
Making The Windows Perfmon Uptime Metric CIM Compliant

Common Information Model: Imposing Order On Data Chaos

I’m a fan of Splunk’s Common Information Model (CIM). In a world of widely divergent formats and unstructured data, the CIM is Splunk’s answer to imposing order on data chaos and allowing people to represent data in the same way, even if it comes from totally different sources.

Windows Uptime: WMI vs Perfmon

I was recently deploying Splunk in an all-Windows environment for a customer and noted that the uptime field was not appearing in the interesting fields section. A little digging into the Splunk_TA_windows add-on config revealed that this is because the uptime metric, by default, is instrumented using the add-on’s WMI input, which had not been enabled in this particular case. Anyone who has had a reasonable amount to do with either Splunk_TA_windows or Perfmon itself will be aware that the uptime of a Windows server can also be retrieved from a Perfmon counter, specifically System Up Time from the System collection. We were already collecting a whole bunch of Perfmon metrics including System Up Time, so I decided to make it CIM compliant by defining the appropriate event types, tags and calculated fields.

The Configuration

$SPLUNK_HOME\etc\apps\Splunk_TA_windows\local\eventtypes.conf
###### Uptime ######
[perfmon_uptime]
search = sourcetype=Perfmon:System counter="System Up Time"
#tags = performance uptime report
[perfmon_uptime_anomalous]
# uptime is the calculated field defined in props.conf; 2592000 seconds = 30 days
search = sourcetype=Perfmon:System counter="System Up Time" uptime>2592000
#tags = anomalous

$SPLUNK_HOME\etc\apps\Splunk_TA_windows\local\tags.conf
###### Uptime ######
[eventtype=perfmon_uptime]
uptime = enabled
report = enabled
performance = enabled
[eventtype=perfmon_uptime_anomalous]
anomalous = enabled

$SPLUNK_HOME\etc\apps\Splunk_TA_windows\local\props.conf
###### Uptime ######
[Perfmon:System]
# case() with no default returns null for every other counter, so uptime is only set on System Up Time events
EVAL-uptime=case(counter="System Up Time",Value)

Note: You only need to add the above configuration to the Splunk_TA_windows add-on on your Search Head(s), since event types, tags and calculated fields are all applied at search time.
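To check the three stanzas fit together before deploying them, here is an added example (my own code, not part of the original post or of Splunk_TA_windows) that models the props.conf calculated field, the two event types and the tag assignments in plain Python and runs them over a few constructed Perfmon:System events. The sample events, host names and the `enrich`/`anomalous_hosts` helper names are assumptions for the demonstration; the counter name, the 2592000-second threshold and the tag names come from the configuration above.

```python
"""Offline model of the eventtypes.conf / tags.conf / props.conf logic above.

Added example, not code from the original post: it mimics how Splunk applies
the calculated field first, then matches event types against it, then maps
event types to tags, so the chain can be sanity-checked without a search head.
"""
from typing import Dict, List, Optional, Tuple

# Threshold from the perfmon_uptime_anomalous stanza: 2592000 seconds = 30 days.
ANOMALOUS_UPTIME_SECONDS = 2592000

# tags.conf stanzas, keyed by event type.
TAGS: Dict[str, List[str]] = {
    "perfmon_uptime": ["uptime", "report", "performance"],
    "perfmon_uptime_anomalous": ["anomalous"],
}

# Constructed sample events (sourcetype, host, raw text) in the multi-line
# key=value layout Splunk_TA_windows emits for Perfmon:System. Values chosen
# so that one host is just under a day up and one is past the 30-day threshold.
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    ("Perfmon:System", "host-a",
     "01/15/2024 10:00:00.000\ncollection=System\nobject=System\n"
     "counter=System Up Time\ninstance=\nValue=86400.5"),
    ("Perfmon:System", "host-b",
     "01/15/2024 10:00:00.000\ncollection=System\nobject=System\n"
     "counter=System Up Time\ninstance=\nValue=3100000"),
    ("Perfmon:System", "host-a",
     "01/15/2024 10:00:00.000\ncollection=System\nobject=System\n"
     "counter=Processor Queue Length\ninstance=\nValue=2"),
    ("WinEventLog:System", "host-c", "EventCode=6005"),
]


def parse_perfmon(raw: str) -> Dict[str, str]:
    """Extract key=value pairs from a multi-line Perfmon event."""
    fields: Dict[str, str] = {}
    for line in raw.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def calc_uptime(sourcetype: str, fields: Dict[str, str]) -> Optional[float]:
    """props.conf: EVAL-uptime=case(counter="System Up Time",Value).

    case() with no default is null for every other counter, and the stanza
    only applies to sourcetype Perfmon:System.
    """
    if sourcetype != "Perfmon:System" or fields.get("counter") != "System Up Time":
        return None
    try:
        return float(fields["Value"])
    except (KeyError, ValueError):
        return None


def eventtypes_for(sourcetype: str, fields: Dict[str, str],
                   uptime: Optional[float]) -> List[str]:
    """eventtypes.conf: both stanzas match System Up Time; the second also
    requires the calculated uptime to exceed the 30-day threshold."""
    types: List[str] = []
    if sourcetype == "Perfmon:System" and fields.get("counter") == "System Up Time":
        types.append("perfmon_uptime")
        if uptime is not None and uptime > ANOMALOUS_UPTIME_SECONDS:
            types.append("perfmon_uptime_anomalous")
    return types


def tags_for(eventtypes: List[str]) -> List[str]:
    """tags.conf: union of the tags enabled for each matched event type."""
    tags: List[str] = []
    for et in eventtypes:
        for tag in TAGS.get(et, []):
            if tag not in tags:
                tags.append(tag)
    return tags


def enrich(sourcetype: str, host: str, raw: str) -> Dict[str, object]:
    """Apply calculated field, event types and tags to one event."""
    fields = parse_perfmon(raw)
    uptime = calc_uptime(sourcetype, fields)
    ets = eventtypes_for(sourcetype, fields, uptime)
    return {"host": host, "sourcetype": sourcetype, "uptime": uptime,
            "eventtype": ets, "tag": tags_for(ets)}


def enrich_all(events: List[Tuple[str, str, str]] = SAMPLE_EVENTS) -> List[Dict[str, object]]:
    return [enrich(*event) for event in events]


def anomalous_hosts(events: List[Tuple[str, str, str]] = SAMPLE_EVENTS) -> List[str]:
    """Hosts a search like `tag=uptime tag=anomalous | stats values(host)` would return."""
    return sorted({str(r["host"]) for r in enrich_all(events) if "anomalous" in r["tag"]})


if __name__ == "__main__":
    for record in enrich_all():
        print(record)
    print("hosts past the 30-day uptime threshold:", anomalous_hosts())
```

Only the System Up Time events pick up an uptime value and the CIM tags; the Processor Queue Length event and the non-Perfmon event stay untagged, and host-b is the only one flagged anomalous because its counter value exceeds 2592000 seconds.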

With these in place, the uptime field is available in searches that use the tags defined above.

Happy Splunking!
