Splunk® Enterprise

Getting Data In

Monitor Windows performance

The Splunk platform supports the monitoring of all Windows performance counters in real time, including both local and remote collection of performance data.

The performance monitoring input gives you access to the Performance Monitor in a web interface. The Splunk platform uses the Windows Performance Data Helper (PDH) API for performance counter queries on local Windows machines.

The types of performance objects, counters, and instances that are available to the platform depend on the performance libraries that are on the machine. Both Microsoft and third-party vendors provide libraries that contain performance counters. For information on performance monitoring, search the Microsoft documentation website for "Performance Counters".

To get Windows performance monitor data in, you must run either a Splunk Enterprise heavy forwarder or universal forwarder on the Windows machine from which you want to collect the performance metrics, and then forward that data to the Splunk platform instance. Both full instances of Splunk Enterprise and universal forwarders can collect local performance metrics. Remote performance monitoring is available through Windows Management Instrumentation (WMI) and requires that the Splunk platform instance on the Windows machine runs as a user with appropriate Active Directory credentials.

On Splunk Enterprise and the universal forwarder, the performance monitor input runs as a process called splunk-perfmon.exe. The process runs once for every input you define, at the interval you specify in the input. You can configure performance monitoring either with Splunk Web or by using configuration files.

The performance monitor input uses two files for configuration. The file that you use to configure the input depends on whether you want to get performance data from a local instance or from a remote instance:

  • You use the inputs.conf configuration file to get local performance data.
  • You use the wmi.conf configuration file to get performance data from a remote machine.

Why monitor performance metrics?

Performance monitoring is an important part of the Windows administrator toolkit. Windows generates a lot of data about machine health. Properly analyzing that data can mean the difference between a healthy, well-functioning machine, and one that suffers downtime.

What you need to monitor performance counters

The following table lists the minimum requirements you need to monitor performance counters in Windows. You might have additional requirements based on the performance objects or counters that you want to monitor.

For additional information on performance metrics monitoring requirements, see Security and remote access considerations later in this topic.

Monitor local performance metrics. Required permissions:
  • The Splunk platform instance must receive performance data from a forwarder.
  • The forwarder must run on Windows. See Install on Windows in the Splunk Enterprise Installation Manual.
  • The forwarder must run as the LocalSystem Windows user. See Choose the Windows user Splunk Enterprise should run as in the Splunk Enterprise Installation Manual.

Monitor remote performance metrics on another computer over WMI. Required permissions:
  • The Splunk platform instance must receive performance data from a forwarder.
  • The forwarder must run on Windows.
  • The forwarder must run as a domain or remote user with at least read access to WMI on the target machine.
  • The forwarder must run as a domain or remote user with appropriate access to the Performance Data Helper libraries on the target machine.

Security and remote access considerations

Where possible, use a universal forwarder to send performance data from remote machines to the Splunk platform or Splunk Enterprise indexer.

Splunk Enterprise gets data from remote machines with either a forwarder or WMI.

If you install forwarders on your remote Windows machines to collect performance data, then you can install the forwarder as the LocalSystem user on those machines. The LocalSystem user has access to all data on the local machine, but not to remote computers.

If you want Splunk Enterprise to use WMI to get performance data from remote machines, then you must configure both Splunk Enterprise and your Windows network. You cannot install Splunk Enterprise as the LocalSystem user, and the user that you choose determines what Performance Monitor objects Splunk Enterprise can read.

After you install Splunk Enterprise with a valid user, you must add that user to the following groups before you enable local performance monitor inputs:

  • Performance Monitor Users (domain group)
  • Performance Log Users (domain group)

To learn more about WMI security, see Security and remote access considerations in the Monitor data through Windows Management Instrumentation (WMI) topic. To learn how to use a universal forwarder, see The universal forwarder in the Splunk Universal Forwarder Manual.

Enable local Windows performance monitoring

On the Splunk platform, you must forward data from the Windows machines where you want to collect performance data.

On Splunk Enterprise, you can configure local performance monitoring directly either in Splunk Web or with configuration files.

Splunk Web is the preferred way to add performance monitoring data inputs on Splunk Enterprise instances. Typos are easy to make in configuration files, and it is important to specify performance monitor objects exactly as the Performance Monitor API defines them. See "Important information about specifying performance monitor objects in inputs.conf" later in this topic for a full explanation.

Configure local Windows performance monitoring with Splunk Web

You can collect Windows performance monitoring metrics with Splunk Web only on Splunk Enterprise instances.

To begin configuring Windows performance monitoring metrics, access the Add New page in Splunk Web through either Splunk Settings or Splunk Home.

To connect Windows performance monitoring metrics through Splunk Settings, follow these steps:

  1. Click Settings > Data Inputs.
  2. Click Local performance monitoring.
  3. Click New to add an input.
  4. Continue with the steps in "Select an input source" later in this topic.

To connect Windows performance monitoring metrics through Splunk Home, follow these steps:

  1. Click the Add Data link in Splunk Home.
  2. Click Monitor to monitor performance data from the local Windows machine, or Forward to receive performance data from another machine.
  3. If you selected Forward, choose or create the group of forwarders you want this input to apply to.
  4. Click Next.
  5. Continue with the steps in "Select an input source" later in this topic.

Select the input source

  1. In the left pane of Splunk Enterprise, select Local Performance Monitoring.
  2. In the Collection Name field, enter a unique name for this input that you will remember.
  3. Click Select Object to get a list of the performance objects available on this Windows machine, then choose the object that you want to monitor from the list. Splunk Enterprise displays the Select Counters and Select Instances list boxes.
  4. In the Select Counters list box, locate the performance counters you want this input to monitor.

    You can add only one performance object per data input. If you need to monitor multiple objects, create additional data inputs for each object.

  5. Click once on each counter you want to monitor. Splunk Enterprise moves the counter from the Available counter(s) window to the Selected counter(s) window.
  6. (Optional) To unselect a counter, click its name in the Available Items window.
  7. (Optional) To select or unselect all of the counters, click the add all or remove all links.

    Selecting all of the counters can result in the indexing of a lot of data.

  8. (Optional) In the Select Instances list box, select the instances that you want this input to monitor by clicking once on the instance in the Available instance(s) window.

    Selecting all of the counters can result in the indexing of a lot of data and possibly lead to license violations.

  9. In the Polling interval field, enter the time, in seconds, between polling attempts for the input.

    The _Total instance is a special instance, and appears for many types of performance counters. This instance is the average of any associated instances under the same counter.

  10. Click Next.

Specify input settings

Specify application context, default host value, and index in the Input Settings page. All of these parameters are optional.

Setting the Host on this page sets only the host field in the resulting events. It doesn't direct Splunk Enterprise to look on a specific host on your network.

  1. In Splunk Enterprise, select the application context for the input in the Application context field.
  2. Set the Host value. You have several choices for this setting. Learn more about setting the host value in About hosts.
  3. Set the Index that you want Splunk Enterprise to send data to. Leave the value as default, unless you have defined multiple indexes to handle different types of events.
  4. Click Review.

Review your choices

After you specify input settings, review your selections. Splunk Enterprise lists all options you selected, including the type of monitor, the source, the source type, the application context, and the index.

  1. Review the settings.
  2. If they don't match what you want, click the left-pointing bracket ( < ) to go back to the previous step in the wizard. Otherwise, click Submit.

Splunk Enterprise then loads a confirmation page and begins indexing the specified performance metrics. For more information on getting data from files and directories, see Monitor Windows performance in this manual.

Configure local Windows performance monitoring with configuration files

The inputs.conf configuration file controls performance monitoring configurations. To set up performance monitoring using configuration files, you must create or edit inputs.conf in %SPLUNK_HOME%\etc\system\local on the Windows machine where you want to collect the performance metrics. If you haven't worked with configuration files before, see About configuration files.

The option to configure local Windows monitoring is available for both Splunk Cloud Platform instances that receive forwarded data and Splunk Enterprise instances.

The [perfmon://<name>] stanza defines performance monitoring inputs in inputs.conf. You specify one stanza per performance object that you want to monitor.

In each stanza, you can specify the following settings:

interval (required)
  How often, in seconds, to poll for new data. If this setting is not present, the input runs every 300 seconds (5 minutes).

object (required)
  The performance objects that you want to capture. Specify either a string that exactly matches the name of an existing Performance Monitor object, or use a regular expression to reference multiple objects. If this setting isn't present and defined, the input can't run because there is no default.

counters (required)
  One or more valid performance counters that are associated with the object specified in the object setting. Separate multiple counters with semicolons. You can also use an asterisk ( * ) to specify all available counters under a given object. If this setting isn't present and defined, the input can't run because there is no default.

instances (optional)
  One or more valid instances associated with the performance counter specified in the counters setting. Multiple instances are separated by semicolons. Specify all instances by using an asterisk ( * ), which is the default if you don't define the setting in the stanza.

index (optional)
  The index to route performance counter data to. If this setting isn't defined, the default index is used.

disabled (optional)
  Whether or not to gather the performance data defined in this input. Set this setting to 1 to disable this stanza, and 0 to enable it. If the setting isn't defined, it defaults to 0.

The following advanced options are also available. None of them is required:

showZeroValue (optional)
  Whether or not Splunk Enterprise should collect events that have values of zero. Set this setting to 1 to collect zero-value events, and 0 to ignore these events. If not present, it defaults to 0.

samplingInterval (optional)
  How often, in milliseconds, that Splunk Enterprise is to collect performance data. Enables high-frequency performance sampling. When you enable high-frequency performance sampling, Splunk Enterprise collects performance data every interval and reports the average of the data as well as other statistics. It defaults to 100 milliseconds, and must be less than what you specify with the interval setting.

stats (optional)
  A semicolon-separated list of statistic values that Splunk Enterprise reports for high-frequency performance sampling. Allowed values are average, min, max, dev, and count. The default is no setting.

mode (optional)
  When you enable high-frequency sampling, this setting controls how Splunk Enterprise outputs events. Allowed values are single, multikv, multiMS, and multikvMS.

  When you enable either multiMS or multikvMS, Splunk Enterprise outputs two events for each performance metric it collects. The first event is the average value, and the second is the statistics event. The statistics event has a special sourcetype depending on which output mode you use: perfmonMSStats for multiMS and perfmonMKMSStats for multikvMS.

  If you don't enable high-frequency sampling, the multikvMS output mode is the same as the multikv output mode.

  The default is single.

useEnglishOnly (optional)
  Controls how Splunk Enterprise indexes performance metrics on systems whose locale isn't English. Specifically, this setting dictates which Windows Performance Monitor API to use when Splunk Enterprise indexes performance metrics on hosts that don't use the English language.

  If set to true, Splunk Enterprise collects the performance metrics in English regardless of the system locale. It uses the PdhAddEnglishCounter() API to add the counter string. It also disables regular expression and wildcard matching for the object and counter settings.

  If set to false, Splunk Enterprise collects the performance metrics in the system language and expects you to configure the object and counter settings in that language. It uses the PdhAddCounter() API to add the counter string. You can use wildcards and regular expressions, but you must specify valid object, counters, and instances values that are specific to the locale of the operating system.

  The default is false.

useWinApiProcStats (optional)
  When enabled, the input uses process kernel-mode and user-mode times to calculate CPU usage for a process. By default, the input uses the standard Performance Data Helper (PDH) APIs to calculate CPU usage for a process.

  When this setting is configured to true, the input uses the GetProcessTime() function in the core Windows API to calculate CPU usage for a process for the following Performance Monitor counters:

  • Processor Time
  • User Time
  • Privileged Time

  It's a best practice to enable the useWinApiProcStats setting on multicore Windows machines.

  Identify how many processors are in your system. The total number of cores can be verified on the System Information page in your Windows deployment.

  Each processor core in your system is equal to a maximum processor performance percentage of 100%. So for each core in a multicore Windows deployment, 100% is added to the total maximum available processor performance percentage. For example, an 8-core Windows environment has a maximum processor capability of 800%.

  Total processor capability can be validated in your Splunk Enterprise deployment by navigating to Data inputs > Local performance monitoring > Select system.

  The APIs that this setting uses are English only. If your Windows machine uses a non-English system locale, you must also set useEnglishOnly to true.

  See Performance Monitor inputs show maximum values of 100 percent usage for a process on multicore Microsoft Windows machines in the release notes for more information on calculating CPU usage on Windows multicore machines.

formatString (optional)
  Controls how Splunk Enterprise formats the output of floating-point values for performance counter events.

  Windows often prints performance counter events as floating-point values. When not formatted, the events print with all significant digits to the right of the decimal point. The formatString setting controls the number of significant digits that print as part of each event.

  The setting uses format specifiers from the C++ language printf function. The function includes many kinds of specifiers, depending on how you want to output the event text.

  When specifying the format, do not use quotation marks ("") around the format. Specify only the valid characters needed to format the string the way you want.

  The default is %.20g.

Collect performance metrics in English regardless of system locale

You can collect performance metrics in English even if the system that Splunk Enterprise runs on doesn't use the English language.

To do this, use the useEnglishOnly setting in stanzas within inputs.conf. There is no way to configure the useEnglishOnly setting in Splunk Web.

There are caveats to using useEnglishOnly in an inputs.conf stanza. See Caveats later in this topic.

Examples of performance monitoring input stanzas

Following are some example stanzas that show you how to use the inputs.conf configuration file to monitor performance monitor objects.

# Query the PhysicalDisk performance object and gather disk access data for
# all physical drives installed in the system. Store this data in the 
# "perfmon" index.
# Note: If the interval setting is set to 0, Splunk resets the interval
# to 1.

[perfmon://LocalPhysicalDisk]
interval = 0
object = PhysicalDisk
counters = Disk Bytes/sec; % Disk Read Time; % Disk Write Time; % Disk Time
instances = *
disabled = 0
index = perfmon

# Gather SQL statistics for all database instances on this SQL server.
# 'object' setting uses a regular expression "\$.*" to specify SQL
# statistics for all available databases.
[perfmon://SQLServer_SQL_Statistics]
object = MSSQL\$.*:SQL Statistics
counters = *
instances = *

# Gather information on all counters under the "Process" and "Processor" 
# Perfmon objects.
# We use '.*' as a wild card to match the 'Process' and 'Processor' objects.
[perfmon://ProcessandProcessor]
object = Process.*
counters = *
instances = *

# Collect CPU processor usage metrics in English only on a French system.
[perfmon://Processor]
object = Processor
instances = _Total
counters = % Processor Time;% User Time
useEnglishOnly = 1
interval = 30
disabled = 0

# Collect CPU processor usage metrics in the French system's native locale.
# Note that you must specify the counters in the language of that locale.
[perfmon://FrenchProcs]
counters = *
disabled = 0
useEnglishOnly = 0
interval = 30
object = Processeur
instances = *

# Collect CPU processor usage metrics. Format the output to two decimal places only.
# "%.2f" prints each floating-point value with exactly two digits after the
# decimal point; the default "%.20g" would print up to 20 significant digits.
[perfmon://Processor]
counters = *
disabled = 0
interval = 30
object = Processor
instances = *
formatString = %.2f

Important information about specifying performance monitor objects in the inputs.conf file

When you use the inputs.conf configuration file to configure Windows performance monitor inputs, take special care to ensure that the file contains the correct syntax for the inputs, or the Splunk platform will not index the data correctly.

Use all lowercase letters when specifying the perfmon keyword

When you create a performance monitor input in the inputs.conf file, you must use all lowercase letters for the perfmon keyword. See the following example:

Correct:
[perfmon://CPUTime]

Incorrect:
[Perfmon://CPUTime]
[PERFMON://CPUTime]

If you use capital or mixed-case letters for the keyword, the Splunk platform warns of the problem on start up, and the specified performance monitor input doesn't run.

Specify valid regular expressions to capture multiple performance monitor objects

To specify multiple objects in a single performance monitor stanza, you must use a valid regular expression to capture those objects. For example, to specify a wildcard to match a string beyond a certain number of characters, do not use an asterisk ( * ), but rather a period followed by an asterisk ( .* ). If the object contains a dollar sign or similar special character, you might need to escape it with a backslash ( \ ).

Values must exactly match what is in the Performance Monitor API if you don't use regular expressions

When you specify values for the object, counters, and instances settings in the [perfmon://] stanzas, confirm that those values exactly match those defined in the Performance Monitor API, including case, or else the input might return incorrect data or no data at all. If the input cannot match a performance object, counter, or instance value that you've specified, it logs that failure to the splunkd.log file. See the following example of a failed return:

01-27-2011 21:04:48.681 -0800 ERROR ExecProcessor - message from ""C:\Program Files\Splunk\bin\splunk-perfmon.exe" -noui" splunk-perfmon - PerfmonHelper::enumObjectByNameEx: PdhEnumObjectItems failed for object - 'USB' with error (0xc0000bb8): The specified object is not found on the system.

Use Splunk Web to add performance monitor data inputs to ensure that you add them correctly.
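The stanza settings described earlier in this topic and the syntax rules in this section lend themselves to an automated check before a file is deployed to forwarders. The following linter is an added example and is not part of the Splunk product or its documentation: it parses inputs.conf with Python's standard configparser and flags a mixed-case perfmon keyword, a missing interval, object or counters setting, an interval of 0, an unescaped $ or invalid regular expression in object, a bare * used where .* is meant, regex metacharacters in object when useEnglishOnly is on, a samplingInterval that is not below interval, unknown stats or mode values, and a quoted formatString. The sample file is constructed for the example, and the comparison of samplingInterval (milliseconds) against interval (seconds) in milliseconds is this example's reading of the documentation, not something the page states.

```python
import configparser
import re

# Constructed sample inputs.conf (not from the Splunk docs) mixing valid and
# flawed [perfmon://] stanzas that exercise the rules described in this topic.
SAMPLE_INPUTS_CONF = """
[perfmon://LocalPhysicalDisk]
interval = 0
object = PhysicalDisk
counters = Disk Bytes/sec; % Disk Read Time; % Disk Write Time; % Disk Time

[Perfmon://CPUTime]
interval = 30
object = Processor
counters = % Processor Time

[perfmon://AllSql]
interval = 60
object = MSSQL$*:SQL Statistics
counters = *

[perfmon://HighFreq]
interval = 10
object = Processor
counters = % Processor Time
samplingInterval = 20000
stats = average;max;median
mode = multikvMS
formatString = "%.2f"

[perfmon://EnglishRegex]
interval = 30
object = Process.*
counters = *
useEnglishOnly = true
"""

REQUIRED = ("interval", "object", "counters")
ALLOWED_STATS = {"average", "min", "max", "dev", "count"}
ALLOWED_MODES = {"single", "multikv", "multiMS", "multikvMS"}
REGEX_METACHARS = set(".*[]()|?+\\")


def load_stanzas(text):
    """Parse Splunk .conf text into {stanza name: {setting: value}}."""
    cp = configparser.ConfigParser(interpolation=None)  # keep '%' literal in counters
    cp.optionxform = str  # setting names are case-sensitive (useEnglishOnly, ...)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def lint_perfmon_stanza(name, s):
    """Return 'error: ...' / 'warning: ...' strings for one [perfmon://] stanza."""
    findings = []
    scheme = name.split("://", 1)[0]
    if scheme != "perfmon":  # Splunk warns at startup and the input does not run
        findings.append("error: perfmon keyword must be all lowercase (found %r)" % scheme)
    for key in REQUIRED:  # these three settings have no default
        if key not in s:
            findings.append("error: %s is required; the input cannot run without it" % key)
    if s.get("interval") == "0":
        findings.append("warning: interval 0 is reset to 1 second by Splunk")
    obj = s.get("object", "")
    if s.get("useEnglishOnly", "false").lower() in ("1", "true") and REGEX_METACHARS & set(obj):
        findings.append("warning: useEnglishOnly disables regex and wildcard matching; "
                        "object %r is taken literally" % obj)
    if re.search(r"(?<!\\)\$(?!\Z)", obj):  # a '$' inside the name needs a backslash
        findings.append("warning: escape the $ in object %r with a backslash" % obj)
    try:
        re.compile(obj)
    except re.error as exc:
        findings.append("error: object %r is not a valid regular expression (%s)" % (obj, exc))
    else:
        if re.search(r"(?<![.\])])\*", obj):  # a bare '*' is not a regex wildcard
            findings.append("warning: use '.*' rather than a bare '*' as a wildcard in object")
    if "samplingInterval" in s and "interval" in s:
        # interval is in seconds and samplingInterval in milliseconds; comparing in
        # milliseconds is this example's reading of "must be less than interval".
        if int(s["samplingInterval"]) >= int(s["interval"]) * 1000:
            findings.append("error: samplingInterval must be less than interval")
    for stat in s.get("stats", "").split(";"):
        if stat.strip() and stat.strip() not in ALLOWED_STATS:
            findings.append("error: unknown stats value %r" % stat.strip())
    if "mode" in s and s["mode"] not in ALLOWED_MODES:
        findings.append("error: unknown mode %r" % s["mode"])
    fmt = s.get("formatString", "")
    if fmt.startswith('"') or fmt.endswith('"'):
        findings.append("error: do not put quotation marks around formatString")
    return findings


def lint_inputs_conf(text):
    """Lint every perfmon-style stanza in the file; other input types are skipped."""
    return {name: lint_perfmon_stanza(name, s)
            for name, s in load_stanzas(text).items()
            if name.split("://", 1)[0].lower() == "perfmon"}


if __name__ == "__main__":
    for name, findings in lint_inputs_conf(SAMPLE_INPUTS_CONF).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("   ", finding)
```

Running the script prints one line per stanza with its findings, so it can sit in a deployment pipeline that rejects a file with any error-level finding. Object names are only checked for syntax here; whether a name matches what the Performance Monitor API on the target host exposes still has to be confirmed on that host, which is why this topic recommends Splunk Web for picking objects.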

Enable remote Windows performance monitoring over WMI

You can configure remote performance monitoring either in Splunk Web or by using configuration files.

When you collect performance metrics over WMI, you must configure the Splunk platform instance to run as an Active Directory (AD) user with appropriate access for remote collection of performance metrics. You must do this before attempting to collect those metrics. Both the machine that runs the Splunk platform instance and the machines the Splunk platform collects performance data from must reside in the same AD domain or forest.

WMI self-throttles by design to prevent denial-of-service attacks. The Splunk platform also reduces the number of WMI calls it makes over time as a precautionary measure if these calls return an error. Depending on the size, configuration, and security profile of your network, installing a local forwarder on the host that you want to collect performance metrics might be a better choice. See Considerations for deciding how to monitor remote Windows data in this manual.

WMI-based performance values versus Performance Monitor values

When you gather remote performance metrics through WMI, some metrics return zero values or values that are not in line with values that Performance Monitor returns. A limitation in the implementation of WMI for performance monitor counters causes this problem. This is not an issue with the Splunk platform or how it retrieves WMI-based data.

WMI uses the Win32_PerfFormattedData_* data classes to gather performance metrics. Find more information about Win32 classes at https://docs.microsoft.com/en-us/previous-versions//aa394084(v=vs.85)?redirectedfrom=MSDN.

WMI defines the data structures within these classes as either 32- or 64-bit unsigned integers, depending on the version of Windows you run. The Windows Performance Data Helper (PDH) API defines Performance Monitor objects as floating-point variables. A floating-point variable means that you might see WMI-based metrics that appear anomalous, due to rounding factors.

For example, if you collect data on the Average Disk Queue Length Performance Monitor counter at the same time you collect the Win32_PerfFormattedData_PerfDisk_PhysicalDisk\AvgDiskQueueLength metric through WMI, the WMI-based metric might return zero values even though the Performance Monitor metric returns values that are greater than zero but less than 0.5. This is because WMI rounds the value down before displaying it.

If you require additional granularity in your performance metrics, configure the performance monitoring inputs on a universal forwarder on each machine from which you want to collect performance data. You can then forward that data to an indexer. Data retrieved using this method is more reliable than data gathered remotely using WMI-based inputs.

Configure remote Windows performance monitoring with Splunk Web

This option is available on Splunk Enterprise only. It isn't available on Splunk Cloud instances. You can instead configure a universal forwarder in Splunk Enterprise and forward that data to the Splunk Cloud instance.

In Splunk Enterprise, go to the Add New page in Splunk Web through either Splunk Settings or Splunk Home.

To access the Add New page through Splunk Settings, follow these steps:

  1. Click Settings in the upper-right corner of Splunk Web.
  2. Click Data Inputs.
  3. Click Remote performance monitoring.
  4. Click New to add an input.

To access the Add New page through Splunk Home, follow these steps:

  1. Click the Add Data link in Splunk Home.
  2. Click Monitor to monitor performance data from the local Windows machine, or Forward to forward performance data from another Windows machine. Splunk Enterprise loads the Add Data - Select Source page.

    Forwarding performance data requires additional setup.

  3. In the left pane, locate and select Local Performance Monitoring.

Select the input source

Win32_PerfFormattedData_* classes don't show up as available objects in Splunk Web. If you want to monitor Win32_PerfFormattedData_* classes, you must add them directly in the wmi.conf file. See Configure remote Windows performance monitoring with configuration files for more information. Follow these steps:

  1. In the left pane of Splunk Enterprise, select Local Performance Monitoring.
  2. In the Collection Name field, enter a unique name for this input that you will remember.
  3. In the Select Target Host field, enter the host name or IP address of the Windows computer you want to collect performance data from.
  4. Click Query to get a list of the performance objects available on the Windows machine you specified in the Select Target Host field.
  5. Choose the object that you want to monitor from the Select Class list. Splunk Enterprise displays the Select Counters and Select Instances list boxes.
  6. In the Select Counters list box, locate the performance counters you want this input to monitor.

    You can add only one performance object per data input. This is due to how Microsoft handles performance monitor objects. Many objects enumerate classes that describe themselves dynamically upon selection. This can lead to confusion as to which performance counters and instances belong to which object, as defined in the input. If you need to monitor multiple objects, create additional data inputs for each object.

  7. Click once on each counter you want to monitor. Splunk Enterprise moves the counter from the Available counter(s) window to the Selected counter(s) window.
  8. To unselect a counter, click its name in the Available Items window. Splunk Enterprise moves the counter from the Selected counter(s) window to the Available counter(s) window.
  9. To select or unselect all of the counters, click the add all or remove all links.

    Selecting all of the counters can result in the indexing of a lot of data, possibly more than your license allows.

  10. In the Select Instances list box, select the instances that you want this input to monitor by clicking once on the instance in the Available instance(s) window. Splunk Enterprise moves the instance to the Selected instance(s) window.
  11. In the Polling interval field, enter the time, in seconds, between polling attempts for the input.

    The _Total instance is a special instance, and appears for many types of performance counters. This instance is the average of any associated instances under the same counter. Data collected for this instance can be significantly different than for individual instances under the same counter.

    For example, when you monitor performance data for the Disk Bytes/Sec performance counter under the PhysicalDisk object on a system with two disks, the available instances include one for each physical disk (0 C: and 1 D:) and the _Total instance, which is the average of the two physical disk instances.

  12. Click Next.

Specify input settings

Specify application context, default host value, and index in the Input Settings page. All of these parameters are optional.

Setting the Host value sets the host field only in the resulting events. It doesn't direct Splunk Enterprise to look on a specific host on your network.

  1. Select the appropriate Application context for this input.
  2. Set the Host value. You have several choices for this setting. Learn more about setting the host value in About hosts.
  3. Set the Index that Splunk Enterprise should send data to. Leave the value as default, unless you have defined multiple indexes to handle different types of events.
  4. Click the Review button.

Review your choices

After you specify input settings, review your selections. Splunk Enterprise lists all options you selected, including the type of monitor, the source, the source type, the application context, and the index.

  1. Review the settings.
  2. If they don't match what you want, click the left-pointing bracket ( < ) to go back to the previous step in the wizard. Otherwise, click Submit.

Splunk Enterprise then loads a confirmation page and begins indexing the specified performance metrics. For more information on getting data from files and directories, see Monitor Windows performance in this manual.

Configure remote Windows performance monitoring with configuration files

The wmi.conf configuration file controls remote performance monitoring configurations. To set up remote performance monitoring using configuration files, create or edit wmi.conf in %SPLUNK_HOME%\etc\system\local. If you haven't worked with configuration files before, read About configuration files before you begin.

For Splunk Cloud instances, install a universal forwarder on the machine where you want to collect the performance data, and configure that forwarder to send the data to Splunk Cloud. On Splunk Enterprise instances, use Splunk Web to create remote performance monitor inputs unless you do not have access to it. The names of performance monitor objects, counters, and instances must exactly match what the Performance Monitor API defines, including case. Splunk Web uses WMI to get the properly formatted names, eliminating the potential for typos.

The wmi.conf file contains one stanza for each remote performance monitor object that you want to monitor. In each stanza, you specify the following settings:

Global settings

initial_backoff (optional; default 5)
  How long, in seconds, to wait before retrying a connection to a WMI provider when an error occurs. If problems persist on connecting to the provider, then the wait time between connection attempts doubles until either it can connect or until the wait time is greater than or equal to the max_backoff setting.

max_backoff (optional; default 20)
  The maximum amount of time, in seconds, to attempt to reconnect to a WMI provider.

max_retries_at_max_backoff (optional; default 2)
  How many times, after max_backoff seconds has been reached between reconnection attempts with a WMI provider, to continue to attempt to reconnect to that provider.

checkpoint_sync_interval (optional; default 2)
  How long, in seconds, to wait for state data to be flushed to disk.

Input-specific settings

interval (required; no default)
  How often, in seconds, to poll for new data. If this setting isn't present, the input can't run because there is no default.

server (optional; default: the local machine)
  A comma-separated list of one or more valid hosts on which you want to monitor performance.

event_log_file (optional; no default)
  The names of one or more Windows event log channels to poll. This setting tells Splunk Enterprise that the incoming data is in event log format.

  Do not use the event_log_file setting in a stanza that already contains the wql setting.

wql (optional; no default)
  A valid Windows Query Language (WQL) statement that specifies the performance objects, counters, and instances you want to poll remotely. This setting tells Splunk Enterprise to expect data from a WMI provider.

  Don't use the wql setting in a stanza that already contains the event_log_file setting.

namespace (optional; default Root\CIMV2)
  The namespace in which the WMI provider you want to query resides. The value for this setting can be either relative, such as Root\CIMV2, or absolute, such as \\SERVER\Root\CIMV2, but it must be relative if you specify the server setting.

  Use the namespace setting only in a stanza that contains the wql setting.

index (optional; default: default)
  The desired index to route performance counter data to.

current_only (optional; no default)
  The characteristics and interaction of WMI-based event collections based on whether the wql setting or the event_log_file setting is defined:
  • If wql is defined, this setting tells Splunk Enterprise whether or not to expect an event notification query. Set to 1 to expect an event notification query, or 0 to expect a standard query.
  • If event_log_file is defined, this setting tells Splunk Enterprise whether or not to capture events that occur only when Splunk Enterprise is running. Set to 1 to only capture events that occur when Splunk Enterprise is running, or 0 to gather events from the last checkpoint or, if no checkpoint exists, the oldest events available.

disabled (optional; default 0)
  Tells Splunk Enterprise whether or not to gather the performance data defined in this input. Set to 1 to disable performance monitoring for this stanza, or 0 to enable it.

Examples of using wmi.conf

The following example of wmi.conf gathers local disk and memory performance metrics and places them into the wmi_perfmon index:

[settings]
initial_backoff = 5
max_backoff = 20
max_retries_at_max_backoff = 2
checkpoint_sync_interval = 2

# Gather disk and memory performance metrics from the local system every second.
# Store events in the "wmi_perfmon" Splunk index.

[WMI:LocalPhysicalDisk]
interval = 1
wql = select Name, DiskBytesPerSec, PercentDiskReadTime, PercentDiskWriteTime, PercentDiskTime from \
 Win32_PerfFormattedData_PerfDisk_PhysicalDisk
disabled = 0
index = wmi_perfmon

[WMI:LocalMainMemory]
interval = 10
wql = select CommittedBytes, AvailableBytes, PercentCommittedBytesInUse, Caption from \
 Win32_PerfFormattedData_PerfOS_Memory
disabled = 0
index = wmi_perfmon

Additional information on WQL query statements

WQL queries must be structurally and syntactically correct. If they aren't, you might get undesirable results or no results at all. When you write an event notification query by specifying current_only=1 in the stanza in which the WQL query resides, your WQL statement must contain one of the clauses that identify such a query: WITHIN, GROUP, or HAVING. See https://docs.microsoft.com/en-us/windows/win32/wmisdk/querying-with-wql?redirectedfrom=MSDN on the Microsoft website for more information.

Splunk Web eliminates problems with WQL syntax by generating the appropriate WQL queries when you use it to create performance monitor inputs.
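As an added example (not Splunk's own code or documentation), the following Python check applies the wmi.conf rules described above to a constructed sample file: interval is required, wql and event_log_file are mutually exclusive, namespace belongs only with wql and must be relative when server is set, and current_only = 1 requires an event notification query containing WITHIN, GROUP, or HAVING. The stanza names, server names, and the event notification query in the sample are constructed for illustration.

```python
import configparser

# Constructed sample wmi.conf (not from the page): one good stanza, three bad ones.
SAMPLE_WMI_CONF = """[settings]
initial_backoff = 5
[WMI:LocalMainMemory]
interval = 10
wql = select CommittedBytes, AvailableBytes from Win32_PerfFormattedData_PerfOS_Memory
index = wmi_perfmon
[WMI:BadMixed]
interval = 5
wql = select Name from Win32_PerfFormattedData_PerfOS_Processor
event_log_file = Application
[WMI:BadNamespace]
interval = 5
server = srv01,srv02
wql = select Name from Win32_PerfFormattedData_PerfOS_Processor
namespace = \\\\SERVER\\Root\\CIMV2
[WMI:BadNotify]
wql = select * from __InstanceCreationEvent where TargetInstance isa 'Win32_Process'
current_only = 1
"""

# An event notification query (current_only = 1) must carry one of these clauses.
EVENT_QUERY_CLAUSES = ("WITHIN", "GROUP", "HAVING")


def check_wmi_conf(text):
    # Returns {stanza: [problems]} for each [WMI:...] stanza that breaks a documented rule.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    problems = {}
    for name in cp.sections():
        if not name.startswith("WMI:"):
            continue  # [settings] holds only the global backoff values
        s = cp[name]
        found = []
        if "interval" not in s:
            found.append("interval is required; the input cannot run without it")
        if "wql" in s and "event_log_file" in s:
            found.append("wql and event_log_file cannot share a stanza")
        if "namespace" in s and "wql" not in s:
            found.append("namespace is valid only with wql")
        if "namespace" in s and "server" in s and s["namespace"].startswith("\\\\"):
            found.append("namespace must be relative when server is set")
        wql_words = {w.upper() for w in s.get("wql", "").split()}
        if s.get("current_only") == "1" and "wql" in s and not wql_words & set(EVENT_QUERY_CLAUSES):
            found.append("current_only = 1 requires WITHIN, GROUP or HAVING in wql")
        if found:
            problems[name] = found
    return problems
```

Run check_wmi_conf against the text of your own wmi.conf before restarting the forwarder; a stanza with an empty problem list is one Splunk Web would have produced.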

Caveats to using the performance monitoring input

When you use the Windows performance monitor input to collect performance monitoring data from Windows machines, keep the following caveats in mind:

Increased memory usage during collection of performance metrics

When you collect data on some performance objects, such as the Thread object and its associated counters, you might notice increased memory usage in your Splunk Enterprise deployment. This increase in usage is normal, as certain performance objects consume more memory than others during the collection process.

Processor Time counters don't return values higher than 100

Due to how Microsoft tallies CPU usage with the Processor:% Processor Time and Process:% Processor Time counters, these counters don't return a value higher than 100 regardless of the number of CPUs or cores in the system. This behavior is by design. These counters subtract the amount of time spent on the idle process from 100%.

Limitations to the useEnglishOnly setting

When you edit the inputs.conf file on a non-English system to enable performance monitoring, there are some limitations to how the useEnglishOnly setting works.

If you set the setting to true, you cannot use wildcards or regular expressions for the object and counters settings. These settings must contain specific entries based on valid English values as defined in the Performance Data Helper library. You can specify a wildcard for the instances setting. Here's an example:

[perfmon://Processor]
object = Processor
instances = _Total
counters = % Processor Time;% User Time
useEnglishOnly = 1
interval = 30
disabled = 0

The counters setting contains values in English even though the system language is not English.

If you set the setting to false, you can use wildcards and regular expressions for these settings, but you must specify values based on the operating system's language. An example of a stanza on a system running in French follows:

[perfmon://FrenchProcs]
counters = *
disabled = 0
useEnglishOnly = 0
interval = 30
object = Processeur
instances = *

Note in this example that the object setting has been set to Processeur, which is the French equivalent of Processor. If you specify English values here, Splunk Enterprise will not find the performance object or instance.

Additional impacts of using the useEnglishOnly setting

There are additional items to consider when using the setting.

  • When you use Splunk Web to create performance monitor inputs on a non-English operating system, it always specifies useEnglishOnly = false.
  • Additionally, you can enable, disable, clone, or delete these stanzas within Splunk Web. You cannot, however, edit them in Splunk Web unless the operating system's locale matches the locale specified in the stanza.
  • You can use Splunk Web to enable, disable, clone, or delete a performance monitor stanza with the useEnglishOnly setting set to true. However, you cannot edit them in Splunk Web unless the system's locale is English.
Last modified on 27 February, 2023

This documentation applies to the following versions of Splunk® Enterprise: 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1

