How to pull logs using WMI with a Splunk universal...

rishabhey2016 · ‎04-26-2016

In reference to the following link:
https://answers.splunk.com/answers/26743/can-i-index-wmi-from-a-splunk-instance-running-on-linux.htm...
I want to know that How to pulls log using WMI by Splunk universal forwarder?

javiergn · ‎04-27-2016

I'm guessing you installed the UF on Windows therefore you have several ways to do this.
My preferred one would be to use a powershell input and collect WMI this way.
Example:

inputs.conf
Windows 8 and 2012 using Get-CimInstance

[powershell://CollectProcessInfoFromWmi]
script = Get-CimInstance Win32_Process | Select-Object Field1, Field2, Field3
schedule = 0 */5 * ? * *
sourcetype = Windows:MyWmiData

PRE Windows 8 and 2012 using Get-WmiObject

[powershell://CollectProcessInfoFromWmi]
script = Get-WmiObject -Class Win32_Process | Select-Object Field1, Field2, Field3
schedule = 0 */5 * ? * *
sourcetype = Windows:MyWmiData

See the following links for more info:

http://docs.splunk.com/Documentation/Splunk/6.4.0/Data/MonitorWindowsdatawithPowerShellscripts
https://technet.microsoft.com/en-us/library/hh849824.aspx
https://technet.microsoft.com/en-us/library/jj590758(v=wps.630).aspx

javiergn · ‎05-09-2016

Hi, did you get this working at all?

How to pull logs using WMI with a Splunk universal forwarder?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Casting Call: Compete in Cyber Games

Announcing Modern Navigation: A New Era of Splunk User Experience

How Edge Processor's Durable Queue Works

Join the Conversation