topic Universal fowarder and WMI in Getting Data In

Universal fowarder and WMI

tympaniplayer — Mon, 06 Feb 2012 12:11:06 GMT

I want to configure the universal fowarder to poll WMI data and forward it to my indexer. I understand that I need a wmi.config file for the universal fowarder, however I do not know what to put it in it.

I want to be able to poll the following that is the same as the windows app.

WMI: Memory
WMI: LocalPhysicalDisk
WMI: CPU Time
WMI: LocalNetwork

Thanks in advance!

Re: Universal fowarder and WMI

imrago — Mon, 06 Feb 2012 12:42:50 GMT

[WMI:LocalPhysicalDisk]
interval = 3600
wql = select Name, CurrentDiskQueueLength, DiskBytesPerSec, PercentDiskReadTime, PercentDiskWriteTime, PercentDiskTime from Win32_PerfFormattedData_PerfDisk_PhysicalDisk
index = default
disabled = 0

[WMI:LocalProcesses]
interval = 3600
wql = select Name, IDProcess, PrivateBytes, PercentProcessorTime from Win32_PerfFormattedData_PerfProc_Process
index = default
disabled = 0

[WMI:Memory]
interval = 3600
wql = select PagesPerSec, AvailableMBytes, CommittedBytes, PercentCommittedBytesInUse from Win32_PerfFormattedData_PerfOS_Memory
index = default
disabled = 0

[WMI:LocalNetwork]
interval = 3600
wql = select Name, BytesReceivedPerSec, BytesSentPerSec, BytesTotalPerSec, CurrentBandwidth from Win32_PerfFormattedData_Tcpip_NetworkInterface
index = default
disabled = 0

[WMI:CPUTime]
interval = 3600
wql = SELECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"
index = default
disabled = 0

Re: Universal fowarder and WMI

tympaniplayer — Mon, 06 Feb 2012 12:45:44 GMT

you are the awesome thanks so much!

Re: Universal fowarder and WMI

tympaniplayer — Mon, 06 Feb 2012 12:59:32 GMT

is there anything I need to do to enable this to forward the data?

Re: Universal fowarder and WMI

imrago — Mon, 06 Feb 2012 13:27:35 GMT

try to change the interval from 3600 to something smaller, to get the sample more frequently

Is the connection in place between UF and the indexer?

there is a useful app: en-US/app/SplunkDeploymentMonitor/all_forwarders

Re: Universal fowarder and WMI

tympaniplayer — Mon, 06 Feb 2012 13:45:55 GMT

yeah I put the interval down considerably and yes the connection is in place, it is receiving perfmon data. Thanks for all your help

Re: Universal fowarder and WMI

tympaniplayer — Mon, 06 Feb 2012 13:54:14 GMT

I seem to not be receiving the WMI data though.

Re: Universal fowarder and WMI

imrago — Mon, 06 Feb 2012 13:54:42 GMT

you could add the following two lines to inputs.conf, change someindexname to something else and restart the UF

[default]
index = someindexname

Re: Universal fowarder and WMI

tympaniplayer — Mon, 06 Feb 2012 20:40:02 GMT

All i needed to do was restart. Thanks!

Re: Universal fowarder and WMI

chrismor — Fri, 10 Feb 2012 01:05:07 GMT

Really stupid question, sorry but where does wmi.conf have to be put?

Re: Universal fowarder and WMI

tympaniplayer — Fri, 10 Feb 2012 11:51:35 GMT

ect/system/local

Re: Universal fowarder and WMI

yannK — Wed, 11 Apr 2012 02:44:33 GMT

or in an app if you deploy your configuration in apps.
$SPLUNK_HOME/etc/apps//local/

Re: Universal fowarder and WMI

vaibhavbeohar — Fri, 01 Jun 2012 07:27:38 GMT

What do you mean by interval = 3600 , its in second or what? and also how do get 64 windows servers WMI data in splunk(Splunk is running in linux box)

Re: Universal fowarder and WMI

yannK — Fri, 01 Jun 2012 14:34:10 GMT

Only a windows splunk or Universal Forwarder can monitor WMI on local or remote windows server. (they use the windows local libraries, and need to be member of the correct AD group)

local windows event log, install Universal Forwarder (use wizard or ....\local\inputs.conf )
http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowsdata
remote windows boxes using WMI ( edit ...\local\wmi.conf)
http://docs.splunk.com/Documentation/Splunk/4.3.2/Data/ConsiderationsfordecidinghowtomonitorWindowsdata

Re: Universal fowarder and WMI

vaibhavbeohar — Mon, 28 Sep 2020 11:53:57 GMT

Thanks for your reply but how do i get 64 windows servers WMI data in splunk, do i need to change query like "wql = select Name, BytesReceivedPerSec, BytesSentPerSec, BytesTotalPerSec, CurrentBandwidth from Win32_PerfFormattedData_Tcpip_NetworkInterface"

DO i need to make win64 ???

Thanks,

Re: Universal fowarder and WMI

vaibhavbeohar — Tue, 12 Jun 2012 06:05:04 GMT

Hi, I have configure all the above configuration in wmi.conf and i am getting data in my indexer except WMI:LocalProcesses , I am not able to get Local process in my indexer.

Re: Universal fowarder and WMI

watsm10 — Wed, 19 Feb 2014 12:14:12 GMT

No, you can leave it as win32

Re: Universal fowarder and WMI

marellasunil — Mon, 28 Sep 2020 18:54:27 GMT

Hi,
Can I add sourcetype to each stanza? bec when I am adding "sourcetype = wmi_moniter", I am not able to see any data if I am searching using "sourcetype = wmi_moniter"

Re: Universal fowarder and WMI

rajinigv — Fri, 25 Jan 2019 03:40:23 GMT

hi..
can u just help me out of this.. iam unable to understand that answer.