Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to resolve an "Invalid key in stanza [WMI:Patching]" error that occurs after defining a WMI input on universal forwarder?

FritzWittwer
Contributor
‎11-01-2016 02:47 PM

I have a WMI Input defined on a universal forwarder and I get the following error while starting Splunk, and of course nothing gets indexed from this input

**Checking prerequisites...
        Checking mgmt port [8089]: open
        Checking conf files for problems...
                Invalid key in stanza [WMI:Patching] in C:\Program Files\SplunkUniversalForwarder\etc\apps\its-440-Splunk_TA_windows_6_4_2\local\inputs.conf, line 292: wql  (value:  select 'Description'', HotfixID', 'InstalledOn' from 'Win32_QuickFixEngineering').**

I did not find any hints in the documentation, i also tried an example WQL query from the docs and got the same error.
I try the following Input:

[WMI:Patching]
interval = 10
wql = select Description, HotfixID, InstalledOn from Win32_QuickFixEngineering
disabled = 0
index = testing

the search is working:

C:\Program Files\SplunkUniversalForwarder\bin>splunk-wmi.exe -wql "select Description, HotfixID, InstalledOn from Win32_QuickFixEngineering"

***SPLUNK*** index= source="WMI:unspecified" sourcetype="WMI:unspecified"

---splunk-wmi-end-of-event---
20161101223526.526996
Description=Update
HotFixID=KB3176936
InstalledOn=8/25/2016
wmi_type=unspecified

---splunk-wmi-end-of-event---
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bshuler_splunk
Splunk Employee
Splunk Employee
‎11-02-2016 12:31 AM

The docs for this are here: http://docs.splunk.com/Documentation/Splunk/6.3.5/Admin/Wmiconf

It looks like you are doing it right, except you need those lines in a wmi.conf, not an inputs.conf

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bshuler_splunk
Splunk Employee
Splunk Employee
‎11-02-2016 12:31 AM

The docs for this are here: http://docs.splunk.com/Documentation/Splunk/6.3.5/Admin/Wmiconf

It looks like you are doing it right, except you need those lines in a wmi.conf, not an inputs.conf

0 Karma
Reply
Solved! Jump to solution

FritzWittwer
Contributor
‎11-02-2016 12:58 AM

upps, stupid me, thanks for pointing me towards the solution

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎11-01-2016 02:56 PM

A potential problem can be the space between "Program Files"..

0 Karma
Reply
Get Updates on the Splunk Community!

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...

There's No Place Like Chrome and the Splunk Platform

WATCH NOW!Malware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

Customer Experience | Join the Customer Advisory Board!

Are you ready to take your Splunk journey to the next level? 🚀 We invite you to join our elite squad ...