The Splunk App for Windows Infrastructure is a basic must-install when using Splunk to monitor Windows hosts. Beginners using this app (Splunk App for Windows Infrastructure) run into several problems, and the fixes are collected here (originally written in Chinese). The app's main purpose is real-time monitoring of Windows systems.
Pb1. "Key value store must be enabled. Please enable it" when running Splunk 6.2.1?
Q1: Delete the lock file at its default path: "C:\Program Files\Splunk\var\lib\splunk\kvstore\mongo\mongod.lock". The target is mongod.lock only; leave the file splunk.key alone. Then restart Splunk. The real reason the .lock file is left behind is that the mongod service was not started, so start mongod from $Splunk\bin and then restart Splunk. The lock file in the mongo data directory prevents the system from re-reading its data, so deleting it is enough, but be especially careful not to delete splunk.key. The root cause is usually an improper shutdown of mongo or some other error; repairing mongod fixes it.
Reference command: $Splunk\bin\mongod --dbpath "$Splunk\var\lib\splunk\kvstore\mongo" --repair --repairpath "$Splunk\var\lib\splunk\kvstore\mongo"
Pb3."Splunk Supporting Add-on for Microsoft Windows Active Directory v2.0.1+"
Q3: Install the Splunk Supporting Add-on for Active Directory and edit the proper settings.
Pb4."Users and/or groups configured with the winfra-admin user role:"
Q4: From the web UI, open the Access controls link and add the winfra-admin role to the admin role.
One more issue: when the Splunk App for Windows Infrastructure is clearly receiving data but the Windows performance counters are not being computed, or the dashboards report that no data was found, the cause may be an error in local/inputs.conf under the TA, for example [perfmon://CPU] >>> [perfmon://Windows__Processor]; the Windows__ prefix must be added.
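As an added check (not part of the original post and not Splunk's own tooling): a small Python script that parses a local/inputs.conf and flags perfmon stanzas whose name lacks the Windows__ prefix, suggesting the corrected stanza name. The sample inputs.conf is constructed, and deriving the new name from the stanza's object value is an assumption generalised from the single CPU to Windows__Processor rename shown above.

```python
import re

# Constructed sample of a Splunk_TA_windows local/inputs.conf: the first
# perfmon stanza is named the way the app does not recognise, the second is fine.
SAMPLE_INPUTS_CONF = """\
[perfmon://CPU]
object = Processor
counters = % Processor Time; % User Time
interval = 10

[perfmon://Windows__Memory]
object = Memory
counters = Available MBytes; Pages/sec
interval = 10

[WinEventLog://Security]
disabled = 0
"""

STANZA_RE = re.compile(r"^\[(?P<scheme>[^:\]]+)://(?P<name>[^\]]+)\]$")
PREFIX = "Windows__"  # prefix the app expects on perfmon stanza names


def parse_stanzas(text):
    """Return a list of (header, {key: value}) pairs for a Splunk .conf file."""
    stanzas = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanzas.append((line, {}))
        elif stanzas and "=" in line:
            key, _, value = line.partition("=")
            stanzas[-1][1][key.strip()] = value.strip()
    return stanzas


def find_bad_perfmon_stanzas(text):
    """List (wrong_header, suggested_header) for perfmon stanzas lacking the prefix.
    The suggested name uses the stanza's counter object (CPU -> Windows__Processor),
    an assumption generalised from the one rename shown on the page."""
    findings = []
    for header, body in parse_stanzas(text):
        m = STANZA_RE.match(header)
        if not m or m.group("scheme") != "perfmon" or m.group("name").startswith(PREFIX):
            continue
        suffix = body.get("object", m.group("name")).replace(" ", "_")
        findings.append((header, "[perfmon://%s%s]" % (PREFIX, suffix)))
    return findings
```

Run it against the TA's real local/inputs.conf before restarting Splunk; only the stanza header needs renaming, the object and counters lines stay as they are.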