Hi,
How do you add Perfmon:Process into Splunk universal forwarders? I tried using the guides, but Splunk does not show any new Source/type.
I added the following in both inputs.conf and wmi.conf. Do I need just one of them?
I added the files in the /etc/system/local/ directory of each server that has a UF:
wmi.conf:
## Processes
[WMI:LocalProcesses]
interval = 10
wql = SELECT Name, IDProcess, PrivateBytes, PercentProcessorTime FROM Win32_PerfFormattedData_PerfProc_Process
index = windows
disabled = 0
inputs.conf:
[perfmon://Process]
interval = 10
object = Process
counters = *
instances = *
index = windows
Also in inputs.conf:
[WinEventLog://Application]
disabled = 0
[WinEventLog://Security]
disabled = 0
[WinEventLog://System]
disabled = 0
The default index for the Windows event logs "wineventlog" seems to grow, but I can't see them in any of the servers. How do I search them? Are they supposed to show up in Source or Source Type?
Please help.
Thanks.