https://community.splunk.com/t5/Getting-Data-In/WMI-queries-using-the-LightWeightFowarder-hammering-each-server/m-p/66564#M13379 <P>Each WMI query will have it's own configuration, and you can adjust the interval independently.</P> <P><BR /> <B>Configure via the Manager:</B></P> <P>In the Manager, choose Data Inputs, then WMI Collections. Each WMI input will have its own entry there, with the polling intervals shown.</P> <P>Click on the name, e.g. <CODE>LocalProcesses</CODE>, wait for the page to display, and change the option <CODE>Poll Every</CODE> at the bottom of the screen to your desired interval. Click Save.</P> <P><BR /> <B>or, Configure via the Config Files:</B></P> <P>First, look at the default configuration in <CODE>$SPLUNK_HOME\etc\apps\windows\default\wmi.conf</CODE> to see the default configuration. Make particular note of the stanza names and the <CODE>interval</CODE> setting.</P> <P>Then, create a new file or edit the existing <CODE>$SPLUNK_HOME\etc\apps\windows\local\wmi.conf</CODE> (<I>local</I> vs. <I>default</I>).</P> <P>In that file, create a new stanza matching each of the settings you want to override, e.g.:</P> <PRE><CODE>[WMI:LocalProcesses] interval = 600 </CODE></PRE> Fri, 08 Oct 2010 04:48:57 GMT southeringtonp 2010-10-08T04:48:57Z https://community.splunk.com/t5/Getting-Data-In/WMI-queries-using-the-LightWeightFowarder-hammering-each-server/m-p/66563#M13378 <P>I am being told that was the default. I am seeing over 2 Billion WMI records, most (1.6 B) are from WMI:LocalProcesses, they look like a record for every process running on every windows server every second. Seems like a rediculus load on each server plus the overworked Splunk Linux server. (no polling WMI is setup on then Indexer) </P> <P>WMI:LocalProcesses | 1,642,530,389 WMI:LocalNetwork | 171,412,864 WMI:FreeDiskSpace | 164,186,039 WMI:LocalPhysicalDisk | 44,962,006 WMI:Memory | 43,502,032 WMI:CPUTime | 43,461,901</P> <P>I would like to change the WMI queries to once every 10 minutes, not ever second. And not effic the eventlogging. </P> <P>Which "interval" line is the correct one to fix this? </P> <P>Thanks, Bill </P> Fri, 08 Oct 2010 02:21:19 GMT https://community.splunk.com/t5/Getting-Data-In/WMI-queries-using-the-LightWeightFowarder-hammering-each-server/m-p/66563#M13378 billconnell 2010-10-08T02:21:19Z https://community.splunk.com/t5/Getting-Data-In/WMI-queries-using-the-LightWeightFowarder-hammering-each-server/m-p/66564#M13379 <P>Each WMI query will have it's own configuration, and you can adjust the interval independently.</P> <P><BR /> <B>Configure via the Manager:</B></P> <P>In the Manager, choose Data Inputs, then WMI Collections. Each WMI input will have its own entry there, with the polling intervals shown.</P> <P>Click on the name, e.g. <CODE>LocalProcesses</CODE>, wait for the page to display, and change the option <CODE>Poll Every</CODE> at the bottom of the screen to your desired interval. Click Save.</P> <P><BR /> <B>or, Configure via the Config Files:</B></P> <P>First, look at the default configuration in <CODE>$SPLUNK_HOME\etc\apps\windows\default\wmi.conf</CODE> to see the default configuration. Make particular note of the stanza names and the <CODE>interval</CODE> setting.</P> <P>Then, create a new file or edit the existing <CODE>$SPLUNK_HOME\etc\apps\windows\local\wmi.conf</CODE> (<I>local</I> vs. <I>default</I>).</P> <P>In that file, create a new stanza matching each of the settings you want to override, e.g.:</P> <PRE><CODE>[WMI:LocalProcesses] interval = 600 </CODE></PRE> Fri, 08 Oct 2010 04:48:57 GMT https://community.splunk.com/t5/Getting-Data-In/WMI-queries-using-the-LightWeightFowarder-hammering-each-server/m-p/66564#M13379 southeringtonp 2010-10-08T04:48:57Z