Hi,
The following is my setup.
The indexer is running on Linux, and the app "Splunk for Windows" is installed on it. A Universal Forwarder is installed on another Windows server, forwarding everything to the indexer.
I can see the Windows event log, but in the Performance Management window all 5 panes are empty. I am wondering if the app only works on a Windows indexer, not a Linux indexer.
Thanks,
James
This works, thanks MarioM!
And can you accept the answer? Thanks 😜
Be aware that MS WMI is very resource hungry. Then you might need to adapt the interval.
In your UF installation you need a wmi.conf, for example in splunk\etc\system\local, with the following:
[WMI:CPUTime]
## Run every 5 minutes
interval = 300
wql = SELECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"
disabled = false
[WMI:FreeDiskSpace]
## Run every 10 seconds
interval = 10
wql = SELECT Name,FreeMegabytes FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk
disabled = false
[WMI:LocalPhysicalDisk]
## Run every 10 seconds
interval = 10
wql = SELECT Name,CurrentDiskQueueLength,DiskBytesPerSec,PercentDiskReadTime,PercentDiskWriteTime,PercentDiskTime FROM Win32_PerfFormattedData_PerfDisk_PhysicalDisk
disabled = false
[WMI:LocalProcesses]
## Run every 5 minutes
interval = 300
wql = SELECT Name,IDProcess,PrivateBytes,PercentProcessorTime FROM Win32_PerfFormattedData_PerfProc_Process
disabled = false
[WMI:LocalNetwork]
## Run every 5 minutes
interval = 300
wql = SELECT Name,BytesReceivedPerSec,BytesSentPerSec,BytesTotalPerSec,CurrentBandwidth FROM Win32_PerfFormattedData_Tcpip_NetworkInterface
disabled = false
[WMI:Memory]
## Run every 5 minutes
interval = 300
wql = SELECT PagesPerSec,AvailableMBytes,CommittedBytes,PercentCommittedBytesInUse FROM Win32_PerfFormattedData_PerfOS_Memory
disabled = false
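Before enabling the stanzas above on a forwarder, it is worth running each WQL query locally on the Windows host to confirm the Win32_PerfFormattedData_* classes return rows there and to see how long each query takes, since the answer warns that WMI is resource hungry and the interval may need adapting. The following PowerShell is an added example, not part of the original answer or of Splunk's own code; the wmi.conf path is an assumption (adjust it to your UF install), and the 10% runtime-to-interval threshold used to flag a slow stanza is an arbitrary choice.

```powershell
# Added example (not from the original post): run every WQL query from a Splunk
# wmi.conf on the local Windows host and report row counts and query runtime.
# The path is an assumption; point it at your forwarder's wmi.conf.
$confPath = 'C:\Program Files\SplunkUniversalForwarder\etc\system\local\wmi.conf'

# Minimal parser for the stanza / key = value layout of wmi.conf.
# Lines starting with '#' or ';' are comments; stanzas look like [WMI:Name].
function Read-WmiConf {
    param([string]$Path)
    $stanzas = @{}
    $current = $null
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#') -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(WMI:[^\]]+)\]$') {
            $current = $matches[1]
            $stanzas[$current] = @{}
            continue
        }
        if ($current -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            $stanzas[$current][$matches[1]] = $matches[2]
        }
    }
    return $stanzas
}

$conf = Read-WmiConf -Path $confPath
foreach ($name in ($conf.Keys | Sort-Object)) {
    $s = $conf[$name]
    if ($s['disabled'] -eq 'true' -or -not $s['wql']) { continue }
    $interval = [int]$s['interval']
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        # Same query the forwarder would issue, run through CIM on this host.
        $rows = @(Get-CimInstance -Query $s['wql'] -ErrorAction Stop)
        $sw.Stop()
        $status = if ($rows.Count -gt 0) { 'OK' } else { 'NO ROWS' }
        # Flag stanzas whose runtime is a sizable fraction of their interval:
        # a 10 s interval with a slow query keeps the WMI provider busy.
        # The 10% threshold is an arbitrary assumption, not a Splunk value.
        $warn = ''
        if ($sw.Elapsed.TotalSeconds -gt ($interval * 0.1)) { $warn = ' (slow relative to interval)' }
        '{0,-22} {1,-8} rows={2,-4} {3,8:N0} ms interval={4}s{5}' -f `
            $name, $status, $rows.Count, $sw.Elapsed.TotalMilliseconds, $interval, $warn
    } catch {
        $sw.Stop()
        '{0,-22} ERROR    {1}' -f $name, $_.Exception.Message
    }
}
```

A stanza that reports NO ROWS or ERROR here will not produce WMI:* events on the indexer either, so fix the class or property name in the wql line first; a stanza flagged as slow is a candidate for a longer interval, as the answer suggests.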
It seems the Universal Forwarder doesn't forward WMI, only eventlog + perfmon; I can't see a WMI: source in the main Splunk. How can I collect WMI data from Windows in Linux?
Thanks,
James
Do you see any WMI:* source or sourcetype in your main Splunk?
You could search the internal logs for any issues:
index="_*" WMI*
The Universal Forwarder on Windows is configured to forward WMI data to the indexer (receiving is enabled on the indexer as well). What else needs to be done on the indexer to show the performance data from Windows?
Thanks,
James
The Windows app does work on Linux (I mean searches, reports, dashboards), and the Performance Management dashboard bases its searching on WMI data, so if you're not indexing WMI:* these will not load.
Also, if using Perfmon:* it will not work.