Monitor Windows performance in real time

Splunk Enterprise supports the monitoring of all Windows performance counters available to the system in real time, and includes support for both local and remote collection of performance data.

The Splunk Enterprise performance monitoring utility gives you the abilities of Performance Monitor in a web or command-line interface. Splunk uses the Performance Data Helper (PDH) API for performance counter queries on local machines.

The types of performance objects, counters and instances that are available to Splunk depend on the performance libraries installed on the system. Both Microsoft and third-party vendors provide libraries that contain performance counters. For additional information on performance monitoring, review "Performance Counters" (http://msdn.microsoft.com/en-us/library/aa373083%28v=VS.85%29.aspx) on MSDN.

Both full instances of Splunk and universal forwarders support local collection of performance metrics. Remote performance monitoring is available through WMI (Windows Management Instrumentation) and requires that Splunk runs as a user with appropriate Active Directory credentials.

The performance monitor input runs as a process called splunk-perfmon.exe. This process runs once for every input defined, at the interval specified in the input. You can configure performance monitoring using Splunk Web, or either inputs.conf (for local performance data) or wmi.conf (for performance data from a remote machine).

Why monitor performance metrics?

Performance monitoring is an important part of the Windows administrator's toolkit. Windows generates a lot of data about a system's health. Proper analysis of that data can make the difference between a healthy, well functioning system, and one that suffers downtime.

What's required to monitor performance counters?

The following table lists the explicit permissions needed to monitor performance counters in Windows. You might need additional permissions based on the performance objects or counters that you want to monitor.

For additional information on what's required to monitor performance metrics, read "Security and remote access considerations" later in this topic.

Security and remote access considerations

Splunk gets data from remote machines using either a forwarder or WMI. Splunk recommends using a universal forwarder to send performance data from remote machines to an indexer. Review "Introducing the universal forwarder" in the Forwarding Data Manual for information about how to install, configure and use the forwarder to collect performance metrics.

If you choose to install forwarders on your remote machines to collect performance data, then you can install the forwarder as the Local System user on those machines. The Local System user has access to all data on the local machine, but not to remote computers.

If you want Splunk to use WMI to get performance data from remote machines, then you must ensure that your network and Splunk instances are properly configured. You cannot install Splunk as the Local System user, and the user you install with determines the set of performance metrics Splunk sees. Review "Security and remote access considerations" in the "Monitor WMI Data" topic in this manual for additional information on the requirements you must satisfy in order for Splunk to collect remote data properly using WMI.

After you install Splunk with a valid user, add that user to the following groups before enabling local performance monitor inputs:

• Performance Monitor Users (domain group)
• Performance Log Users (domain group)

Enable local Windows performance monitoring

You can configure local performance monitoring either in Splunk Web, or by using configuration files.

Splunk Web is the preferred way to add performance monitoring data inputs. This is because you can make typos when using configuration files, and it's important to specify performance monitor objects exactly as the Performance Monitor API defines them. See "Important information about specifying performance monitor objects in inputs.conf" below for a full explanation.

Configure local Windows performance monitoring with Splunk Web

1. Click Settings in the upper right-hand corner of Splunk Web.

2. Under Data, click Data Inputs.

3. Click Local performance monitoring.

4. Click New to add an input.

5. Enter a unique, memorable name for this input.

6. Under Available objects, choose the performance object whose counters you wish to display.

Splunk loads the available performance counters for the selected object.

Note: You can only add one performance object per data input. This is due to how Microsoft handles performance monitor objects. Many objects enumerate classes that describe themselves dynamically upon selection. This can lead to confusion as to which performance counters and instances belong to which object, as defined in the input. If you need to monitor multiple objects, create additional data inputs for each object.

7. Under Counters, choose the counters in the Available counters list box that you want Splunk to monitor by clicking once on them.

The selected counter moves from the Available counters list box to the Selected counters list box.

8. Under Instances, select the instances you want Splunk to monitor by clicking on those instances in the Available instances list.

The selected instance moves from the Available instances list box to the Selected instances list box.

Note: The "_Total" instance is a special instance, and is present for many types of performance counters. This instance is defined as the average of any associated instances under the same counter. Data collected for this instance can be significantly different than for individual instances under the same counter.

For example, when monitoring performance data for the "Disk Bytes/Sec" performance counter under the "PhysicalDisk" object on a system with two disks installed, the available instances displayed include one for each physical disk - "0 C:" and "1 D:" - as well as the "_Total" instance. In this case, the "_Total" instance is the average of the two physical disk instances.

9. Specify an interval, in seconds, between polls.

10. Choose the destination index for this collection.

11. Click Save.

Splunk adds and enables the input.

Configure local Windows performance monitoring with configuration files

inputs.conf controls performance monitoring configurations. To set up performance monitoring using configuration files, create and/or edit inputs.conf in %SPLUNK_HOME%\etc\system\local. If you haven't worked with Splunk's configuration files before, be sure to read "About configuration files" before you begin.

the [perfmon://<name>] stanza defines performance monitoring inputs in inputs.conf. You specify one stanza per performance object that you wish to monitor.

In each stanza, you can specify the following attributes:

The following example section of inputs.conf collects performance data from the local disk on the system and places it into the 'perfmon' index:

# Query the PhysicalDisk performance object and gather disk access data for
# all physical drives installed in the system. Store this data in the 
# "perfmon" index.
# Note: If the interval attribute is set to 0, Splunk resets the interval
# to 1.

[perfmon://LocalPhysicalDisk]
interval = 0
object = PhysicalDisk
counters = Disk Bytes/sec; % Disk Read Time; % Disk Write Time; % Disk Time
instances = *
disabled = 0
index = PerfMon

# Gather SQL statistics for all database instances on this SQL server.
# 'object' attribute uses a regular expression "\$.*" to specify SQL
# statistics for all available databases.
[perfmon://SQLServer_SQL_Statistics]
object = MSSQL\$.*:SQL Statistics
counters = *
instances = *

# Gather information on all counters under the "Process" and "Processor" 
# Perfmon objects.
# We use '.*' as a wild card to match the 'Process' and 'Processor' objects.
[perfmon://ProcessandProcessor]
object = Process.*
counters = *
instances = *

Important information about specifying performance monitor objects in inputs.conf

Use all lower case when specifying the perfmon keyword

When you create a performance monitor input in inputs.conf, you must use all lower case for the perfmon keyword, for example:

If you use capital or mixed-case letters for the keyword, Splunk warns of the problem on start-up, and the specified performance monitor input does not run.

Specify valid regular expressions to capture multiple performance monitor objects

When you need to specify multiple objects in a single performance monitor stanza, you must use a valid regular expression to capture those objects. For example, to specify a wildcard to match a string beyond a certain number of characters, do not use *, but rather .*. If the object contains a dollar sign or similar special character, you might need to escape it with a backslash (\).

Except in the above case, values must exactly match what is in the Performance Monitor API

When you specify values for the object, counters and instances attributes in [perfmon://] stanzas, be sure that those values exactly match those defined in the Performance Monitor API, including case, or the input might return incorrect data, or no data at all. If Splunk is unable to match a performance object, counter or instance value that you've specified, it logs that failure to splunkd.log. For example:

The best way to ensure that you specify the correct objects, counters, and instances is to use Splunk Web to add performance monitor data inputs.

Enable remote Windows performance monitoring over WMI

You can configure remote performance monitoring either in Splunk Web or by using configuration files.

When collecting performance metrics over WMI, you must configure Splunk to run as an AD user with appropriate access for remote collection of performance metrics. You must do this before attempting to collect those metrics. Both the machine that runs Splunk and the machine(s) Splunk collects performance data from must reside in the same AD domain or forest.

Note: WMI self-throttles by design to prevent denial of service attacks. Splunk also reduces the number of WMI calls it makes over time as a precautionary measure if these calls return an error. Depending on the size, configuration, and security profile of your network, installing a local forwarder on the system from which you want to collect performance metrics might be a better choice. Consult "Considerations for deciding how to monitor remote Windows data" in this manual for additional information.

Important information regarding WMI-based performance metrics

When gathering remote performance metrics through WMI, you might notice that some metrics return zero values, or values that are not in line with values returned by Performance Monitor. This is because of a limitation in the implementation of WMI for performance monitor counters, and is not an issue with Splunk or how it retrieves WMI-based data..

WMI uses the Win32_PerfFormattedData_* classes to gather performance metrics. More info on the specific classes is available at "Win32 Classes" (http://msdn.microsoft.com/en-us/library/aa394084%28v=vs.85%29.aspx) on MSDN.

WMI defines the data structures within these classes as either 32- or 64-bit unsigned integers, depending on the version of Windows you are running. Performance Monitor objects, meanwhile, are defined as floating-point variables. This means that you might see WMI-based metrics that appear anomalous, due to rounding factors.

For example, if you collect data on the "Average Disk Queue Length" Performance Monitor counter at the same time you collect the Win32_PerfFormattedData_PerfDisk_PhysicalDisk\AvgDiskQueueLength metric through WMI, the WMI-based metric might return zero values even though the Performance Monitor metric returns values greater than zero (but less than 0.5). This is because WMI rounds the value down before displaying it.

If you require additional granularity in your performance metrics, it's better to configure the performance monitoring inputs on a universal forwarder on each machine from which you wish to collect performance data. You can then forward that data to an indexer. Data retrieved using this method is more reliable than data gathered remotely using WMI-based inputs.

Configure remote Windows performance monitoring with Splunk Web

1. Click System in the upper right-hand corner of Splunk Web.

2. Under Data, click Data Inputs.

3. Click Remote Performance monitoring.

4. Click New to add an input.

5. Enter a unique name for this collection.

6. Under Select target host, enter the name of a valid Windows host to query performance monitor objects from, then click "Query..."

Splunk connects to the host and gets the available performance objects.

7. In the "Available objects" drop-down, select the performance object whose counters you wish to display.

Splunk loads the available performance counters for the selected object.

Note: You can only add one performance object per data input. This is due to how Microsoft handles performance monitor objects. Many objects enumerate classes that describe themselves dynamically upon selection. This can lead to confusion as to which performance counters and instances belong to which object, as defined in the input. If you need to monitor multiple objects, create additional data inputs for each object.

8. Under Counters, choose the counters in the "Available counters" list box that you want Splunk to monitor by clicking once on them.

The selected counter moves from the "Available counters" list box to the "Selected counters" list box.

9. Next, under Instances, select the instances you want Splunk to monitor by clicking on those instances in the Available instances list.

The selected instance moves from the "Available instances" list box to the "Selected instances" list box.

Note: The "_Total" instance is a special instance, and is present for many types of performance counters. This instance is defined as the average of any associated instances under the same counter. Data collected for this instance can be - and oftentimes is - significantly different than for individual instances under the same counter.

For example, when monitoring performance data for the "Disk Bytes/Sec" performance counter under the "PhysicalDisk" object on a system with two disks installed, the available instances displayed include one for each physical disk - "0 C:" and "1 D:" - as well as the "_Total" instance. In this case, the "_Total" instance is the average of the two physical disk instances.

10. You can optionally tell Splunk to collect the same set of metrics from additional hosts by specifying those hosts, separated by commas, in the field provided.

11. Specify an interval, in seconds, between polls.

12. Optionally, choose the destination index for this collection.

By default, Splunk selects the "default" index.

13. Click Save.

Splunk adds and enables the input.

Note: Win32_PerfFormattedData_* classes do not show up as available objects in Splunk Web. If you wish to monitor Win32_PerfFormattedData_* classes, you must add them directly in wmi.conf.

Configure remote Windows performance monitoring with configuration files

Remote performance monitoring configurations are controlled by wmi.conf. To set up remote performance monitoring using configuration files, create and/or edit wmi.conf in %SPLUNK_HOME%\etc\system\local. If you haven't worked with Splunk's configuration files before, be sure to read "About configuration files" before you begin.

Caution: Splunk strongly recommends that you use Splunk Web to create remote performance monitor inputs. This is because the names of performance monitor objects, counters, and instances must exactly match what the Performance Monitor API defines, including case. Splunk Web uses WMI to get the properly-formatted names, eliminating the potential for typos.

wmi.conf contains one stanza for each remote performance monitor object that you wish to monitor. In each stanza, you specify:

Global settings

Input-specific settings

The following example of wmi.conf gathers local disk and memory performance metrics and places them into the 'wmi_perfmon' index:

[settings]
initial_backoff = 5
max_backoff = 20
max_retries_at_max_backoff = 2
checkpoint_sync_interval = 2

# Gather disk and memory performance metrics from the local system every second.
# Store event in the "wmi_perfmon" Splunk index.

[WMI:LocalPhysicalDisk]
interval = 1
wql = select Name, DiskBytesPerSec, PercentDiskReadTime,PercentDiskWriteTime, PercentDiskTime from \
 Win32_PerfFormattedData_PerfDisk_PhysicalDisk
disabled = 0
index = wmi_perfmon

[WMI:LocalMainMemory]
interval = 10
wql = select CommittedBytes, AvailableBytes, PercentCommittedBytesInUse, Caption from \
 Win32_PerfFormattedData_PerfOS_Memory
disabled = 0
index = wmi_perfmon

Additional information on WQL query statements

WQL queries must be structurally and syntactically correct. If they are not, you might get undesirable results or no results at all when specifying them. In particular, when writing event notification queries (by specifying current_only=1 in the stanza in which a WQL query resides), your WQL statement must contain one of the clauses that specify such a query (WITHIN, GROUP, and/or HAVING). Review this MSDN article on Querying with WQL for additional information.

Splunk Web eliminates problems with WQL syntax by generating the appropriate WQL queries when you use it to create performance monitor inputs.

Caveats

Increased memory usage during collection of performance metrics

When collecting data on some performance objects, such as the "Thread" object and its associated counters, you might notice increased memory usage in Splunk. This is normal, as certain performance objects consume more memory than others during the collection process.

Processor Time counters do not return values of higher than 100

Due to how Microsoft tallies CPU usage with the Processor:% Processor Time and Process:% Processor Time counters, these counters do not return a value of more than 100 regardless of the number of CPUs or cores in the system. This is by design - these counters subtract the amount of time spent on the Idle process from 100%.