Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

interval in input.conf not followed, Windows add-on

mykol_j
Path Finder
‎11-09-2020 09:02 AM

Windows add-on 8.0.0, Splunk 8.0.4.

No matter the interval settings in inputs.conf, they seem to run at random times. For example on one host alone, the "service" checker ran 9 times in one hour. The setting in the stanza is for once a day (86400). I've tried setting it other values -- nothing seems to matter.

Also happening on all other inputs (sourcetype=WinHostMon) that have an interval setting.

Disk, for example (also set interval = 86400) is running 2-16 times for host in one hour.

I've searched for this, and heard the descriptions of the scripts "taking a long time to run" yadda, yadda... but come on, not all of them...and these aren't scripts (and we have arguably over powered hardware running this). This is generating a *lot* of entries for our small test group of only 200.

Thoughts?

Thanks.

Mike

Labels (2)
Labels
0 Karma
Reply

SinghK
Builder
‎11-10-2020 12:36 AM

It all looks ok. Unless there is something that's doing an overide. can you try using btool to check if inputs are all correct.

0 Karma
Reply

mykol_j
Path Finder
‎11-10-2020 08:21 AM

Great suggestion on using btool...

However, it confirmed that all is good. I'm focusing on [WinHostMon://Disk] for my test case.

I definitely have:

[WinHostMon://Disk]
interval = 86400
disabled = 0
type = Disk

And definitely confirmed my system is showing data for my Name="C:" at exactly 2 hour intervals... but once in a while only waits an hour in between. Go figure.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-09-2020 10:25 AM

What are the inputs.conf settings for the respective inputs and where are they set?  If you use universal forwarders then the settings must be on the UFs.  Be sure to restart Splunk after changing inputs.conf settings.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

mykol_j
Path Finder
‎11-09-2020 11:40 AM

[WinHostMon://Disk]
interval = 86400
disabled = 0
type = Disk

...straight out-of-the-box -- (except that I enabled it and changed the interval). In these cases it's being handed out by a deployment server to UFs. Yes, I know the inputs.conf is being applied because other changes are reflected. There's only one app being applied. Yes, it's in local.

Yes, I know to restart/reload it...   😕

0 Karma
Reply
Get Updates on the Splunk Community!

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...