Splunk® App for Infrastructure (Legacy)

Administer Splunk App for Infrastructure

This documentation does not apply to the most recent version of Splunk® App for Infrastructure (Legacy). For documentation on the most recent version, go to the latest release.

Manually configure metrics and log collection for a Windows host for Splunk App for Infrastructure

To collect performance metrics and logs, you need to set up data collection using a universal forwarder. The universal forwarder collects data from a data source and sends it to your Splunk deployment.

In the Splunk App for Infrastructure, use the Add Data page to set up a script that configures the universal forwarder for metrics and log collection. This script only works on single-instance Windows deployments, and does not work if you already have universal forwarders configured. In that case, you need to install the universal forwarder and its data inputs manually. Manual installation can also be required if you work on a closed network, or do not have a trusted URL from which to download the universal forwarder package.

Use the steps in this section to manually install and configure the universal forwarder, and to configure the data inputs that collect performance metrics and logs.

For information about stopping or removing the universal forwarder for metrics and logs collection on the Splunk App for Infrastructure, see Uninstall the universal forwarder in the Forwarder Manual.

1. Install the universal forwarder on Windows

To manually install and configure the universal forwarder on Windows, see Install a Windows universal forwarder from an installer in the Forwarder Manual.

When installing the universal forwarder, confirm that you:

  • Use the forwarder default options.
  • Set the receiving indexer during installation: the hostname or IP address and the receiving port of the indexer that you want the universal forwarder to send data to.
  • Create the ${SPLUNK_HOME}\etc\apps\splunk_app_infra_uf_config directory if it does not already exist.
  • Set up inputs.conf for the universal forwarder and place the file at this location: ${SPLUNK_HOME}\etc\apps\splunk_app_infra_uf_config\local\inputs.conf

2. Get available perfmon counters for metrics

The following list shows the Perfmon counters available on an example machine; the counters on your machine might vary. For performance metrics, use the typeperf command to list the performance counters available on your host. In the output below:

  • Processor is the object
  • % Processor Time and % User Time are the counters

typeperf -q displays all the counters.
typeperf -q <Object Name> displays the counters for a particular Perfmon object. For example:

> typeperf -q Processor
\Processor(*)\% Processor Time
\Processor(*)\% User Time
\Processor(*)\% Privileged Time
\Processor(*)\Interrupts/sec
\Processor(*)\% DPC Time
\Processor(*)\% Interrupt Time
\Processor(*)\DPCs Queued/sec
\Processor(*)\DPC Rate
\Processor(*)\% Idle Time
\Processor(*)\% C1 Time
\Processor(*)\% C2 Time
\Processor(*)\% C3 Time
\Processor(*)\C1 Transitions/sec
\Processor(*)\C2 Transitions/sec
\Processor(*)\C3 Transitions/sec

3. Add perfmon objects in inputs.conf

For each Perfmon object you want to collect, add a stanza with the following settings:

    • counters: List counters you want to monitor for this object.
    • instances: Use '*' to monitor all available instances. Or, specify single or multiple instances.
    • object: Valid Perfmon object name.
    • mode: Enter single. The Splunk App for Infrastructure does not support the multikv mode.
    • index = em_metrics is required in each stanza. If you use another index for metrics, replace em_metrics with the custom index.
    • interval: How often, in seconds, to poll for new data.
    • _meta: Add entity_type:Windows_Host and any custom dimensions to identify this entity.
    • useEnglishOnly = true is required in each stanza.

For the Processor object, a valid perfmon stanza in inputs.conf might look like the following. The example uses default Perfmon counters for the Processor object: one stanza for Processor, polling every 30 seconds, with the selected counters you are monitoring (there are 8 default counters, as shown above).

[perfmon://CPU Load]
counters = % C1 Time;% C2 Time;% Idle Time;% Processor Time;% User Time;% Privileged Time
instances = *
interval = 30
mode = single
object = Processor
index = em_metrics
_meta =  os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host
useEnglishOnly = true

See the "Performance Monitor" section on the following page for detailed information about these settings:
http://docs.splunk.com/Documentation/Splunk/7.1.2/Admin/Inputsconf#Performance_Monitor
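The required settings listed above are easy to get wrong by hand (for example, leaving mode at multikv or forgetting useEnglishOnly). The following Python script, added here as an example and not part of the Splunk App for Infrastructure, parses an inputs.conf and reports which perfmon stanzas violate those rules; the sample configuration embedded in it is constructed for the example.

```python
import re
from configparser import ConfigParser

# Constructed sample: the first stanza follows the rules above, the second
# violates them (mode = multikv, wrong index, no useEnglishOnly, no entity_type).
SAMPLE_INPUTS_CONF = """
[perfmon://CPU Load]
counters = % Processor Time;% User Time
instances = *
interval = 30
mode = single
object = Processor
index = em_metrics
_meta = os::"Windows Server" entity_type::Windows_Host
useEnglishOnly = true

[perfmon://Bad Memory]
counters = Available Bytes
interval = 30
mode = multikv
object = Memory
index = main
_meta = os::"Windows Server"
"""

REQUIRED = ("counters", "object", "interval", "mode", "index", "_meta", "useEnglishOnly")

def load_stanzas(text):
    """Parse inputs.conf text into {stanza name: {key: value}}."""
    # No interpolation: values contain '%' and '::'. Keys keep their case.
    parser = ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}

def check_perfmon_stanza(stanza, metrics_index="em_metrics"):
    """Return the list of problems in one [perfmon://...] stanza (empty = OK)."""
    problems = [f"missing {key}" for key in REQUIRED if key not in stanza]
    if stanza.get("mode") != "single":
        problems.append("mode must be single (multikv is not supported)")
    if stanza.get("index") != metrics_index:
        problems.append(f"index must be {metrics_index}")
    if stanza.get("useEnglishOnly", "").lower() != "true":
        problems.append("useEnglishOnly must be true")
    if not re.search(r"\bentity_type::Windows_Host\b", stanza.get("_meta", "")):
        problems.append("_meta must include entity_type::Windows_Host")
    if "interval" in stanza and not stanza["interval"].isdigit():
        problems.append("interval must be a whole number of seconds")
    return problems

def validate(text, metrics_index="em_metrics"):
    """Map each perfmon stanza name to its list of problems."""
    return {name: check_perfmon_stanza(s, metrics_index)
            for name, s in load_stanzas(text).items() if name.startswith("perfmon://")}
```

Run validate() on the contents of your own inputs.conf before restarting the forwarder; pass your custom index name as metrics_index if you do not use em_metrics.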

4. Collect Windows Event Logs

Add stanzas for the Windows Event logs you need: Application, Security, System, Setup, and so on. For the Application Windows Event Log, a valid stanza in inputs.conf might look like this:

[WinEventLog://Application]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest

For more information, see Windows Event Log Monitor.

5. Monitor Files for Log Collection

Add monitor stanzas to inputs.conf for the files you want to collect. A monitor stanza for the universal forwarder's own log files looks like this:

[monitor://$SPLUNK_HOME\var\log\splunk\*.log*]
sourcetype = uf
disabled = false

For more information, see the MONITOR: section of the inputs.conf reference.

Sample inputs.conf file for metrics and logs collection

[perfmon://CPU Load]
counters = % C1 Time;% C2 Time;% Idle Time;% Processor Time;% User Time;% Privileged Time;% Reserved Time;% Interrupt Time
instances = *
interval = 30
mode = single
object = Processor
index = em_metrics
_meta =  os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host
useEnglishOnly = true

[perfmon://Physical Disk]
counters = % Disk Read Time;% Disk Write Time
instances = *
interval = 30
mode = single
object = PhysicalDisk
index = em_metrics
_meta =  os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host
useEnglishOnly = true

[perfmon://Network Interface]
counters = Bytes Received/sec;Bytes Sent/sec;Packets Received/sec;Packets Sent/sec;Packets Received Errors;Packets Outbound Errors
instances = *
interval = 30
mode = single
object = Network Interface
index = em_metrics
_meta =  os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host
useEnglishOnly = true

[perfmon://Available Memory]
counters = Cache Bytes;% Committed Bytes In Use;Page Reads/sec;Pages Input/sec;Pages Output/sec;Committed Bytes;Available Bytes
interval = 30
mode = single
object = Memory
index = em_metrics
_meta =  os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host
useEnglishOnly = true

[perfmon://System]
counters = Processor Queue Length;Threads
instances = *
interval = 30
mode = single
object = System
index = em_metrics
_meta =  os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host
useEnglishOnly = true

[perfmon://Process]
counters = % Processor Time;% User Time;% Privileged Time
instances = *
interval = 30
mode = single
object = Process
index = em_metrics
_meta =  os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host
useEnglishOnly = true

[perfmon://Free Disk Space]
counters = Free Megabytes;% Free Space
instances = *
interval = 30
mode = single
object = LogicalDisk
index = em_metrics
_meta =  os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host
useEnglishOnly = true

[monitor://$SPLUNK_HOME\var\log\splunk\*.log*]
sourcetype = uf
disabled = false

[WinEventLog://Application]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest

[WinEventLog://Security]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest

[WinEventLog://System]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest

[WinEventLog://Setup]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest
Last modified on 02 July, 2019

This documentation applies to the following versions of Splunk® App for Infrastructure (Legacy): 1.3.0, 1.3.1
