I have Splunk running on a Windows Server 2008. I have configured Splunk to access our DC remotely for event logs. I am working on placing forwarders in the remote locations, but until then, I have some servers not appearing in the list and I can't access the configuration to change settings. Any help would be appreciated.
C:\Program Files\Splunk\etc\apps\search\wmi.conf: this doesn't seem right, it's missing a \local. Should be:
Also from the machine that you are trying to grab the data from, try running wbemtest and see if you can retrieve logs from the other hosts.
Thanks for the info; however, the problem isn't getting the log data into Splunk. The problem is that the tasks that are configured do not appear on the configuration page in the Splunk> web UI. I have 9 remote event log tasks appearing; in the wmi.conf file I have 21. I would very much like to manage these from the web UI and not from the conf file. Any ideas as to the issue of this symptom? Thanks for all the inputs.
Same domain. One collection task per server. I don't see all the jobs in the collection task list.
Look at Splunk> errors: I know why I am not getting data (server names have changed); I don't know why some are not appearing in the collection task list. Cannot edit them through the web page if they don't appear. Have changed the # of items to display with no luck.
Can I edit the wmi.conf file and am I looking at the right one? C:\Program Files\Splunk\etc\apps\search\wmi.conf
Jkittle, are you using one event log collection, specifying additional hosts, or do you have a collection for each DC? Are all of the domain controllers members of the same domain?
Also, please check "Search >> Searches & Reports >> Errors >> Splunk errors last 24 hours" for any errors from the Splunk server related to your missing DCs.