How to pull logs using WMI with a Splunk universal...

rishabhey2016 · ‎04-26-2016

In reference to the following link:
https://answers.splunk.com/answers/26743/can-i-index-wmi-from-a-splunk-instance-running-on-linux.htm...
I want to know that How to pulls log using WMI by Splunk universal forwarder?

javiergn · ‎04-27-2016

I'm guessing you installed the UF on Windows therefore you have several ways to do this.
My preferred one would be to use a powershell input and collect WMI this way.
Example:

inputs.conf
Windows 8 and 2012 using Get-CimInstance

[powershell://CollectProcessInfoFromWmi]
script = Get-CimInstance Win32_Process | Select-Object Field1, Field2, Field3
schedule = 0 */5 * ? * *
sourcetype = Windows:MyWmiData

PRE Windows 8 and 2012 using Get-WmiObject

[powershell://CollectProcessInfoFromWmi]
script = Get-WmiObject -Class Win32_Process | Select-Object Field1, Field2, Field3
schedule = 0 */5 * ? * *
sourcetype = Windows:MyWmiData

See the following links for more info:

http://docs.splunk.com/Documentation/Splunk/6.4.0/Data/MonitorWindowsdatawithPowerShellscripts
https://technet.microsoft.com/en-us/library/hh849824.aspx
https://technet.microsoft.com/en-us/library/jj590758(v=wps.630).aspx

javiergn · ‎05-09-2016

Hi, did you get this working at all?

How to pull logs using WMI with a Splunk universal forwarder?

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Unlock Database Monitoring with Splunk Observability Cloud

Join the Conversation

How to pull logs using WMI with a Splunk universal forwarder?

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Unlock Database Monitoring with Splunk Observability Cloud