topic Re: Why is WMI Input field data being truncated? in Getting Data In

Why is WMI Input field data being truncated?

dstaulcu — Thu, 26 Nov 2015 01:38:34 GMT

So I would like to implement a WMI based input via WMI.conf among a subset of Splunk Universal Forwarders. In this case, I'd like to log PnpSignedDrivers. Here is the input I have defined in WMI.conf

[WMI:Win32_PnPSignedDriver]
interval = 10
wql = SELECT Description, DeviceClass, DeviceID, DeviceName, DriverDate, DriverVersion, FriendlyName, InfName, IsSigned, Location, Manufacturer FROM Win32_PnPSignedDriver

I'm getting events BUT WMI object properties such as DeviceName seem to get truncated after the first word. For instance, in Splunk the corresponding event for the DeviceName of my network interface is "Broadcom", but the actual property value of the WMI object is "Broadcom 802.11n Network Adapter".

Am I doing something wrong is this a bug?

Re: Why is WMI Input field data being truncated?

dstaulcu — Thu, 26 Nov 2015 01:42:22 GMT

ah... just looked at _raw field and the full details are in there. I guess I need to tweak field default extractions somehow

Re: Why is WMI Input field data being truncated?

dstaulcu — Tue, 29 Sep 2020 07:59:59 GMT

Well.. Here's a field extraction if you need it...

WMI:Win32_PnPSignedDriver : EXTRACT-WMI:Win32_PnPSignedDriver

Inline

^(?<eventtime>\d+\.\d+)\s+Description=(?<Description>.*)\s+DeviceClass=(?<DeviceClass>.*)\s+DeviceID=(?<DeviceID>.*)\s+DeviceName=(?<DeviceName>.*)\s+DriverDate=(?<DriverDate>(NULL|\d{8}))(0{6}\.[*+]+)?\s+DriverVersion=(?<DriverVersion>.*)\s+FriendlyName=(?<FriendlyName>.*)\s+InfName=(?<InfName>.*)\s+IsSigned=(?<IsSigned>.*)\s+Location=(?<Location>.*)\s+Manufacturer=(?<Manufacturer>.*)\s+wmi_type=(?<wmi_type>.*)$

Re: Why is WMI Input field data being truncated?

alvn_sulendra — Tue, 21 Feb 2017 01:40:46 GMT

is there any way to put the value within quote? so that we don't need to update the field extraction if we add or remove field that we want to get.