topic Re: WMI source/sourcetype problem in Getting Data In

WMI source/sourcetype problem

msallman — Thu, 13 May 2010 22:05:43 GMT

We are having a problem getting the Windows app to display wmi data. It seems that the wmi data we are getting is being indexed with source=script & sourcetype=exec, so none of the Windows app dashboards/views for wmi work.

We seem to have the correct stanzas for wmi in props.conf and transforms.conf, but no luck...

Any ideas?

Thanks, Mike

Re: WMI source/sourcetype problem

Lowell — Thu, 13 May 2010 23:45:14 GMT

Hmm.. Think we need more info here. Which version of splunk are you running? Do you have the windows app installed and have you done the setup for the windows app?

Re: WMI source/sourcetype problem

Voltaire — Fri, 14 May 2010 05:52:44 GMT

Does the windows forwarder use an admin account to start the Splunk* services? Have you tried running the WBEMTEST on the LWF ?

Follow these steps to test the configuration of the Splunk server and the remote machine: 1. Log into the machine Splunk runs with the same account you strat the splunkd and splunkweb services or as the user Splunk runs as. 2. Click Start -> Run and type wbemtest. The wbemtest application starts. 3. Click Connect and type \\root\cimv2, replacing with the name of the remote server. Click Connect. If you are unable to connect, there is a problem with the authentication between the machines. 4. If you are able to connect, click Query and type select * from win32_service. Click Apply. After a short wait, you should see a list of running services. If this does not work, then the authentication works, but the user Splunk is running as does not have enough privileges to run that operation.

Do you see any ouptput in your splunkd.log to isolate the problem(s) ?

Good Luck

Re: WMI source/sourcetype problem

oreoshake — Fri, 14 May 2010 06:59:38 GMT

Try running C:\Program Files\Splunk>bin\splunk.exe cmd btool --debug wmi list

That will show if any configs are clobbering other settings

Re: WMI source/sourcetype problem

msallman — Fri, 14 May 2010 19:29:02 GMT

Voltaire, thanks for the suggestion, but the wmi data seems to be getting into Splunk just fine (other than being indexed "wrong").

Re: WMI source/sourcetype problem

msallman — Mon, 28 Sep 2020 09:12:28 GMT

oreoshake, thanks. That's good to know. I'll have to read up on that feature. Below is a (very) brief snip of what it output. Everything showed "windows" in the first column, so I assume there are no problems there.

C:>splunk cmd btool --debug wmi list
windows [WMI:FreeDiskSpace]
windows disabled = 0
windows interval = 300
windows server = localhost
windows wql = SELECT FreeMegabytes, Name, PercentDiskTime, PercentFreeSpace, DiskBytesPersec, CurrentDiskQueueLength FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk

Re: WMI source/sourcetype problem

msallman — Fri, 14 May 2010 19:46:04 GMT

That sure came out looking ugly! 😛

Re: WMI source/sourcetype problem

oreoshake — Sat, 15 May 2010 06:10:22 GMT

Hmm, maybe you have a transform changing the sourcetype. I'd run the same command but replace wmi with props and search for those values. Or check the props.conf on your indexer?