Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: All configurations not appearing in Event Log ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
All configurations not appearing in Event Log Collection list
I have splunk running on a Windows Server 2008. I have configured splunk to access our DC remotely for event logs. I am working to placing forwarders in the remote locations, but until then. I have some servers not appearing the list and I can't access the configuration to change settings. Any help would be appreciated.
Thx
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After doing more research I have found another who is reporting the same problem I am having only better. See question "WMI event logs manager".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
C:\Program Files\Splunk\etc\apps\search\wmi.conf this doesnt seem right, its missing a \local. should be:
C:\Program Files\Splunk\etc\apps\search\local\wmi.conf
Also from the machine that you are trying to grab the data from, try running wbemtest and see if you can retrieve logs from the other hosts.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the info, however the problem isn't getting the log data into splunk, the problem is that the tasks that are configured do not appear on the configuation page in the Splunk> web UI. I have 9 remote event logs tasks appearing, in the wmi.conf file I have 21. I would very much like to manage these from the Web UI and not from the conf file. Any ideas as the issue of this symptom? Thanks for all the imputs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Same Domain. One collection task per server I don't see all the jobs in the collection task list.
Look at Splunk> errors, I know why I am not getting data server names have changed, I don't know why some are not appearing in the collection task list. Can not edit them through the web page if they don't appear. Have changed the # of items to display with no luck.
Can I edit the wmi.conf file and am I looking at the right one? C:\Program Files\Splunk\etc\apps\search\wmi.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Jkittle, are you using one event log collection, specifying additional hosts, or do you have a collection for each DC? Are all of the domain controllers members of the same domain?
Also, please check "Search >> Searches & Reports >> Errors >> Splunk errors last 24 hours" for any errors from the splunk server related to your missing DC's.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
