Windows perfmon inputs are not converting to metrics

The Splunk Add-on for Infrastructure and the Splunk Add-on for Microsoft Windows handle metrics differently. If you run these add-ons on the same indexers, there's a transforms.conf precedence issue that breaks metrics conversions from Windows Performance Monitor (perfmon) inputs.

If you're also running Splunk Enterprise Security, there's a conflict with Splunk_TA_ForIndexers.

To address the conf file precedence issue, move metric_name_for_perfmon_metrics_store in transforms.conf on every indexer that runs the Splunk Add-on for Infrastructure. Where you move the transform depends on whether you're running the Splunk Add-on for Microsoft Windows alone or are also running Splunk Enterprise Security on the same indexer as the Splunk Add-on for Infrastructure.

What you need to do

If you're running the Splunk Add-on for Microsoft Windows on the same indexers that run the Splunk Add-on for Infrastructure, create the metric_name_for_perfmon_metrics_store stanza in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/transforms.conf. If the local directory doesn't exist, create it first.

If you're running Splunk_TA_ForIndexers for Splunk Enterprise Security on the same indexers that run the Splunk Add-on for Infrastructure in addition to the Splunk Add-on for Microsoft Windows, or if you're just running Splunk_TA_ForIndexers, create the metric_name_for_perfmon_metrics_store stanza in $SPLUNK_HOME/etc/apps/Splunk_TA_ForIndexers/local/transforms.conf. If the local directory doesn't exist, create it first.

The metric_name_for_perfmon_metrics_store stanza you need to create in the local directory looks like this:

[metric_name_for_perfmon_metrics_store]
REGEX =
object= \" ?([^ \"\r\n ]*[^ \"\s ]).*counter= \" ?([^ \"\r\n ]*[^ \"\s ]).*instance
FORMAT = metric_name::$1.$2
WRITE_META = true