
Collect Logs for Windows Performance App

Configure a Collector and Source

To collect logs for the Windows Performance App, you will need:

  1. An Installed Collector.
  2. A Windows Performance Source that matches your environment, either:
    1. Local Windows Performance Monitor Log Source
    2. Remote Windows Performance Monitor Log Source.

Add a Custom Query to the Windows Performance Source

To complete the configuration, edit each Windows Performance Source you use to collect logs and manually add a custom query.

  1. Go to Manage Data > Collection > Collection.
  2. Find the Collector and the Windows Performance Source.
  3. For the Source, click Edit.
  4. Under Perfmon Queries, select the check boxes for these queries:
    • CPU
    • Physical Disk
    • Memory
    • Network
  5. Click Add Query.
    • For Name, enter CPU per Process.
    • For Query, enter select * from Win32_PerfFormattedData_PerfProc_Process.
  6. Click Save.

Sample Log Messages

instance of Win32_PerfFormattedData_PerfProc_Process
{
    CreatingProcessID = 2612;
    ElapsedTime = "3252";
    HandleCount = 756;
    IDProcess = 2580;
    IODataBytesPersec = "0";
    IODataOperationsPersec = "0";
    IOOtherBytesPersec = "0";
    IOOtherOperationsPersec = "0";
    IOReadBytesPersec = "0";
    IOReadOperationsPersec = "0";
    IOWriteBytesPersec = "0";
    IOWriteOperationsPersec = "0";
    Name = "explorer";
    PageFaultsPersec = 0;
    PageFileBytes = "38965248";
    PageFileBytesPeak = "48934912";
    PercentPrivilegedTime = "6";
    PercentProcessorTime = "7";
    PercentUserTime = "23";
    PoolNonpagedBytes = 53104;
    PoolPagedBytes = 410728;
    PriorityBase = 8;
    PrivateBytes = "38965248";
    ThreadCount = 27;
    VirtualBytes = "235999232";
    VirtualBytesPeak = "270917632";
    WorkingSet = "52269056";
    WorkingSetPeak = "56279040";
    WorkingSetPrivate = "23617536";
}
instance of Win32_PerfFormattedData_PerfOS_Memory
{
	AvailableBytes = "1238610176";
	AvailableKBytes = "1111924";
	AvailableMBytes = "1085";
	CacheBytes = "49934336";
	CacheBytesPeak = "155365376";
	CacheFaultsPersec = 0;
	CommitLimit = "4294033408";
	CommittedBytes = "1131204608";
	DemandZeroFaultsPersec = 175;
	FreeAndZeroPageListBytes = "630083584";
	FreeSystemPageTableEntries = 33555674;
	ModifiedPageListBytes = "46796800";
	PageFaultsPersec = 175;
	PageReadsPersec = 10;
	PagesInputPersec = 0;
	PagesOutputPersec = 0;
	PagesPersec = 0;
	PageWritesPersec = 3;
	PercentCommittedBytesInUse = 26;
	PoolNonpagedAllocs = 126788;
	PoolNonpagedBytes = "46321664";
	PoolPagedAllocs = 105056;
	PoolPagedBytes = "145367040";
	PoolPagedResidentBytes = "145051648";
	StandbyCacheCoreBytes = "0";
	StandbyCacheNormalPriorityBytes = "420179968";
	StandbyCacheReserveBytes = "88346624";
	SystemCacheResidentBytes = "49934336";
	SystemCodeResidentBytes = "2596864";
	SystemCodeTotalBytes = "7192576";
	SystemDriverResidentBytes = "5947392";
	SystemDriverTotalBytes = "5259264";
	TransitionFaultsPersec = 0;
	TransitionPagesRePurposedPersec = 0;
	WriteCopiesPersec = 0;
}

Query Samples

Hosts with low available memory

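_sourceCategory=OS/Windows "Win32_PerfFormattedData_PerfOS_Memory" "AvailableBytes"
// Prefer the host named in the message ("winbox = <host>") and fall back to
// _sourceHost when it is absent or empty. The named capture group <dest_host>
// is required here; without it the if() below has no dest_host field to read.
| parse regex "winbox = (?<dest_host>\S+)" nodrop
| if (isNull(dest_host) or dest_host="",_sourceHost,dest_host) as host
// The WMI dump writes values with or without quotes, so the regex accepts both.
| kv regex "= (?:\"|)(.*?)(?:\"|);" keys "AvailableBytes" as aBytes
| timeslice 1m
| avg(aBytes) as AvgAvailableBytes by host,_timeslice
| int(AvgAvailableBytes/(1024*1024)) as AvgAvailMBytes
| where AvgAvailMBytes < 100
// 100MB is the threshold for this alert
| count as DataPoints by host
| where DataPoints > 10
// another threshold: more than 10 minutes where the limit drops under the above threshold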

Avg CPU Usage (%) by Host

_sourceCategory=OS/Windows "Win32_PerfFormattedData_PerfOS_Processor" "_Total"
// Extract the _Total PercentProcessorTime value; the WMI dump may or may not
// quote it, so the regex tolerates both forms.
| kv regex "= (?:\"|)(.*?)(?:\"|);" keys "PercentProcessorTime" as cpuPct
// Attribute the sample to the host named in the message ("winbox = <host>"),
// falling back to _sourceHost when that field is missing or empty.
| parse regex "winbox = (?<dest_host>\S+)" nodrop
| if (isNull(dest_host) or dest_host="",_sourceHost,dest_host) as host
| timeslice 1m
| avg(cpuPct) as AvgProcTime by host,_timeslice
// Newest slice first, one column per host.
| sort - _timeslice
| transpose row _timeslice column host