We have Splunk indexer running on Windows 2008 server with domain account. Domain account what used to run the service has admin rights on all the windows servers in the environments.
What i am trying to achieve is this. I need to get win32_operatingsystem class details of remote windows server where forwarder is not installed. Is there any way we can do this via splunk? basically and on - demand search as there are 1000s of windows servers across the environment.
Thanks for the replies...
What i am trying to do is building a dashboard for our Windows Server support group. The source of the dashboard would different logs from different monitoring systems (like HP SiteScope). Along with these details the support group also wants to see the last reboot time(there is no forwarder present on these windows servers). I do not really want to index the last reboot details from WMI class but more of getting that data real time and show it on the board. If this is not directly possible, is there a way we can trigger a script via a splunk search and get result?
You can configure your indexer to collect data from remote systems over WMI by going to Settings -> Data Inputs -> Remote event log collection or Remote performance monitoring.
That will index that data, not do an ad-hoc search... and I'm not sure how many hosts one indexer can support on the side, but 1000s seems a bit much. If you really can't roll out forwarders to those systems you could have a bunch of heavy forwarders running that do the remote WMI calls and forward the data to your indexers.