Sumo Logic

Collect Logs for the Windows Performance App

This page provides instructions for configuring log collection for the Windows Performance App, as well as example log files and queries.

Configure a Collector and Source

To collect logs for the Windows Performance App, you need an Installed Collector and either a Local or a Remote Windows Performance Monitor Log Source.

To collect logs for the Windows Performance App, do the following:
  1. Install a collector as described in Installed Collector.
  2. Configure a Windows Performance Source, choosing the type appropriate for your environment: a Local source reads performance counters on the machine the collector runs on, and a Remote source polls other Windows hosts.

Add a Custom Query to the Windows Performance Source

To complete the configuration, edit each Windows Performance Source you use to collect logs and add a custom query.

  1. Go to Manage Data > Collection > Collection.
  2. Find the Collector and the Windows Performance Source.
  3. For the Source, click Edit.
  4. Under Perfmon Queries select the check boxes for these queries:
    • CPU
    • Physical Disk
    • Memory
    • Network
  5. Click Add Query.
    • For Name, enter CPU per Process.
    • For Query, enter select * from Win32_PerfFormattedData_PerfProc_Process. This WQL query returns one instance per running process on every poll, so message volume from this source scales with the number of processes on the host.
  6. Click Save.

Sample Log Messages

instance of Win32_PerfFormattedData_PerfProc_Process
{
    CreatingProcessID = 2612;
    ElapsedTime = "3252";
    HandleCount = 756;
    IDProcess = 2580;
    IODataBytesPersec = "0";
    IODataOperationsPersec = "0";
    IOOtherBytesPersec = "0";
    IOOtherOperationsPersec = "0";
    IOReadBytesPersec = "0";
    IOReadOperationsPersec = "0";
    IOWriteBytesPersec = "0";
    IOWriteOperationsPersec = "0";
    Name = "explorer";
    PageFaultsPersec = 0;
    PageFileBytes = "38965248";
    PageFileBytesPeak = "48934912";
    PercentPrivilegedTime = "6";
    PercentProcessorTime = "7";
    PercentUserTime = "23";
    PoolNonpagedBytes = 53104;
    PoolPagedBytes = 410728;
    PriorityBase = 8;
    PrivateBytes = "38965248";
    ThreadCount = 27;
    VirtualBytes = "235999232";
    VirtualBytesPeak = "270917632";
    WorkingSet = "52269056";
    WorkingSetPeak = "56279040";
    WorkingSetPrivate = "23617536";
}
instance of Win32_PerfFormattedData_PerfOS_Memory
{
    AvailableBytes = "1238610176";
    AvailableKBytes = "1111924";
    AvailableMBytes = "1085";
    CacheBytes = "49934336";
    CacheBytesPeak = "155365376";
    CacheFaultsPersec = 0;
    CommitLimit = "4294033408";
    CommittedBytes = "1131204608";
    DemandZeroFaultsPersec = 175;
    FreeAndZeroPageListBytes = "630083584";
    FreeSystemPageTableEntries = 33555674;
    ModifiedPageListBytes = "46796800";
    PageFaultsPersec = 175;
    PageReadsPersec = 10;
    PagesInputPersec = 0;
    PagesOutputPersec = 0;
    PagesPersec = 0;
    PageWritesPersec = 3;
    PercentCommittedBytesInUse = 26;
    PoolNonpagedAllocs = 126788;
    PoolNonpagedBytes = "46321664";
    PoolPagedAllocs = 105056;
    PoolPagedBytes = "145367040";
    PoolPagedResidentBytes = "145051648";
    StandbyCacheCoreBytes = "0";
    StandbyCacheNormalPriorityBytes = "420179968";
    StandbyCacheReserveBytes = "88346624";
    SystemCacheResidentBytes = "49934336";
    SystemCodeResidentBytes = "2596864";
    SystemCodeTotalBytes = "7192576";
    SystemDriverResidentBytes = "5947392";
    SystemDriverTotalBytes = "5259264";
    TransitionFaultsPersec = 0;
    TransitionPagesRePurposedPersec = 0;
    WriteCopiesPersec = 0;
}

Query Samples

Hosts with low available memory

_sourceCategory=OS/Windows "Win32_PerfFormattedData_PerfOS_Memory" "AvailableBytes"
| parse regex "winbox = (?<dest_host>\S+)" nodrop
| if (isNull(dest_host) or dest_host="",_sourceHost,dest_host) as host
| kv regex "= (?:\"|)(.*?)(?:\"|);" keys "AvailableBytes" as aBytes
| timeslice 1m
| avg(aBytes) as AvgAvailableBytes by host,_timeslice
| int(AvgAvailableBytes/(1024*1024)) as AvgAvailMBytes
| where AvgAvailMBytes < 100
// 100 MB of available memory is the threshold for this alert
| count as DataPoints by host
| where DataPoints > 10
// second threshold: more than 10 one-minute slices in which the average available memory was below the limit above

Avg CPU Usage (%) by Host

_sourceCategory=OS/Windows "Win32_PerfFormattedData_PerfOS_Processor" "_Total"
| parse regex "winbox = (?<dest_host>\S+)" nodrop 
| if (isNull(dest_host) or dest_host="",_sourceHost,dest_host) as host
| kv regex "= (?:\"|)(.*?)(?:\"|);" keys "PercentProcessorTime" as procTime
| timeslice 1m
| avg(procTime) as AvgProcTime by host,_timeslice
| sort - _timeslice
| transpose row _timeslice column host
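The two queries above both parse the `Key = "value";` lines of an instance block and then aggregate per host per one-minute timeslice. The following Python script is an added example, not Sumo Logic code and not part of this page's app, that reproduces that parse-and-threshold logic offline so you can check what the queries would flag before wiring up an alert. It assumes that each `instance of ... { ... }` block arrives as a single message (matching the samples above), that a Remote source tags the monitored host with a `winbox = <host>` prefix (the assumption behind the queries' `parse regex "winbox = ..." nodrop`, with `_sourceHost` as the fallback), and it builds its own constructed sample messages in the collector's format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

MB = 1024 * 1024

# One "instance of <class> { ... }" block as the Windows Performance Source
# writes it (assumption: each block is delivered as a single message).
INSTANCE_RE = re.compile(r"instance of (?P<cls>\w+)\s*\{(?P<body>.*?)\}", re.S)
# Same idea as the queries' kv regex "= (?:\"|)(.*?)(?:\"|);": the value may
# or may not be quoted and always ends with a semicolon.
KV_RE = re.compile(r'(?P<key>\w+)\s*=\s*"?(?P<val>.*?)"?;')
# Same as parse regex "winbox = (?<dest_host>\S+)" nodrop in the queries
# (assumed prefix added by a Remote source).
WINBOX_RE = re.compile(r"winbox = (?P<dest_host>\S+)")


def parse_instance(message):
    """Return (class_name, {field: value}) or None if no instance block is present."""
    m = INSTANCE_RE.search(message)
    if not m:
        return None
    return m.group("cls"), dict(KV_RE.findall(m.group("body")))


def resolve_host(message, source_host):
    """Prefer the winbox= host if present, otherwise fall back to _sourceHost."""
    m = WINBOX_RE.search(message)
    return m.group("dest_host") if m else source_host


def _slice(ts):
    return ts.replace(second=0, microsecond=0)   # timeslice 1m


def low_memory_hosts(messages, threshold_mb=100, min_points=10):
    """Mirror 'Hosts with low available memory': average AvailableBytes per host per
    minute, count minutes under threshold_mb, flag hosts with more than min_points.
    messages: iterable of (timestamp, source_host, text). Returns {host: low_minutes}."""
    per_slice = defaultdict(list)
    for ts, source_host, text in messages:
        parsed = parse_instance(text)
        if not parsed or parsed[0] != "Win32_PerfFormattedData_PerfOS_Memory":
            continue
        avail = parsed[1].get("AvailableBytes")
        if avail is None:
            continue
        per_slice[(resolve_host(text, source_host), _slice(ts))].append(int(avail))
    low_minutes = defaultdict(int)
    for (host, _), values in per_slice.items():
        avg_avail_mb = int(sum(values) / len(values) / MB)   # int(AvgAvailableBytes/(1024*1024))
        if avg_avail_mb < threshold_mb:
            low_minutes[host] += 1
    return {h: n for h, n in low_minutes.items() if n > min_points}


def avg_cpu_by_host(messages):
    """Mirror 'Avg CPU Usage (%) by Host': average PercentProcessorTime of the
    _Total processor instance per host per minute. Returns {(host, slice): avg}."""
    per_slice = defaultdict(list)
    for ts, source_host, text in messages:
        parsed = parse_instance(text)
        if not parsed or parsed[0] != "Win32_PerfFormattedData_PerfOS_Processor":
            continue
        fields = parsed[1]
        if fields.get("Name") != "_Total":      # skip the per-core instances
            continue
        key = (resolve_host(text, source_host), _slice(ts))
        per_slice[key].append(float(fields["PercentProcessorTime"]))
    return {k: sum(v) / len(v) for k, v in per_slice.items()}


def memory_message(available_bytes, winbox=None):
    """Constructed sample in the collector's format (trimmed to the fields used)."""
    prefix = f"winbox = {winbox} " if winbox else ""
    return (f'{prefix}instance of Win32_PerfFormattedData_PerfOS_Memory\n{{\n'
            f'    AvailableBytes = "{available_bytes}";\n'
            '    PageFaultsPersec = 175;\n'
            '}')


def processor_message(name, pct):
    """Constructed sample of a PerfOS_Processor instance (trimmed to the fields used)."""
    return ('instance of Win32_PerfFormattedData_PerfOS_Processor\n{\n'
            f'    Name = "{name}";\n'
            f'    PercentProcessorTime = "{pct}";\n'
            '}')


def build_sample_messages():
    """Constructed dataset: win-a starves for 12 minutes, win-b (polled remotely
    by collector01) is healthy, win-c dips for only 5 minutes, i.e. under the
    '> 10 data points' threshold."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    msgs = []
    for i in range(12):
        ts = t0 + timedelta(minutes=i)
        msgs.append((ts, "win-a", memory_message(50 * MB)))
        msgs.append((ts, "collector01", memory_message(2048 * MB, winbox="win-b")))
        if i < 5:
            msgs.append((ts, "win-c", memory_message(20 * MB)))
    msgs.append((t0, "win-a", processor_message("_Total", 40)))
    msgs.append((t0 + timedelta(seconds=30), "win-a", processor_message("_Total", 60)))
    msgs.append((t0, "win-a", processor_message("0", 99)))   # per-core, must be ignored
    return msgs


if __name__ == "__main__":
    print(low_memory_hosts(build_sample_messages()))   # {'win-a': 12}
    print(avg_cpu_by_host(build_sample_messages()))    # win-a at 12:00 averages 50.0
```

The two thresholds in the memory query act together: a host is only reported once it has more than ten one-minute slices whose average available memory truncates to under 100 MB, so a single short dip (win-c above) never alerts. Lower min_points if you want the alert to fire sooner, but expect more noise from hosts that briefly page under load.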