Universal forwarder and WMI

brentsinawski
Explorer

I have a question about how to get a universal forwarder to send the data I would normally receive from WMI. I am trying to get remote performance monitoring from the universal forwarders. I currently have 3 servers with universal forwarders installed on them and one indexer. After the initial install I can't seem to change any settings on the universal forwarders. Should I add the servers to the event log collection with WMI? And if I were to do that, would the data be sent through the universal forwarders? All of the servers are Windows based.

0 Karma

cyue_splunk
Splunk Employee

You can copy the wmi.conf file from the Windows App to UF's etc/system/local, then you'll get more WMI performance events, such as WMI: CPUTime, WMI: Memory, etc.

cyue_splunk
Splunk Employee

One more thing: inputs.conf and wmi.conf will both pull Windows Event logs with two different sourcetypes, so you might want to disable one of them to avoid duplicated events. The Windows app dashboard uses input from inputs.conf, so I suggest disabling the inputs from wmi.conf, events with sourcetypes: [WMI:LocalApplication], [WMI:LocalSystem], [WMI:LocalSecurity]

0 Karma
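An added example, not part of the original posts or of any Splunk tooling: a small check for the duplicate collection described in the reply above, reporting event logs that are enabled in both inputs.conf and wmi.conf. It assumes the inputs.conf event log stanzas are named `[WinEventLog://<log>]` and that the WMI event log stanzas carry an `event_log_file` setting; the function names and sample files are constructed for illustration.

```python
import configparser

# Constructed sample files (not taken from the thread or a real deployment).
SAMPLE_INPUTS_CONF = """
[WinEventLog://Application]
disabled = 0
[WinEventLog://Security]
disabled = 0
[WinEventLog://System]
disabled = 1
"""

SAMPLE_WMI_CONF = """
[WMI:LocalApplication]
event_log_file = Application
disabled = 0
[WMI:LocalSystem]
event_log_file = System
disabled = 0
[WMI:LocalSecurity]
event_log_file = Security
disabled = 1
[WMI:CPUTime]
server = localhost
wql = SELECT PercentProcessorTime, PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name = "_Total"
disabled = 0
"""

def _load(text):
    # interpolation=None keeps '%' literal; strict=False tolerates repeated stanzas.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def _enabled(section):
    # Assumption: a stanza without a "disabled" key counts as enabled.
    return section.get("disabled", "0").strip().lower() not in ("1", "true")

def duplicated_event_logs(inputs_text, wmi_text):
    """Return {event log name: WMI stanza} for logs enabled in both files."""
    inputs, wmi = _load(inputs_text), _load(wmi_text)
    prefix = "WinEventLog://"
    direct = {s[len(prefix):].lower() for s in inputs.sections()
              if s.startswith(prefix) and _enabled(inputs[s])}
    dupes = {}
    for stanza in wmi.sections():
        for log in wmi[stanza].get("event_log_file", "").split(","):
            if log.strip().lower() in direct and _enabled(wmi[stanza]):
                dupes[log.strip()] = stanza
    return dupes
```

Each stanza returned is a candidate for `disabled = 1` in wmi.conf, following the suggestion to keep the inputs.conf collection that the Windows app dashboard uses.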

brentsinawski
Explorer

Thanks, that worked perfectly.

0 Karma

hartfoml
Motivator

Are you getting any data at all from the UF to the indexer?

If so, are you trying to use deployment server to send configuration for WMI to UF?

If you just want to set up WMI on just the three UF systems and they are already sending logs, then just set up a WMI.CONF file in the etc/system/local directory. The WMI.conf file will tell the UF what to collect.

Use this type of stanza in the WMI.conf file

[WMI:CPUTime]
interval = 5
disabled = 0
server = localhost
wql = SELECT PercentProcessorTime, PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name = "_Total"

hartfoml
Motivator

Sure anything I can do to help.

Post a question if you have something specific you need help with.

0 Karma

tympaniplayer
Path Finder

Would love to get some help with this from you hartfoml if you wouldn't mind.

0 Karma

brentsinawski
Explorer

Thanks for the help!

0 Karma

hartfoml
Motivator

Send me an email if you need anything else. I have set this exact thing up in my environment and am very familiar. Glad to help if I can.

0 Karma

brentsinawski
Explorer

Yeah, I am receiving data from the UF, just not everything I'm wanting.
By the end of the year we will be using Splunk to monitor over 300 servers so we are just testing and configuring right now.

I will give that a try.

Thank you,

0 Karma