Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Deploying wmi.conf for windows universal forwarder...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I need a little help with the ability to deploy wmi.conf to my clients.
As I understand the wmi.conf must go into the /etc/system/local folder on the windows client. How do I put this file in there OR tell splunk to look in the /etc/apps/[deployment-client app] folder which gets put there properly, for the wmi.conf file?
Splunk 4.3.1 with deployment-server, have about 30 windows universal forwarders with proper serverclass.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I apologize for being late to the party, as it were.
Use your deployment server properly and create an app for the WMI stuff. In this case, we'll call it winsvr-localwmi. Place your wmi.conf in the default directory:
$SPLUNK_HOME/etc/apps/deployment-apps/winsvr-localwmi/default
If you don't have the input defined, you'll need an inputs.conf in the same directory:
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
Lastly, be sure your universal forwards restart after the change, or you might end up scratching your head. I made a server class for all my Windows machines. Since my Splunk installation is all RHEL, all my Windows boxes are UFs only.
I put this in my serverclass.conf:
[serverClass:Forwarder_Universal_Windows]
blacklist.0 = *
disabled = 0
filterType = blacklist
machineTypes = windows-intel,windows-x64
restartSplunkd = True
Posting this anyway because I hate finding answers more than once. 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I apologize for being late to the party, as it were.
Use your deployment server properly and create an app for the WMI stuff. In this case, we'll call it winsvr-localwmi. Place your wmi.conf in the default directory:
$SPLUNK_HOME/etc/apps/deployment-apps/winsvr-localwmi/default
If you don't have the input defined, you'll need an inputs.conf in the same directory:
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
Lastly, be sure your universal forwards restart after the change, or you might end up scratching your head. I made a server class for all my Windows machines. Since my Splunk installation is all RHEL, all my Windows boxes are UFs only.
I put this in my serverclass.conf:
[serverClass:Forwarder_Universal_Windows]
blacklist.0 = *
disabled = 0
filterType = blacklist
machineTypes = windows-intel,windows-x64
restartSplunkd = True
Posting this anyway because I hate finding answers more than once. 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A great idea that work perfectly!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
WOW iunderwood this works perfectly. Thank you very much.
CX Day is Coming!
Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!
Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console
