Monitor Windows performance
supports the monitoring of all Windows performance counters in real time, which includes support for both local and remote collection of performance data.
The performance monitoring input gives you access to the Performance Monitor in a web interface. The Splunk platform uses the Windows Performance Data Helper (PDH) API for performance counter queries on local Windows machines.
The types of performance objects, counters, and instances that are available to the platform depend on the performance libraries that are on the machine. Both Microsoft and third-party vendors provide libraries that contain performance counters. For information on performance monitoring, search the Microsoft documentation website for "Performance Counters".
To get Windows performance monitor data in, you must run either a Splunk Enterprise heavy forwarder or universal forwarder on the Windows machine from which you want to collect the performance metrics, and then forward that data to the Splunk platform instance. Both full instances of Splunk Enterprise and universal forwarders can collect local performance metrics. Remote performance monitoring is available through Windows Management Instrumentation (WMI) and requires that the Splunk platform instance on the Windows machine runs as a user with appropriate Active Directory credentials.
On Splunk Enterprise and the universal forwarder, the performance monitor input runs as a process called splunk-perfmon.exe. The process runs once for every input you define, at the interval you specify in the input. You can configure performance monitoring either with Splunk Web or by using configuration files.
The performance monitor input uses two files for configuration. The file that you use to configure the input depends on whether you want to get performance data from a local instance or from a remote instance:
- You use the inputs.conf configuration file to get local performance data.
- You use the wmi.conf configuration file to get performance data from a remote machine.
Why monitor performance metrics?
Performance monitoring is an important part of the Windows administrator toolkit. Windows generates a lot of data about machine health. Properly analyzing that data can mean the difference between a healthy, well-functioning machine, and one that suffers downtime.
What you need to monitor performance counters
The following table lists the minimum requirements you need to monitor performance counters in Windows. You might have additional requirements based on the performance objects or counters that you want to monitor.
For additional information on performance metrics monitoring requirements, see Security and remote access considerations later in this topic.
Activity | Required permissions |
---|---|
Monitor local performance metrics | * The Splunk platform instance must receive performance data from a forwarder. * The forwarder must run on Windows. See Install on Windows in the Splunk Enterprise Installation Manual. * The forwarder must run as the LocalSystem Windows user. Choose the Windows user Splunk Enterprise should run as in the Splunk Enterprise Installation Manual. |
Monitor remote performance metrics on another computer over WMI | * The Splunk platform instance must receive performance data from a forwarder. * The forwarder must run on Windows. * The forwarder must run as a domain or remote user with at least read access to WMI on the target machine. * The forwarder must run as a domain or remote user with appropriate access to the Performance Data Helper libraries on the target machine. |
Security and remote access considerations
Where possible, use a universal forwarder to send performance data from remote machines to the Splunk platform or Splunk Enterprise indexer.
Splunk Enterprise gets data from remote machines with either a forwarder or WMI.
If you install forwarders on your remote Windows machines to collect performance data, then you can install the forwarder as the LocalSystem user on those machines. The LocalSystem user has access to all data on the local machine, but not to remote computers.
If you want Splunk Enterprise to use WMI to get performance data from remote machines, then you must configure both Splunk Enterprise and your Windows network. You cannot install Splunk Enterprise as the LocalSystem user, and the user that you choose determines what Performance Monitor objects Splunk Enterprise can read.
After you install Splunk Enterprise with a valid user, you must add that user to the following groups before you enable local performance monitor inputs:
- Performance Monitor Users (domain group)
- Performance Log Users (domain group)
To learn more about WMI security, see Security and remote access considerations in the Monitor data through Windows Management Instrument (WMI) topic. To learn how to use a universal forwarder, see The universal forwarder in the Splunk Universal Forwarder Forwarder Manual.
Enable local Windows performance monitoring
On the Splunk platform, you must forward data from the Windows machines where you want to collect performance data.
On Splunk Enterprise, you can configure local performance monitoring directly either in Splunk Web or with configuration files.
Splunk Web is the preferred way to add performance monitoring data inputs on Splunk Enterprise instances. Typos are easy to make in configuration files, and it is important to specify performance monitor objects exactly as the Performance Monitor API defines them. See "Important information about specifying performance monitor objects in inputs.conf" later in this topic for a full explanation.
Configure local Windows performance monitoring with Splunk Web
You can collect Windows performance monitoring metrics with Splunk Web only on Splunk Enterprise instances.
To begin configuring Windows performance monitoring metrics, access the Add New page in Splunk Web through either Splunk Settings or Splunk Home.
To connect Windows performance monitoring metrics through Splunk Settings, follow these steps:
- Click Settings > Data Inputs.
- Click Local performance monitoring.
- Click New to add an input.
- Continue with the steps in "Select an input source" later in this topic.
To connect Windows performance monitoring metrics through through Splunk Home, follow these steps:
- Click the Add Data link in Splunk Home.
- Click Monitor to monitor performance data from the local Windows machine, or Forward to receive performance data from another machine.
- If you selected Forward, choose or create the group of forwarders you want this input to apply to.
- Click Next.
- Continue with the steps in "Select an input source" later in this topic.
Select the input source
- In the left pane of Splunk Enterprise, select Local Performance Monitoring.
- In the Collection Name field, enter a unique name for this input that you will remember.
- Click Select Object to get a list of the performance objects available on this Windows machine, then choose the object that you want to monitor from the list. Splunk Enterprise displays the Select Counters and Select Instances list boxes.
- In the Select Counters list box, locate the performance counters you want this input to monitor.
- Click once on each counter you want to monitor. Splunk Enterprise moves the counter from the Available counter(s) window to the Selected counter(s) window.
- (Optional) To unselect a counter, click its name in the Available Items window.
- (Optional) To select or unselect all of the counters, click the add all or remove all links.
- (Optional) In the Select Instances list box, select the instances that you want this input to monitor by clicking once on the instance in the Available instance(s) window.
Selecting all of the counters can result in the indexing of a lot of data and possibly lead to license violations. - In the Polling interval field, enter the time, in seconds, between polling attempts for the input.
- Click Next.
You can add only one performance object per data input. If you need to monitor multiple objects, create additional data inputs for each object.
Selecting all of the counters can result in the indexing of a lot of data.
The _Total
instance is a special instance, and appears for many types of performance counters. This instance is the average of any associated instances under the same counter.
Specify input settings
Specify application context, default host value, and index in the he Input Settings page. All of these parameters are optional.
Setting the Host on this page sets only the host field in the resulting events. It doesn't direct Splunk Enterprise to look on a specific host on your network.
- In Splunk Enterprise, select the application context for the input in the Application context field.
- Set the Host value. You have several choices for this setting. Learn more about setting the host value in About hosts.
- Set the Index that you want Splunk Enterprise to send data to. Leave the value as
default
, unless you have defined multiple indexes to handle different types of events. - Click Review.
Review your choices
After you specify input settings, review your selections. Splunk Enterprise lists all options you selected, including the type of monitor, the source, the source type, the application context, and the index.
- Review the settings.
- If they don't match what you want, click the left-pointing bracket ( < ) to go back to the previous step in the wizard. Otherwise, click Submit.
Splunk Enterprise then loads a confirmation page and begins indexing the specified performance metrics. For more information on getting data from files and directories, see Monitor Windows performance in this manual.
Configure local Windows performance monitoring with configuration files
The inputs.conf configuration file controls performance monitoring configurations. To set up performance monitoring using configuration files, you must create or edit inputs.conf in %SPLUNK_HOME%\etc\system\local on the Windows machine where you want to collect the performance metrics. If you haven't worked with configuration files before, see About configuration files.
The option to configure local Windows monitoring is available for both Splunk Cloud Platform instances that receive forwarded data and Splunk Enterprise instances.
The [perfmon://<name>]
stanza defines performance monitoring inputs in inputs.conf. You specify one stanza per performance object that you want to monitor.
In each stanza, you can specify the following settings:
Setting | Required? | Description |
---|---|---|
interval
|
Yes | How often, in seconds, to poll for new data. If this setting is not present, the input runs every 300 seconds (5 minutes). |
object
|
Yes | The performance objects that you want to capture. Specify either a string that exactly matches the name of an existing Performance Monitor object, or use a regular expression to reference multiple objects. If this setting isn't present and defined, the input can't run because there is no default. |
counters
|
Yes | One or more valid performance counters that are associated with the object specified in the object setting. Separate multiple counters with semicolons. You can also use an asterisk ( * ) to specify all available counters under a given object . If this setting isn't present and defined, the input can't run because there is no default.
|
instances
|
No | One or more valid instances associated with the performance counter specified in the counters setting. Multiple instances are separated by semicolons. Specify all instances by using an asterisk ( * ), which is the default if you don't define the setting in the stanza.
|
index
|
No | The index to route performance counter data to. If this setting isn't defined, the default index is used. |
disabled
|
No | Whether or not to gather the performance data defined in this input. Set this setting to 1 to disable this stanza, and 0 to enable it. If the setting isn't defined, it defaults to 0 .
|
The following table shows advanced options:
Setting | Required? | Description |
---|---|---|
showZeroValue
|
No | Whether or not Splunk Enterprise should collect events that have values of zero.
|
samplingInterval
|
No | How often, in milliseconds, that Splunk Enterprise is to collect performance data.
|
stats
|
No | A semicolon-separated list of statistic values that Splunk Enterprise reports for high-frequency performance sampling.
|
mode
|
No | When you enable high-performance sampling, this setting controls how Splunk Enterprise outputs events.
|
useEnglishOnly
|
No | Controls how Splunk Enterprise indexes performance metrics on systems whose locale isn't English. Specifically, this setting dictates which Windows Performance Monitor API to use when Splunk Enterprise indexes performance metrics on hosts that don't use the English language.
|
useWinApiProcStats
|
No | When enabled, the useWinApiProcStats setting in the Performance Monitor input uses process kernel mode and user mode times to calculate CPU usage for a process. Currently, the input uses the standard Performance Data Helper (PDH) APIs to calculate CPU usage for a process.
It's a best practice to enable the The APIs that this setting uses are English only. If your Windows machine uses a non-English system locale, you must also set See Performance Monitor inputs show maximum values of 100 percent usage for a process on multicore Microsoft Windows machines in the release notes for more information on calculating CPU usage on Windows multicore machines. |
formatString
|
No | Controls how Splunk Enterprise formats the output of floating-point values for performance counter events.
|
Collect performance metrics in English regardless of system locale
You can collect performance metrics in English even if the system that Splunk Enterprise runs on doesn't use the English language.
To do this, use the useEnglishOnly
setting in stanzas within inputs.conf. There is no way to configure the useEnglishOnly
setting in Splunk Web.
There are caveats to using useEnglishOnly
in an inputs.conf stanza. See Caveats later in this topic.
Examples of performance monitoring input stanzas
Following are some example stanzas that show you how to use the inputs.conf configuration file to monitor performance monitor objects.
# Query the PhysicalDisk performance object and gather disk access data for # all physical drives installed in the system. Store this data in the # "perfmon" index. # Note: If the interval setting is set to 0, Splunk resets the interval # to 1. [perfmon://LocalPhysicalDisk] interval = 0 object = PhysicalDisk counters = Disk Bytes/sec; % Disk Read Time; % Disk Write Time; % Disk Time instances = * disabled = 0 index = PerfMon # Gather SQL statistics for all database instances on this SQL server. # 'object' setting uses a regular expression "\$.*" to specify SQL # statistics for all available databases. [perfmon://SQLServer_SQL_Statistics] object = MSSQL\$.*:SQL Statistics counters = * instances = * # Gather information on all counters under the "Process" and "Processor" # Perfmon objects. # We use '.*' as a wild card to match the 'Process' and 'Processor' objects. [perfmon://ProcessandProcessor] object = Process.* counters = * instances = * # Collect CPU processor usage metrics in English only on a French system. [perfmon://Processor] object = Processor instances = _Total counters = % Processor Time;% User Time useEnglishOnly = 1 interval = 30 disabled = 0 # Collect CPU processor usage metrics in the French system's native locale. # Note that you must specify the counters in the language of that locale. [perfmon://FrenchProcs] counters = * disabled = 0 useEnglishOnly = 0 interval = 30 object = Processeur instances = * # Collect CPU processor usage metrics. Format the output to two decimal places only. [perfmon://Processor] counters = * disabled = 0 interval = 30 object = Processor instances = * formatString = %.20g
Important information about specifying performance monitor objects in the inputs.conf file
When you use the inputs .con configuration file to configure Windows performance monitor inputs, you must take special care in ensuring that the file contains the correct syntax for the inputs, or the Splunk platform will not index the data correctly.
Use all lowercase letters when specifying the perfmon keyword
When you create a performance monitor input in the inputs.conf file, you must use all lowercase letters for the perfmon
keyword. See the following example:
- Correct)
[perfmon://CPUTime]
- Incorrect
[Perfmon://CPUTime]
[PERFMON://CPUTime]
If you use capital or mixed-case letters for the keyword, the Splunk platform warns of the problem on start up, and the specified performance monitor input doesn't run.
Specify valid regular expressions to capture multiple performance monitor objects
To specify multiple objects in a single performance monitor stanza, you must use a valid regular expression to capture those objects. For example, to specify a wildcard to match a string beyond a certain number of characters, do not use an asterisk ( * ), but rather a period followed by an asterisk ( .* ). If the object contains a dollar sign or similar special character, you might need to escape it with a backslash ( \ ).
Values must exactly match what is in the Performance Monitor API if you don't use regular expressions
When you specify values for the object
, counters
, and instances
settings in th [perfmon://]
stanzas, confirm that those values exactly match those defined in the Performance Monitor API, including case, or else the input might return incorrect data or no data at all. If the input cannot match a performance object, counter, or instance value that you've specified, it logs that failure to the splunkd.log file. See the following example of a failed return:
01-27-2011 21:04:48.681 -0800 ERROR ExecProcessor - message from ""C:\Program Files\Splunk\bin\splunk-perfmon.exe" -noui" splunk-perfmon - PerfmonHelper::enumObjectByNameEx: PdhEnumObjectItems failed for object - 'USB' with error (0xc0000bb8): The specified object is not found on the system.
Use Splunk Web to add performance monitor data inputs to ensure that you add them correctly.
Enable remote Windows performance monitoring over WMI
You can configure remote performance monitoring either in Splunk Web or by using configuration files.
When you collect performance metrics over WMI, you must configure the Splunk platform instance to run as an Active Directory (AD) user with appropriate access for remote collection of performance metrics. You must do this before attempting to collect those metrics. Both the machine that runs the Splunk platform instance and the machines the Splunk platform collects performance data from must reside in the same AD domain or forest.
WMI self-throttles by design to prevent denial-of-service attacks. The Splunk platform also reduces the number of WMI calls it makes over time as a precautionary measure if these calls return an error. Depending on the size, configuration, and security profile of your network, installing a local forwarder on the host that you want to collect performance metrics might be a better choice. See Considerations for deciding how to monitor remote Windows data in this manual.
WMI-based performance values versus Performance Monitor values
When you gather remote performance metrics through WMI, some metrics return zero values or values that are not in line with values that Performance Monitor returns. A limitation in the implementation of WMI for performance monitor counters causes this problem. This is not an issue with the Splunk platform or how it retrieves WMI-based data.
WMI uses the Win32_PerfFormattedData_*
data classes to gather performance metrics. Find more information about Win32 classes at https://docs.microsoft.com/en-us/previous-versions//aa394084(v=vs.85)?redirectedfrom=MSDN.
WMI defines the data structures within these classes as either 32- or 64-bit unsigned integers, depending on the version of Windows you run. The Windows Performance Data Helper (PDH) API defines Performance Monitor objects as floating-point variables. A floating-point variable means that you might see WMI-based metrics that appear anomalous, due to rounding factors.
For example, if you collect data on the Average Disk Queue Length Performance Monitor counter at the same time you collect the Win32_PerfFormattedData_PerfDisk_PhysicalDisk\AvgDiskQueueLength
metric through WMI, the WMI-based metric might return zero values even though the Performance Monitor metric returns values that are greater than zero but less than 0.5. This is because WMI rounds the value down before displaying it.
If you require additional granularity in your performance metrics, configure the performance monitoring inputs on a universal forwarder on each machine from which you want to collect performance data. You can then forward that data to an indexer. Data retrieved using this method is more reliable than data gathered remotely using WMI-based inputs.
Configure remote Windows performance monitoring with Splunk Web
This option is available on Splunk Enterprise only, It isn't available on Splunk Cloud instances. You can instead configure a universal forwarder in Splunk Enterprise and forward that data to the Splunk Cloud instance.
In Splunk Enterprise, go to the Add New page in Splunk Web through either Splunk Settings or Splunk Home.
To access the Add New page through Splunk Settings, follow these steps:
- Click Settings in the upper-right corner of Splunk Web.
- Click Data Inputs.
- Click Remote performance monitoring.
- Click New to add an input.
To access the Add New page through Splunk Home, follow these steps:
- Click the Add Data link in Splunk Home.
- Click Monitor to monitor performance data from the local Windows machine, or Forward to forward performance data from another Windows machine. Splunk Enterprise loads the Add Data - Select Source page.
- In the left pane, locate and select Local Performance Monitoring.
Forwarding performance data requires additional setup.
Select the input source
Win32_PerfFormattedData_*
classes don't show up as available objects in Splunk Web. If you want to monitor Win32_PerfFormattedData_*
classes, you must add them directly in the wmi.conf file. See Configure remote Windows performance monitoring with configuration files for more information. Follow these steps:
- In the left pane of Splunk Enterprise, select Local Performance Monitoring.
- In the Collection Name field, enter a unique name for this input that you will remember.
- In the Select Target Host field, enter the host name or IP address of the Windows computer you want to collect performance data from.
- Click Query to get a list of the performance objects available on the Windows machine you specified in the Select Target Host field.
- Choose the object that you want to monitor from the Select Class list. Splunk Enterprise displays the Select Counters and Select Instances list boxes.
- In the Select Counters list box, locate the performance counters you want this input to monitor.
- Click once on each counter you want to monitor. Splunk Enterprise moves the counter from the Available counter(s) window to the Selected counter(s) window.
- To unselect a counter, click its name in the Available Items window. Splunk Enterprise moves the counter from the Selected counter(s) window to the Available counter(s)window.
- To select or unselect all of the counters, click the add all or remove all links.
Selecting all of the counters can result in the indexing of a lot of data, possibly more than your license allows.
- In the Select Instances list box, select the instances that you want this input to monitor by clicking once on the instance in the Available instance(s) window. Splunk Enterprise moves the instance to the Selected instance(s) window.
- In the Polling interval field, enter the time, in seconds, between polling attempts for the input.
- Click Next.
You can add only one performance object per data input. This is due to how Microsoft handles performance monitor objects. Many objects enumerate classes that describe themselves dynamically upon selection. This can lead to confusion as to which performance counters and instances belong to which object, as defined in the input. If you need to monitor multiple objects, create additional data inputs for each object.
The _Total
instance is a special instance, and appears for many types of performance counters. This instance is the average of any associated instances under the same counter. Data collected for this instance can be significantly different than for individual instances under the same counter.
For example, when you monitor performance data for the Disk Bytes/Sec performance counter under the PhysicalDisk
object on a system with two disks, the available instances include one for each physical disk (0 C:
and 1 D:
) and the _Total
instance, which is the average of the two physical disk instances.
Specify input settings
Specify application context, default host value, and index in the Input Settings page. All of these parameters are optional.
Setting the Host value sets the host field only in the resulting events. It doesn't direct Splunk Enterprise to look on a specific host on your network.
- Select the appropriate Application context for this input.
- Set the Host value. You have several choices for this setting. Learn more about setting the host value in About hosts.
- Set the Index that Splunk Enterprise should send data to. Leave the value as
default
, unless you have defined multiple indexes to handle different types of events. - Click the Review button.
Review your choices
After you specify input settings, review your selections. Splunk Enterprise lists all options you selected, including the type of monitor, the source, the source type, the application context, and the index.
- Review the settings.
- If they don't match what you want, click the left-pointing bracket ( < ) to go back to the previous step in the wizard. Otherwise, click Submit.
Splunk Enterprise then loads a confirmation page and begins indexing the specified performance metrics. For more information on getting data from files and directories, see Monitor Windows performance in this manual.
Configure remote Windows performance monitoring with configuration files
The wmi.conf configuration file controls remote performance monitoring configurations. To set up remote performance monitoring using configuration files, create or edit wmi.conf in %SPLUNK_HOME%\etc\system\local. If you haven't worked with configuration files before, read About configuration files before you begin.
For Splunk Cloud instances, install a universal forwarder on the machine where you want to collect the performance data, and configure that forwarder to send the data to Splunk Cloud. On Splunk Enterprise instances, use Splunk Web to create remote performance monitor inputs unless you do not have access to it. The names of performance monitor objects, counters, and instances must exactly match what the Performance Monitor API defines, including case. Splunk Web uses WMI to get the properly formatted names, eliminating the potential for typos.
The wmi.conf file contains one stanza for each remote performance monitor object that you want to monitor. In each stanza, you specify the following settings:
Global settings
Setting | Required? | Description | Default |
---|---|---|---|
initial_backoff
|
No | How long, in seconds, to wait before retrying a connection to a WMI provider when an error occurs. If problems persist on connecting to the provider, then the wait time between connection attempts doubles until either it can connect or until the wait time is greater than or equal to the max_backoff setting.
|
5 |
max_backoff
|
No | The maximum amount of time, in seconds, to attempt to reconnect to a WMI provider. | 20 |
max_retries_at_max_backoff
|
No | How many times, after max_backoff seconds has been reached between reconnection attempts with a WMI provider, to continue to attempt to reconnect to that provider.
|
2 |
checkpoint_sync_interval
|
No | How long, in seconds, to wait for state data to be flushed to disk. | 2 |
Input-specific settings
Setting | Required? | Description | Default |
---|---|---|---|
interval
|
Yes | How often, in seconds, to poll for new data. If this setting isn't present, the input can't run because there is no default. | N/A |
server
|
No | A comma-separated list of one or more valid hosts on which you want to monitor performance. | The local machine |
event_log_file
|
No | The names of one or more Windows event log channels to poll. This setting configures Splunk Enterprise that the incoming data is in event log format.
|
N/A |
wql
|
No | A valid Windows Query Language (WQL) statement that specifies the performance objects, counters, and instances you want to poll remotely. This setting tells Splunk Enterprise to expect data from a WMI provider.
|
N/A |
namespace
|
No | The namespace in which the WMI provider you want to query resides. The value for this setting can be either relative, such as Root\CIMV2 or absolute, such as \\SERVER\Root\CIMV2 , but it must be relative if you specify the server setting.
|
Root\CIMV2
|
index
|
No | The desired index to route performance counter data to. | default
|
current_only
|
No | The characteristics and interaction of WMI-based event collections based on whether the wql setting or the event_log_file setting is defined:
|
N/A |
disabled
|
No | Tells Splunk Enterprise whether or not to gather the performance data defined in this input. Set to 1 to disable performance monitoring for this stanza, or 0 to enable it.
|
0 |
Examples of using wmi.conf
The following example of wmi.conf gathers local disk and memory performance metrics and places them into the wmi_perfmon
index:
[settings] initial_backoff = 5 max_backoff = 20 max_retries_at_max_backoff = 2 checkpoint_sync_interval = 2 # Gather disk and memory performance metrics from the local system every second. # Store event in the "wmi_perfmon" Splunk index. [WMI:LocalPhysicalDisk] interval = 1 wql = select Name, DiskBytesPerSec, PercentDiskReadTime,PercentDiskWriteTime, PercentDiskTime from \ Win32_PerfFormattedData_PerfDisk_PhysicalDisk disabled = 0 index = wmi_perfmon [WMI:LocalMainMemory] interval = 10 wql = select CommittedBytes, AvailableBytes, PercentCommittedBytesInUse, Caption from \ Win32_PerfFormattedData_PerfOS_Memory disabled = 0 index = wmi_perfmon
Additional information on WQL query statements
WQL queries must be structurally and syntactically correct. If they aren't, you might get undesirable results or no results at all. When writing event notification queries by specifying current_only=1
in the stanza in which a WQL query resides, your WQL statement must contain one of the clauses that specify such a query: (WITHIN, GROUP,
or HAVING
. See https://docs.microsoft.com/en-us/windows/win32/wmisdk/querying-with-wql?redirectedfrom=MSDN on the Microsoft website for more information.
Splunk Web eliminates problems with WQL syntax by generating the appropriate WQL queries when you use it to create performance monitor inputs.
Caveats to using the performance monitoring input
When you use the Windows performance monitor input to collect performance monitoring data from Windows machines, mind the following caveats:
Increased memory usage during collection of performance metrics
When you collect data on some performance objects, such as the Thread
object and its associated counters, you might notice increased memory usage in your Splunk Enterprise deployment. This increase in usage is normal, as certain performance objects consume more memory than others during the collection process.
Processor Time counters don't return values higher than 100
Due to how Microsoft tallies CPU usage with the Processor:% Processor Time
and Process:% Processor Time
counters, these counters don't return a value higher than 100 regardless of the number of CPUs or cores in the system. This return is by design. These counters subtract the amount of time spent on the idle process from 100%.
Limitations to the useEnglishOnly setting
When you edit the inputs.conf file on a non-English system to enable performance monitoring, there are some limitations to how the useEnglishOnly
setting works.
If you set the setting to true
, you cannot use wildcards or regular expressions for the object
and counters
settings. These settings must contain specific entries based on valid English values as defined in the Performance Data Helper library. You can specify a wildcard for the instances
setting. Here's an example:
[perfmon://Processor] object = Processor instances = _Total counters = % Processor Time;% User Time useEnglishOnly = 1 interval = 30 disabled = 0
The counters
setting contain values in English even though the system language is not English.
If you set the setting to false
, you can use wildcards and regular expressions for these settings, but you must specify values based on the operating system's language. An example of a stanza on a system running in French follows:
[perfmon://FrenchProcs] counters = * disabled = 0 useEnglishOnly = 0 interval = 30 object = Processeur instances = *
Note in this example that the object
setting has been set to Processeur
, which is the French equivalent of Processor
. If you specify English values here, Splunk Enterprise will not find the performance object or instance.
Additional impacts of using the useEnglishOnly setting
There are additional items to consider when using the setting.
- When you use Splunk Web to create performance monitor inputs on a non-English operating system, it always specifies
useEnglishOnly = false
. - Additionally, you can enable, disable, clone, or delete these stanzas within Splunk Web. You cannot, however, edit them in Splunk Web unless the operating system's locale matches the locale specified in the stanza.
- You can use Splunk Web to enable, disable, clone, or delete a performance monitor stanza with the
useEnglishOnly
setting set totrue
. However, you cannot edit them in Splunk Web unless the system's locale is English.
Monitor Windows Registry data | Monitor Windows data with PowerShell scripts |
This documentation applies to the following versions of Splunk® Enterprise: 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0
Feedback submitted, thanks!