Documentation forServer & Application Monitor

Performance Counter Monitors

As described in Work with component monitors, SAM includes several "component monitor types" that use various methods to focus on elements such as services, logs, or processes. Performance Counter Monitors are component monitors that tally specific elements of applications, Windows services, SolarWinds services, logs, processes, and so on.

For example, the following templates include component monitors which are Performance Counter Monitors that count various values:

Note the following details that apply to most component monitors categorized as Performance Counter Monitors:

  • The statistic displayed for a component monitor in the Orion Web Console is either:
  • Performance counters are assumed to exist within the root/CIMV2 namespace.
  • You can configure a preferred Fetching Method to collect data from target nodes.

If you create a custom Performance Counter Monitor in the Component Monitor Wizard, you'll be prompted to provide several values, as described next.


A default description of the monitor, which you can add to or replace. The variable to access this field is ${UserDescription}.

Component Type

Identifies the component type as a Performance Counter Monitor.

Enable Component

Determines whether the component is enabled. Disabling a component leaves it in the application in a deactivated state not influencing either SolarWinds SAM application availability or status.

Credential for Monitoring

Select a Windows credential that can access the target node with rights to do what the component monitor needs to do. This is typically a Windows administrator-level credential.

Count statistic as difference

This option changes the statistic to be the difference in counter values between polling cycles. It only applies to monitors whose counter value increases consistently during each polling interval. Examples of when this option is not applicable include cases such as the following:

  • Counter values sometimes increase and sometimes decrease from one polling interval to another (typical behavior for many counters)
  • Counter values consistently decrease from one polling interval to another

If this option is not applicable, negative data values are replaced with zero (0). The counter monitor shows 0 as the statistic data value in related widgets and 0 as the value on statistic data charts for this interval.


Enter the name of the performance counter. For example: Processor Time.


Enter the instance name of the performance counter. For example: _Total.

If the performance counter has multiple instances, you can monitor each instance separately by creating a Performance Counter Monitor for each instance. For example, the performance counter % Processor Time has two instances if you have a dual-CPU system: 0 for the first CPU and 1 for the second CPU. You can create a separate Performance Counter Monitor to monitor each instance of the counter.


Enter the category of the performance counter.

All performance counters are assumed to exist within the root/CIMV2 namespace. For example: Processor.

Convert Value

Select the Convert Value check box to open the Formula box where you can manipulate the returned value with a variety of mathematical possibilities. Choose common functions from drop-down lists to manipulate the returned value, or select the Custom Conversion option to set a Convert values in data transformations for SAM component monitors.

Fetching Method

Configure the method used to gather data. For details, see Choose a fetching method for Performance Counter Monitors in SAM.

WinRM Authentication Mechanism

If the SAM WinRM toggle is enabled for application polling on the Orion server and target nodes, select an authentication method for the connection. The default setting is Negotiate.

  • Default: Specifies the transport to use for WS-Management protocol requests and responses: HTTP or HTTPS. The default is HTTP.
  • Digest: User name and password are required. The client sends a request with authentication data to an authenticating server, usually a domain controller. If the client is authenticated, then the server receives a Digest session key to authenticate subsequent requests from the client.
  • Negotiate: The client sends a request to the server to determine the protocol to use for Simple and Protected Negotiation (SPNEGO) authentication, which can be either:
    • Kerberos for domain accounts, or
    • NTLM for local computer accounts
  • Basic: User name and password are required, as sent via HTTP or HTTPS in a domain or workgroup.
  • Kerberos: User name and password are required for mutual authentication between the client and server, using encrypted keys. The client account must be a domain account in the same domain as the server. When a client uses default credentials, Kerberos is the authentication method if the connection string is not one of the following: localhost,, or [::1].
  • NtlmDomain: User name and password are required for NTLM authentication. The client proves its identity by sending a user name, password, and domain name.
  • CredSssp: User name and password are optional. The Credential Security Support Provider (CredSSP) lets an application delegate the user credentials from the client to the target server for remote authentication. The client is authenticated over the encrypted channel by using the SPNEGO protocol with either Kerberos or NTLM.

    Portions excerpted from the WinRM Glossary (© 2020, Microsoft Corp., available at, obtained on March 13, 2020).

Statistic Threshold

Specify a threshold that indicates a warning or critical level was breached. Logical operators are in the drop-down field, followed by a blank field where you can enter a value for the threshold. For example: Less than 15 for warning, Less than 5 for critical. See Application Monitor Thresholds.

User Notes

Add notes for easy reference. You can access this field by using the variable, ${UserNotes}.