Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to resolve an "Invalid key in stanza [WMI:Patching]" error that occurs after defining a WMI input on universal forwarder?

FritzWittwer
Contributor
‎11-01-2016 02:47 PM

I have a WMI Input defined on a universal forwarder and I get the following error while starting Splunk, and of course nothing gets indexed from this input

**Checking prerequisites...
        Checking mgmt port [8089]: open
        Checking conf files for problems...
                Invalid key in stanza [WMI:Patching] in C:\Program Files\SplunkUniversalForwarder\etc\apps\its-440-Splunk_TA_windows_6_4_2\local\inputs.conf, line 292: wql  (value:  select 'Description'', HotfixID', 'InstalledOn' from 'Win32_QuickFixEngineering').**

I did not find any hints in the documentation, i also tried an example WQL query from the docs and got the same error.
I try the following Input:

[WMI:Patching]
interval = 10
wql = select Description, HotfixID, InstalledOn from Win32_QuickFixEngineering
disabled = 0
index = testing

the search is working:

C:\Program Files\SplunkUniversalForwarder\bin>splunk-wmi.exe -wql "select Description, HotfixID, InstalledOn from Win32_QuickFixEngineering"

***SPLUNK*** index= source="WMI:unspecified" sourcetype="WMI:unspecified"

---splunk-wmi-end-of-event---
20161101223526.526996
Description=Update
HotFixID=KB3176936
InstalledOn=8/25/2016
wmi_type=unspecified

---splunk-wmi-end-of-event---
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bshuler_splunk
Splunk Employee
Splunk Employee
‎11-02-2016 12:31 AM

The docs for this are here: http://docs.splunk.com/Documentation/Splunk/6.3.5/Admin/Wmiconf

It looks like you are doing it right, except you need those lines in a wmi.conf, not an inputs.conf

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bshuler_splunk
Splunk Employee
Splunk Employee
‎11-02-2016 12:31 AM

The docs for this are here: http://docs.splunk.com/Documentation/Splunk/6.3.5/Admin/Wmiconf

It looks like you are doing it right, except you need those lines in a wmi.conf, not an inputs.conf

0 Karma
Reply
Solved! Jump to solution

FritzWittwer
Contributor
‎11-02-2016 12:58 AM

upps, stupid me, thanks for pointing me towards the solution

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎11-01-2016 02:56 PM

A potential problem can be the space between "Program Files"..

0 Karma
Reply
Get Updates on the Splunk Community!

What’s New in Splunk Cloud Platform 9.1.2308?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2308! Analysts can ...

Index This | Why do they call it hyper text?

November 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk

For the past three years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...