects in inputs.conf

For each Perfmon object you want to collect, add a stanza with the following settings:

    • counters: List counters you want to monitor for this object.
    • instances: Use '*' to monitor all available instances. Or, specify single or multiple instances.
    • object: Valid Perfmon object name.
    • index = em_metrics is required in each stanza.
    • interval: How often, in seconds, to poll for new data.
    • _meta: Add entity_type::Windows_Host and any custom dimensions to identify this entity.

For Processor object, a valid perfmon stanza in inputs.conf might look like this. The example uses default perform counters for "Processor" object. The following is one stanza for processor, sending every 30 seconds, with selected counters you are monitoring. (there are 8 default counters, as shown above).

[perfmon://CPU Load]
counters = % C1 Time;% C2 Time;% Idle Time;% Processor Time;% User Time;% Privileged Time
instances = *
interval = 30
object = Processor
index = em_metrics
_meta =  os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host

See "Performance Monitor" section on this page to get detailed information about these settings:
http://docs.splunk.com/Documentation/Splunk/7.1.2/Admin/Inputsconf#Performance_Monitor

4. Collect Windows Event Logs

Add stanzas for the required Windows Event logs: Application, Security, System, Setup etc. For "Application" Windows Event Logs", a valid stanza in inputs.conf might look like:

[WinEventLog://Application]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest

See "Windows Event Log Monitor" section in this page for more details: http://docs.splunk.com/Documentation/Splunk/7.1.2/Admin/Inputsconf#Windows_Event_Log_Monitor

5. Monitor Files for Log Collection

Add stanzas to monitor some files in inputs.conf. A monitor stanza for the Universal Forwarder log files will look like:

[monitor://$SPLUNK_HOME\var\log\splunk\*.log*]
sourcetype = uf
disabled = false

See "MONITOR:" section in this page for more details: http://docs.splunk.com/Documentation/Splunk/7.1.2/Admin/Inputsconf#MONITOR:

Sample inputs.conf file for metrics and logs collection

[perfmon://CPU Load]
counters = % C1 Time;% C2 Time;% Idle Time;% Processor Time;% User Time;% Privileged Time;% Reserved Time;% Interrupt Time
instances = *
interval = 30
object = Processor
index = em_metrics
_meta =  os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host

[perfmon://Physical Disk]
counters = % Disk Read Time;% Disk Write Time
instances = *
interval = 30
object = PhysicalDisk
index = em_metrics
_meta =  os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host

[perfmon://Network Interface]
counters = Bytes Received/sec;Bytes Sent/sec;Packets Received/sec;Packets Sent/sec;Packets Received Errors;Packets Outbound Errors
instances = *
interval = 30
object = Network Interface
index = em_metrics
_meta =  os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host

[perfmon://Available Memory]
counters = Cache Bytes;% Committed Bytes In Use;Page Reads/sec;Pages Input/sec;Pages Output/sec;Committed Bytes;Available Bytes
interval = 30
object = Memory
index = em_metrics
_meta =  os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host

[perfmon://System]
counters = Processor Queue Length;Threads
instances = *
interval = 30
object = System
index = em_metrics
_meta =  os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host

[perfmon://Process]
counters = % Processor Time;% User Time;% Privileged Time
instances = *
interval = 30
object = Process
index = em_metrics
_meta =  os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host

[perfmon://Free Disk Space]
counters = Free Megabytes;% Free Space
instances = *
interval = 30
object = LogicalDisk
index = em_metrics
_meta =  os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host

 [monitor://$SPLUNK_HOME\var\log\splunk\*.log*]
sourcetype = uf
disabled = false

[WinEventLog://Application]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest

[WinEventLog://Security]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest

[WinEventLog://System]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest

 [WinEventLog://Setup]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest
Last modified on 21 March, 2019
About using collectd   Manually configure log collection for *nix on Splunk App for Infrastructure

This documentation applies to the following versions of Splunk® App for Infrastructure (Legacy): 1.2.0, 1.2.1, 1.2.2, 1.2.3


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters