Monitor missing WMI events pull Windows Server

rossikwan — Thu, 09 Aug 2012 06:47:39 GMT

Hi all,

I have below Splunk setup for the various kind of servers events,

Main indexer: Linux Redhat installed with Splunk indexer, search head, (for UNIX UF, Linux UF, syslog, etc)
Domain joined Windows server with Splunk UF installed (for WMI pull events, shared files, etc)

Since I would like to monitor the missing status of the UNIX & Linux UF, the "missing forwarders search" in Splunk Deployment Monitor app is working fine for those hosts received from UF. It does a really great job at all.

But, since most of the Windows WMI events is pulled from the Windows Server (with UF), and that's mean the "missing forwarder search" isn't represent for the WMI host missing status.

Could anyone help that any hints to check the missing Windows host in this WMI inputs?

P.S. I am thinking that use "diff" to compare the list of hosts for WMI events in 2 period of time, and I think there should have a faster & elegant way for this. Thanks in advance.

Re: Monitor missing WMI events pull Windows Server

sdaniels — Thu, 09 Aug 2012 11:31:08 GMT

Yes, you can alert on any host that hasn't sent data in a certain period of time. The example in the link below is checking every 60 seconds but it's easy to modify.

http://splunk-base.splunk.com/answers/7466/alert-if-no-log-messages

topic Re: Monitor missing WMI events pull Windows Server in Getting Data In

Monitor missing WMI events pull Windows Server

Re: Monitor missing WMI events pull Windows Server