Splunk 6.2 Feature Overview: Perfmon Delocalization

Last week, I covered the XML Event Logs – an awesome feature that will reduce your data ingest, increase the fidelity of the data that is stored and allow us to work with localized data. Today, I want to discuss another localization feature – or at least a delocalization feature – perfmon.

Prior to Splunk 6.2, Windows perfmon was always collected localized. If you wanted the % Processor Time counter, you had to specify its localized name. If you were running on a French version of Windows, you would have to specify object=Processeur and counter="% Temps Processeur" in both your inputs.conf and searches. Given that there are over 30 different localized versions of Windows, this really meant that apps only worked in US/English unless you took extraordinary measures to adjust them for the different locales. I even wrote a blog post about how to alleviate this condition.

In Splunk 6.2 we introduced a flag to the perfmon stanzas in inputs.conf called useEnglishOnly. Instead of specifying the counters and objects in your installed language, you can specify them in US/English. For instance:

[perfmon://CPU]
counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec
disabled = 0
instances = *
interval = 10
object = Processor
useEnglishOnly = true
index = perfmon

This will record the counter and object names as US/English in the index as well. The end result is that you can – with a simple change to the inputs.conf stanza – record, store and search for everything in the US/English version, effectively ensuring that your app works with all locales that Microsoft produces. We’ve already made this change to the disabled perfmon inputs on Splunk_TA_Windows v4.7.3.

There is one caveat to this. The underlying API that we use (PdhAddEnglishCounter, for the curious) does not allow us to add perfmon counters with a wildcard. This means that the counters parameter must explicitly list each counter you are interested in indexing.
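One way to check an inputs.conf for this caveat before deploying it, as an added example that is not part of the original post or of Splunk's own tooling. The sample stanzas, the function name `lint_perfmon` and the finding labels are constructed for illustration, and the sketch assumes that a stanza without useEnglishOnly is collected localized and that `true` or `1` enables the flag.

```python
import configparser

# Constructed sample inputs.conf (not from the original post).
SAMPLE = """\
[perfmon://CPU]
counters = % Processor Time; % User Time
instances = *
object = Processor
useEnglishOnly = true

[perfmon://Memory]
counters = *
object = Memory
useEnglishOnly = true

[perfmon://Disk]
counters = % Disk Time
object = LogicalDisk

[WinEventLog://Security]
disabled = 0
"""


def lint_perfmon(text):
    """Return (stanza, problem) tuples for the perfmon inputs in text."""
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case, e.g. useEnglishOnly
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        if not name.startswith("perfmon://"):
            continue  # only perfmon inputs are affected
        stanza = cp[name]
        # Assumption: an absent flag means the input is not English-only.
        flag = stanza.get("useEnglishOnly", "false").strip().lower()
        counters = [c.strip() for c in stanza.get("counters", "").split(";")
                    if c.strip()]
        if flag not in ("true", "1"):
            findings.append((name, "locale-dependent"))
        elif not counters or any("*" in c for c in counters):
            # English-only inputs need every counter listed explicitly.
            findings.append((name, "wildcard-counters"))
    return findings


if __name__ == "__main__":
    for stanza, problem in lint_perfmon(SAMPLE):
        print(f"{stanza}: {problem}")
```

Note that `instances = *` is left alone: the caveat applies to the counters parameter only.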

Our hope, of course, is that you will write and distribute excellent apps that are locale agnostic. The pairing of XML Event Logs and English-Only Perfmon should assist in accomplishing this. We are certainly working on releasing the premium and Splunk supported apps with this in mind.