Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Windows Universal Forwarder won't stop sending performance data

ptierney
New Member
‎10-03-2011 10:16 AM
  • Splunk Linux Indexer 4.2.3
  • Splunk Universal Forwarder for Windows 4.2.3-1055
  • Windows Server 2008 Standard

Playing with the Windows App, I realized I was sending the wrong type of data to my linux indexer. I was sending perfmon data when I wanted to send WMI data. I've successfully installed a wmi.conf file and am collecting that data (thank you, MarioM). But when I remove the perfmon scripts from my inputs.conf and restart splunk, it just keeps sending the perfdata. The contents of my inputs.conf file, are pretty basic.

[default]
host = DOLLAR

That's it. I've also tried rebooting, no change. What am I missing?

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎10-03-2011 11:24 AM

There are many places for an inputs.conf file to reside. In fact, an infinite number.

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

Probably your config was in %SPLUNK_HOME%\etc\apps\windows\local\ or etc\apps\search\local\.

0 Karma
Reply

ptierney
New Member
‎10-03-2011 11:40 AM

I thought of this, and have searched through all inputs.conf file in the $SPLUNK_HOME\etc dirs. The splunkperfom entry appears in two places, etc\system\local and etc\system\defaults. It appears in etc\systems\defaults not matter how I install the splunk fowarder, and it is always with disabled = 0, so I don't think that's it. The other entry is where I've manually disabled it.

0 Karma
Reply

ptierney
New Member
‎10-03-2011 10:42 AM

So, I have a workaround, I suppose, but I'd like to understand how this works so I know what/where to edit for changes in the future.

0 Karma
Reply

ptierney
New Member
‎10-03-2011 10:41 AM

BTW, if I completely uninstall and reinstall splunk, it stops sending perfdata, and the local/inputs.conf file looks the same, so apparently it gets set somewhere during the install, but not in local.

Also, it appears that placing this in local\inputs.conf


[script://$SPLUNK_HOME\bin\scripts\splunk-perfmon.path]
interval = 10000000
source = PerformanceMonitor
sourcetype = PerformanceMonitor
disabled = 1
queue = winparsing
persistentQueueSize=50MB

Prevents it from sending the data. But this doesn't exist in a client where I didn't check the perf option checkboxes.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...