Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Object field on network perfmon data

doddsjr653
New Member
‎09-12-2013 11:17 PM

I'm running Splunk 5.0.4 along with the Windows app. I'm trying to figure out what is fiddling with the object field on all of my network perfmon data. The raw data of a typical event looks like so:

09/13/2013 01:56:26.169
collection=LocalNetwork
object="Network Interface"
counter="Bytes Sent/sec"
instance="Intel[R] PRO_1000 MT Network Connection"
Value=145267.89417928556

All of the fields are being indexed properly, as they show up in the field list on the left in the search app. However, for each event that has the [ character in the instance field, an additional value is being generated for the object field that contains the rest of the instance field data, plus the Value field line. Using the above event as an example, I see this as a value in the object field for that event:

R] PRO_1000 MT Network Connection" Value=145267.89417928556

This makes a terrible mess of windows_perfmon_details.csv, and I think it's causing a performance impact on the Windows app because of the thousands of extra perfmon instances it's detecting.

I've looked through transforms.conf and props.conf, and I don't think there's anything in there that could be causing this. I'm not exactly sure what to look for though. My OCD would appreciate any help offered to solve this.

Tags (2)
0 Karma
Reply

doddsjr653
New Member
‎09-15-2013 12:28 PM

Correct, each event has those two values for object.

0 Karma
Reply

mloven_splunk
Splunk Employee
Splunk Employee
‎09-15-2013 11:45 AM

Do you have "Network Interface" in quotes in your config, like you do in your original post?

I ask because I'm looking at the Splunk_TA_windows app right now and it doesn't have quotes around that string.

0 Karma
Reply

doddsjr653
New Member
‎09-18-2013 01:38 PM

I do not have quotes around Network Interface in my inputs.conf.

0 Karma
Reply

doddsjr653
New Member
‎09-15-2013 12:40 PM

The event data has the quotes, but I can't remember off the top of my head if the conf file has the quotes...I believe it does. I will check on that.

0 Karma
Reply

mloven_splunk
Splunk Employee
Splunk Employee
‎09-15-2013 11:40 AM

So, for each event with a "[" in the instance field, you're getting two values for object? One set to "Network Interface" and one set to "R] PRO_1000...."?

0 Karma
Reply
Get Updates on the Splunk Community!

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...