Hi PickleRick,

Agreed. Then do I remove the sourcetype= statement from the stanza in inputs.conf (because it is overwritten anyway)? Please share your thoughts.

Also, do I create a separate index for the metrics mentioned in my inputs.conf, or keep with the eventtype index?

Here is a snippet of inputs.conf:

------------------------------- inputs.conf ----------
#
###### OS Logs ######
#
[WinEventLog://Application]
disabled = false
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=true
index = winos
-----
------
-----
#
###### Host monitoring ######
#
[WinHostMon://Computer]
interval = 600
disabled = false
type = Computer
index = winos

[WinHostMon://Process]
interval = 600
disabled = false
type = Process
index = winos
-----
-----
#
###### Win Registry Monitoring
#
[WinRegMon://default]
disabled = false
hive = .*
proc = .*
type = rename|set|delete|create
index = winos
-------
------
#
# Performance Monitoring
#
###### Splunk 5.0+ Performance Counters ######
## CPU
[perfmon://CPU]
counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
instances = *
interval = 30
mode = single
object = Processor
_meta = os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host
useEnglishOnly = true
sourcetype = PerfmonMetrics:CPU
disabled = 0
index = ?????

Please share your expertise. Thanks.