https://community.splunk.com/t5/Getting-Data-In/Windows-splunk-wmi-exe/m-p/743083#M118075 <P>Hi,<BR />Windows UF stopped sending events. I saw this event in _internal index<BR />'<SPAN class="">message</SPAN> <SPAN class="">from</SPAN><SPAN> ""</SPAN><SPAN class="">C:\Program</SPAN> <SPAN class="">Files\SplunkUniversalForwarder\bin\splunk-wmi.exe</SPAN><SPAN>"" </SPAN><SPAN class="">Clean</SPAN> <SPAN class="">shutdown</SPAN> <SPAN class="">completed.</SPAN>'</P><P><SPAN>The UF version is&nbsp;9.2.1<BR /></SPAN><BR />What does it mean, and how&nbsp;<SPAN>to avoid it from happening again?</SPAN></P><P>&nbsp;</P> Mon, 31 Mar 2025 11:54:27 GMT zafar 2025-03-31T11:54:27Z https://community.splunk.com/t5/Getting-Data-In/Windows-splunk-wmi-exe/m-p/743083#M118075 <P>Hi,<BR />Windows UF stopped sending events. I saw this event in _internal index<BR />'<SPAN class="">message</SPAN> <SPAN class="">from</SPAN><SPAN> ""</SPAN><SPAN class="">C:\Program</SPAN> <SPAN class="">Files\SplunkUniversalForwarder\bin\splunk-wmi.exe</SPAN><SPAN>"" </SPAN><SPAN class="">Clean</SPAN> <SPAN class="">shutdown</SPAN> <SPAN class="">completed.</SPAN>'</P><P><SPAN>The UF version is&nbsp;9.2.1<BR /></SPAN><BR />What does it mean, and how&nbsp;<SPAN>to avoid it from happening again?</SPAN></P><P>&nbsp;</P> Mon, 31 Mar 2025 11:54:27 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-splunk-wmi-exe/m-p/743083#M118075 zafar 2025-03-31T11:54:27Z https://community.splunk.com/t5/Getting-Data-In/Windows-splunk-wmi-exe/m-p/743084#M118076 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/308953">@zafar</a>&nbsp;,</P><P>wmi is a way to extract events from a remote windows system, are you speaking of UF stopping events of the receiver or of monitored system?</P><P>could you better describe how this Uf is working?</P><P>Ciao.</P><P>Giuseppe</P> Mon, 31 Mar 2025 11:58:52 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-splunk-wmi-exe/m-p/743084#M118076 gcusello 2025-03-31T11:58:52Z https://community.splunk.com/t5/Getting-Data-In/Windows-splunk-wmi-exe/m-p/743085#M118077 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/308953">@zafar</a>,</P><P>The event you're seeing indicates that the WMI Input on your Universal Forwarder (UF) has performed a clean shutdown. This typically happens when the Splunk service is stopped/restarted OR can be if you have your WMI input setup on an interval - in which case it is notifying you that it has completed.</P><P>Here are some steps you can take to investigate further:</P><OL><LI><STRONG>Check your ingested data:&nbsp;</STRONG>Are you actually missing any WMI events from the UF?&nbsp;</LI><LI><STRONG>Check the Splunk Service:</STRONG> Ensure that the Splunk service is running on the Windows machine. You can check this in the Windows Services console or by running the following command in a command prompt: <EM><STRONG>sc query SplunkForwarder</STRONG></EM></LI><LI><STRONG>Review the Splunkd.log:</STRONG> Look for any errors or warnings related to the splunk-wmi.exe in the Splunkd.log file, located in the $SPLUNK_HOME\var\log\splunk directory.</LI><LI><STRONG>Check for Resource Issues:</STRONG> Make sure the Windows machine has sufficient resources (CPU, memory, disk space) to run the Splunk UF. Insufficient resources can lead to unexpected shutdowns or process halting.</LI><LI><STRONG>Review Scheduled Restarts:</STRONG> If you have any scheduled tasks or scripts that restart the Splunk service or Windows machine, ensure they are configured correctly and not causing unintended shutdowns.</LI></OL><P>If you continue to experience issues, please provide more details about your environment, including the Splunk version, operating system, and any relevant configuration settings. This will help in further troubleshooting.</P><DIV><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span> <STRONG>Did this answer help you?</STRONG> If so, please consider:</P><UL><LI>Adding kudos to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification</LI></UL><P>Your feedback encourages the volunteers in this community to continue contributing</P></DIV> Mon, 31 Mar 2025 13:22:33 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-splunk-wmi-exe/m-p/743085#M118077 livehybrid 2025-03-31T13:22:33Z https://community.splunk.com/t5/Getting-Data-In/Windows-splunk-wmi-exe/m-p/743256#M118087 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/308953">@zafar</a>&nbsp;,</P><P>good for you, see next time!</P><P>let me know if I can help you more, or, please, accept one answer for the other people of Community.</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Wed, 02 Apr 2025 14:25:12 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-splunk-wmi-exe/m-p/743256#M118087 gcusello 2025-04-02T14:25:12Z