Manually configure metrics and log collection for a Windows host for Splunk App for Infrastructure
To collect performance metrics and logs, you need to set up data collection using a universal forwarder. The universal forwarder collects data from a data source and sends the data to your Splunk deployment.
In the Splunk App for Infrastructure, use the Add Data page to set up a script that configures the universal forwarder for metrics and log collection. This script only works on single-instance Windows deployments, and does not work if you already have universal forwarders configured. If that is the case, you need to install the universal forwarder and set up the data inputs manually. Manual installation can also be required if you work on a closed network, or do not have trusted URLs to download the universal forwarder package from.
Use the steps in this section to manually install and configure the universal forwarder, and to configure the data inputs that collect performance metrics and logs.
For information about stopping or removing the universal forwarder for metrics and logs collection on the Splunk App for Infrastructure, see Uninstall the universal forwarder in the Forwarder Manual.
1. Install the universal forwarder on Windows
To manually install and configure the universal forwarder on Windows, see Install a Windows universal forwarder from an installer in the Forwarder Manual.
When installing the universal forwarder, confirm that you:
- Use the forwarder default options.
- Set the receiving indexer during the installation process: the hostname or IP address and the receiving port of the indexer that you want the universal forwarder to send data to.
- Create the ${SPLUNK_HOME}\etc\apps\splunk_app_infra_uf_config directory if it does not already exist.
- Set up inputs.conf for the universal forwarder and place the file in this location: ${SPLUNK_HOME}\etc\apps\splunk_app_infra_uf_config\local\inputs.conf
2. Get available perfmon counters for metrics
The following is an example of the Perfmon counters available on a machine (the list on your machine might vary). For performance metrics, use the typeperf command to get the list of available performance counters. In a counter path such as \Processor(*)\% Processor Time:
- Processor is the object
- % Processor Time and % User Time are the counters
typeperf -q displays all the counters. typeperf -q <Object Name> displays the counters for a particular Perfmon object. For example:
> typeperf -q Processor
\Processor(*)\% Processor Time
\Processor(*)\% User Time
\Processor(*)\% Privileged Time
\Processor(*)\Interrupts/sec
\Processor(*)\% DPC Time
\Processor(*)\% Interrupt Time
\Processor(*)\DPCs Queued/sec
\Processor(*)\DPC Rate
\Processor(*)\% Idle Time
\Processor(*)\% C1 Time
\Processor(*)\% C2 Time
\Processor(*)\% C3 Time
\Processor(*)\C1 Transitions/sec
\Processor(*)\C2 Transitions/sec
\Processor(*)\C3 Transitions/sec
3. Add perfmon objects in inputs.conf
For each Perfmon object you want to collect, add a stanza with the following settings:
- counters: List the counters you want to monitor for this object, separated by semicolons.
- instances: Use * to monitor all available instances, or specify one or more instances.
- object: A valid Perfmon object name.
- mode: Enter single. The Splunk App for Infrastructure does not support the multikv mode.
- index = em_metrics is required in each stanza. If you use another index for metrics, replace em_metrics with the custom index.
- interval: How often, in seconds, to poll for new data.
- _meta: Add entity_type::Windows_Host and any custom dimensions that identify this entity.
- useEnglishOnly = true is required in each stanza.
For the Processor object, a valid perfmon stanza in inputs.conf might look like the following. The example uses the default Perfmon counters for the Processor object: one stanza for Processor, polled every 30 seconds, with the selected counters you are monitoring (there are 8 default counters, as shown above).
[perfmon://CPU Load]
counters = % C1 Time;% C2 Time;% Idle Time;% Processor Time;% User Time;% Privileged Time
instances = *
interval = 30
mode = single
object = Processor
index = em_metrics
_meta = os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host
useEnglishOnly = true
See the "Performance Monitor" section on this page for detailed information about these settings: http://docs.splunk.com/Documentation/Splunk/7.1.2/Admin/Inputsconf#Performance_Monitor
4. Collect Windows Event Logs
Add stanzas for the Windows Event Logs you require: Application, Security, System, Setup, and so on. For the Application Windows Event Log, a valid stanza in inputs.conf might look like this:
[WinEventLog://Application]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest
For more information, see Windows Event Log Monitor.
5. Monitor Files for Log Collection
Add stanzas to inputs.conf to monitor files. A monitor stanza for the universal forwarder log files looks like this:
[monitor://$SPLUNK_HOME\var\log\splunk\*.log*]
sourcetype = uf
disabled = false
For more information, see the MONITOR: section of the inputs.conf reference.
Sample inputs.conf file for metrics and logs collection
[perfmon://CPU Load]
counters = % C1 Time;% C2 Time;% Idle Time;% Processor Time;% User Time;% Privileged Time;% Reserved Time;% Interrupt Time
instances = *
interval = 30
mode = single
object = Processor
index = em_metrics
_meta = os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host
useEnglishOnly = true

[perfmon://Physical Disk]
counters = % Disk Read Time;% Disk Write Time
instances = *
interval = 30
mode = single
object = PhysicalDisk
index = em_metrics
_meta = os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host
useEnglishOnly = true

[perfmon://Network Interface]
counters = Bytes Received/sec;Bytes Sent/sec;Packets Received/sec;Packets Sent/sec;Packets Received Errors;Packets Outbound Errors
instances = *
interval = 30
mode = single
object = Network Interface
index = em_metrics
_meta = os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host
useEnglishOnly = true

[perfmon://Available Memory]
counters = Cache Bytes;% Committed Bytes In Use;Page Reads/sec;Pages Input/sec;Pages Output/sec;Committed Bytes;Available Bytes
interval = 30
mode = single
object = Memory
index = em_metrics
_meta = os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host
useEnglishOnly = true

[perfmon://System]
counters = Processor Queue Length;Threads
instances = *
interval = 30
mode = single
object = System
index = em_metrics
_meta = os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host
useEnglishOnly = true

[perfmon://Process]
counters = % Processor Time;% User Time;% Privileged Time
instances = *
interval = 30
mode = single
object = Process
index = em_metrics
_meta = os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host
useEnglishOnly = true

[perfmon://Free Disk Space]
counters = Free Megabytes;% Free Space
instances = *
interval = 30
mode = single
object = LogicalDisk
index = em_metrics
_meta = os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host
useEnglishOnly = true

[monitor://$SPLUNK_HOME\var\log\splunk\*.log*]
sourcetype = uf
disabled = false

[WinEventLog://Application]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest

[WinEventLog://Security]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest

[WinEventLog://System]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest

[WinEventLog://Setup]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest
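The following Python script is an added example, not part of this documentation or of Splunk's code. It ties together step 2 (turning typeperf -q output into a counters list) and step 3 (the settings every perfmon stanza must carry): it parses a constructed sample of typeperf output, renders a perfmon stanza from it, and then checks every perfmon:// stanza in an inputs.conf against the rules listed in step 3 (mode = single, useEnglishOnly = true, index = em_metrics unless you pass your custom index, a numeric interval, and entity_type::Windows_Host in _meta). The function names parse_typeperf, render_perfmon_stanza and validate_inputs_conf, and the sample conf text, are this example's own. Run it against your inputs.conf before you restart the forwarder, so that a stanza with the unsupported multikv mode or a missing useEnglishOnly is caught on the host rather than noticed later as missing entities in the app.

```python
"""Added example (not Splunk's code): build a perfmon stanza from typeperf output
and validate the perfmon stanzas of an inputs.conf for Splunk App for Infrastructure."""
import re
from configparser import ConfigParser

# Constructed sample of `typeperf -q Processor` output. The real command prints one
# counter path per line in the same \Object(instance)\Counter form and ends with a
# status line, which the parser ignores.
TYPEPERF_SAMPLE = """\
\\Processor(*)\\% Processor Time
\\Processor(*)\\% User Time
\\Processor(*)\\% Privileged Time
\\Processor(*)\\% Idle Time
\\Processor(*)\\Interrupts/sec
The command completed successfully.
"""

# \Object(instance)\Counter; the (instance) part is optional, e.g. \Memory\Available Bytes.
COUNTER_PATH = re.compile(r"^\\(?P<object>[^\\(]+)(?:\((?P<instance>[^)]*)\))?\\(?P<counter>.+)$")


def parse_typeperf(text):
    """Map each Perfmon object name to its counter names, in the order typeperf lists them."""
    objects = {}
    for line in text.splitlines():
        m = COUNTER_PATH.match(line.strip())
        if m is None:
            continue  # blank lines and the trailing status line
        counters = objects.setdefault(m["object"], [])
        if m["counter"] not in counters:
            counters.append(m["counter"])
    return objects


def render_perfmon_stanza(name, obj, counters, interval=30, index="em_metrics", dimensions=None):
    """Render one perfmon stanza carrying the settings the app requires."""
    dims = {"entity_type": "Windows_Host"}
    dims.update(dimensions or {})
    # Dimension values containing spaces are quoted, as in the os::"..." example above.
    meta = " ".join(f'{k}::"{v}"' if " " in str(v) else f"{k}::{v}" for k, v in dims.items())
    lines = [
        f"[perfmon://{name}]",
        "counters = " + ";".join(counters),
        "instances = *",
        f"interval = {interval}",
        "mode = single",
        f"object = {obj}",
        f"index = {index}",
        f"_meta = {meta}",
        "useEnglishOnly = true",
    ]
    return "\n".join(lines) + "\n"


REQUIRED_VALUES = {"mode": "single", "useEnglishOnly": "true"}


def validate_inputs_conf(text, metrics_index="em_metrics"):
    """Return a list of problems in the perfmon:// stanzas of an inputs.conf.
    WinEventLog:// and monitor:// stanzas are left alone."""
    cp = ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case so useEnglishOnly is compared as written
    cp.read_string(text)
    problems = []
    for section in cp.sections():
        if not section.startswith("perfmon://"):
            continue
        s = cp[section]
        for key in ("object", "counters", "_meta"):
            if not s.get(key):
                problems.append(f"{section}: missing {key}")
        for key, want in REQUIRED_VALUES.items():
            if s.get(key) != want:
                problems.append(f"{section}: {key} must be {want}, got {s.get(key)!r}")
        if s.get("index") != metrics_index:
            problems.append(f"{section}: index must be {metrics_index}, got {s.get('index')!r}")
        if not s.get("interval", "").isdigit():
            problems.append(f"{section}: interval must be a whole number of seconds")
        if "entity_type::Windows_Host" not in s.get("_meta", ""):
            problems.append(f"{section}: _meta must include entity_type::Windows_Host")
    return problems


# Constructed sample conf: a stanza rendered from the typeperf output above plus an
# event-log stanza that the validator skips.
SAMPLE_CONF = render_perfmon_stanza(
    "CPU Load", "Processor", parse_typeperf(TYPEPERF_SAMPLE)["Processor"],
    dimensions={"os": "Microsoft Windows Server 2012 R2 Standard", "os_version": "6.3.9600"},
) + """
[WinEventLog://Application]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest
"""

# Constructed bad stanza: unsupported mode, non-numeric interval, no useEnglishOnly,
# no entity_type dimension.
BAD_CONF = """\
[perfmon://Memory]
counters = Available Bytes
interval = thirty
mode = multikv
object = Memory
index = em_metrics
_meta = os::Windows
"""

if __name__ == "__main__":
    print(SAMPLE_CONF)
    print("problems:", validate_inputs_conf(SAMPLE_CONF) or "none")
    print("problems in bad conf:", validate_inputs_conf(BAD_CONF))
```

The validator only checks the settings this page lists; it cannot tell whether an object or counter name exists on the host, which is what the typeperf -q step is for.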
This documentation applies to the following versions of Splunk® App for Infrastructure (Legacy): 1.3.0, 1.3.1