We are getting a lot of errors from the splunkd.log about a failing splunk-wmi.exe. Here is the exact error:
ERROR ExecProcessor - message from ""D:\Program Files\Splunk\bin\splunk-wmi.exe"" WMI - Unable to connect to WMI namespace "root\cimv2" (attempt to connect took 0 microseconds) (error="One of the parameters to the call is not correct." HRESULT=80041008)
This seems to be happening on mostly the 2k servers but not all of them, and the 2k8 servers are fine. Also the failing servers, when I run the following command I get the same result:
splunk-wmi.exe -wql "select PagesPerSec, AvailableMBytes, CommittedBytes, PercentCommittedBytesInUse from Win32_PerfFormattedData_PerfOS_Memory"
Also when I ran that query using "wbemtest" on one of the failing servers, I get an invalid class error (80041010). Why would this error be different from splunk? We also tried restarting winmgmt and deleting the repository but that didn't change anything. Does the missing class just mean that server does not have the required wmi object and that wql cannot be run there. If so what would be a different wql we could run to get the cputime and memory? Also is there a way to blacklist the windows app in the serverclass.conf by specifying the os type?
Thanks
Win 2k Server is not supported by Splunk 4.x. Probably that's the reason why Win2k8 works while Win2k does not.
http://www.splunk.com/base/Documentation/latest/Installation/Systemrequirements
Unfortunately, blacklist in serverclass.conf only accepts IP Address, HostName, or ClinetName which is set in deploeyemtclient.conf. "machineTypes" can specify window, linux, etc, but not win2k or win2k8. If you specify ClientName in deploymentclient.conf and make use of it to identify which os, you can use blacklist to specify hosts by the os types.
http://www.splunk.com/base/Documentation/latest/Admin/Definedeploymentclasses
http://www.splunk.com/base/Documentation/latest/Admin/Configuredeploymentclients
Win 2k Server is not supported by Splunk 4.x. Probably that's the reason why Win2k8 works while Win2k does not.
http://www.splunk.com/base/Documentation/latest/Installation/Systemrequirements
Unfortunately, blacklist in serverclass.conf only accepts IP Address, HostName, or ClinetName which is set in deploeyemtclient.conf. "machineTypes" can specify window, linux, etc, but not win2k or win2k8. If you specify ClientName in deploymentclient.conf and make use of it to identify which os, you can use blacklist to specify hosts by the os types.
http://www.splunk.com/base/Documentation/latest/Admin/Definedeploymentclasses
http://www.splunk.com/base/Documentation/latest/Admin/Configuredeploymentclients
Not the answer I was hoping for but does explain everything. Specifying the clientName in deploymentclient.conf although probably the better solution later if other app need to be disabled is really no different than blacklisting each server in serverclass.conf. Thanks for your reply.