
I have pushed configurations to at least 15 servers. 12 servers out of these 15 are returning with these errors, whereas the remaining 3 servers are sending us logs.
The "Pagefile.sys" is not even being monitored, nor are any of the files from the C:/ drive being monitored.
Splunk Forwarder Version 6.5.0 is being used in all the hosts.
Can anyone please guide me on what could be the issue behind these error messages?
11-04-2016 02:52:41.855 -0400 WARN FilesystemChangeWatcher - error getting attributes of path "C:\pagefile.sys": The process cannot access the file because it is being used by another process.
11-02-2016 18:31:09.033 -0400 WARN FilesystemChangeWatcher - error getting attributes of path "C:\pagefile.sys": The process cannot access the file because it is being used by another process.
11-02-2016 18:26:53.852 -0400 WARN FilesystemChangeWatcher - error getting attributes of path "C:\pagefile.sys": The process cannot access the file because it is being used by another process.
11-02-2016 18:22:20.253 -0400 WARN FilesystemChangeWatcher - error getting attributes of path "C:\pagefile.sys": The process cannot access the file because it is being used by another process.

Found the culprit.
The servers not sending the data had another outputs.conf that was conflicting with the configurations. I had to delete the configuration file and re-deploy the apps to the host.
And a forwarder restart fixed the issue once the configurations are updated and running.


On one of the servers that is failing, use btool to get a consolidated list of what Splunk is trying to monitor.
splunk.exe cmd btool inputs list
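
Added example, not part of the thread: the same btool approach applied to outputs.conf, the file the original poster reports as the conflict. It parses the output of `splunk.exe cmd btool outputs list --debug`, where every line is prefixed with the file it came from, and reports which files contribute forwarding settings. The sample output, app name, group names and indexer addresses are constructed.

```python
import re

# Constructed sample of `splunk.exe cmd btool outputs list --debug` output: each
# line is "<source file> <stanza header or key = value>". App name, group
# names and indexer addresses are invented for illustration.
SAMPLE = r"""
D:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf [tcpout]
D:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf autoLBFrequency = 30
D:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf defaultGroup = old_indexers
D:\Program Files\SplunkUniversalForwarder\etc\apps\deploy_outputs\local\outputs.conf [tcpout:new_indexers]
D:\Program Files\SplunkUniversalForwarder\etc\apps\deploy_outputs\local\outputs.conf server = idx1.example.com:9997
D:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf [tcpout:old_indexers]
D:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf server = 192.0.2.10:9997
"""

# The install path contains a space ("Program Files"), so split on the first
# ".conf" followed by whitespace instead of on the first space.
LINE = re.compile(r"^(?P<src>.+?\.conf)\s+(?P<body>\S.*)$")


def parse_btool_debug(text):
    """Return {stanza: {key: (value, source_file)}} for the merged config."""
    merged, stanza = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        src, body = m.group("src"), m.group("body").strip()
        if body.startswith("[") and body.endswith("]"):
            stanza = body[1:-1]
            merged.setdefault(stanza, {})
        elif stanza is not None and "=" in body:
            key, _, value = body.partition("=")
            merged[stanza][key.strip()] = (value.strip(), src)
    return merged


def audit_tcpout(merged):
    """Summarise where forwarding settings come from and which groups are default."""
    sources, groups = set(), []
    for stanza, settings in merged.items():
        if stanza != "tcpout" and not stanza.startswith("tcpout:"):
            continue
        if stanza.startswith("tcpout:"):
            groups.append(stanza.split(":", 1)[1])
        for _value, src in settings.values():
            # Shipped defaults are expected on every host; ignore them.
            if "/system/default/" not in src.replace("\\", "/").lower():
                sources.add(src)
    value, group_src = merged.get("tcpout", {}).get("defaultGroup", ("", None))
    active = [g.strip() for g in value.split(",") if g.strip()]
    return {
        "sources": sorted(sources),
        "default_group_source": group_src,
        "active_groups": active,
        # Data goes to defaultGroup unless an input sets _TCP_ROUTING.
        "not_default_groups": sorted(g for g in groups if g not in active),
    }


if __name__ == "__main__":
    report = audit_tcpout(parse_btool_debug(SAMPLE))
    if len(report["sources"]) > 1:
        print("tcpout settings are merged from more than one outputs.conf:")
        for path in report["sources"]:
            print("  " + path)
    print("defaultGroup set in:", report["default_group_source"])
    print("groups defined but not in defaultGroup:", report["not_default_groups"])
```

In the constructed sample, a leftover outputs.conf in etc\system\local sets defaultGroup, so the group delivered by the deployed app is defined but never becomes the default destination.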

Hello @jconger
This is the output of the command.
Part 1
[MonitorNoHandle]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval =
[SSL]
_rcvbuf = 1572864
allowSslRenegotiation = true
baseline = 0
cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval =
sslQuietShutdown = false
sslVersions = ,-ssl2
[WinEventLog]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval =
[WinEventLog://Application]
_rcvbuf = 1572864
baseline = 0
checkpointInterval = 5
current_only = 0
disabled = 0
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = wineventlog
interval =
renderXml = false
start_from = oldest
[WinEventLog://Security]
_rcvbuf = 1572864
baseline = 0
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist3 = EventCode="5156"
blacklist4 = EventCode="5447"
checkpointInterval = 5
current_only = 0
disabled = 0
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 1
host = ABC
index = wineventlog
interval =
renderXml = false
start_from = oldest
[WinEventLog://Setup]
_rcvbuf = 1572864
baseline = 0
checkpointInterval = 5
current_only = 0
disabled = 0
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = wineventlog
interval =
renderXml = false
start_from = oldest
[WinEventLog://System]
_rcvbuf = 1572864
baseline = 0
checkpointInterval = 5
current_only = 0
disabled = 0
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = wineventlog
interval =
renderXml = false
start_from = oldest
[WinHostMon://Application]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval = 600
type = Application
[WinHostMon://Computer]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval = 600
type = Computer
[WinHostMon://Disk]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval = 600
type = Disk
[WinHostMon://Driver]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval = 600
type = Driver
[WinHostMon://NetworkAdapter]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval = 600
type = NetworkAdapter
[WinHostMon://OperatingSystem]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval = 600
type = OperatingSystem
[WinHostMon://Process]
_rcvbuf = 1572864
baseline = 0
disabled = 0
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval = 600
type = Process
[WinHostMon://Processor]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval = 600
type = Processor
[WinHostMon://Roles]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval = 600
type = Roles
[WinHostMon://Service]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval = 600
type = Service
[WinNetMon]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval =
[WinNetMon://inbound]
_rcvbuf = 1572864
baseline = 0
direction = inbound
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval =
[WinNetMon://outbound]
_rcvbuf = 1572864
baseline = 0
direction = outbound
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval =
[WinPrintMon]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval =
[WinPrintMon://driver]
_rcvbuf = 1572864
baseline = 1
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval = 600
type = driver
[WinPrintMon://port]
_rcvbuf = 1572864
baseline = 1
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval = 600
type = port
[WinPrintMon://printer]
_rcvbuf = 1572864
baseline = 1
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval = 600
type = printer
[WinRegMon]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval =
[WinRegMon://default]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
hive = .
host = ABC
index = windows
interval =
proc = .*
type = rename|set|delete|create
[WinRegMon://hkcu_run]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
hive = \REGISTRY\USER\.\Software\Microsoft\Windows\CurrentVersion\Run\.
host = ABC
index = windows
interval =
proc = .*
type = set|create|delete|rename
[WinRegMon://hklm_run]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
hive = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.*
host = ABC
index = windows
interval =
proc = .*
type = set|create|delete|rename
[admon]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval =
[admon://default]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval =
monitorSubtree = 1
[batch://D:\Program Files\SplunkUniversalForwarder\var\spool\splunk]
_rcvbuf = 1572864
baseline = 0
crcSalt =
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval =
move_policy = sinkhole
[batch://D:\Program Files\SplunkUniversalForwarder\var\spool\splunk...stash_new]
_rcvbuf = 1572864
baseline = 0
crcSalt =
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval =
move_policy = sinkhole
queue = stashparsing
sourcetype = stash_new
[blacklist:D:\Program Files\SplunkUniversalForwarder\etc\auth]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval =
[default]
_rcvbuf = 1572864
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
[fschange:D:\Program Files\SplunkUniversalForwarder\etc]
_rcvbuf = 1572864
baseline = 0
delayInMills = 100
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
filesPerDelay = 10
followLinks = false
fullEvent = false
hashMaxSize = -1
host = ABC
index = default
interval =
pollPeriod = 600
recurse = true
sendEventMaxSize = -1
signedaudit = true
[http]
_rcvbuf = 1572864
allowSslCompression = true
allowSslRenegotiation = true
baseline = 0
dedicatedIoThreads = 2
disabled = 1
enableSSL = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval =
maxSockets = 0
maxThreads = 0
port = 8088
sslVersions = ,-ssl2
useDeploymentServer = 0
[monitor:///Data/logs//eimheartbeat.log]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = main
interval =
source = generic-syslog
sourcetype = syslog
[monitor://C:\Program*\Common*\microsoft*\Web*Extensions*\logs*.]
_rcvbuf = 1572864
baseline = 0
disabled = false
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = sharepoint
interval =
queue = parsingQueue
sourcetype = sharepoint
[monitor://C:\Windows\System32\DHCP]
_rcvbuf = 1572864
baseline = 0
crcSalt =
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval =
sourcetype = DhcpSrvLog
whitelist = DhcpSrvLog
[monitor://C:\Windows\WindowsUpdate.log]
_rcvbuf = 1572864
baseline = 0
disabled = 0
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval =
sourcetype = WindowsUpdateLog
[monitor://C:\inetpub\logs\LogFiles\W**.]
_rcvbuf = 1572864
baseline = 0
disabled = false
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = sharepoint
interval =
queue = parsingQueue
sourcetype = MSWindows:2008R2:IIS
[monitor://C:\inetpub\logs\LogFiles\W3SVC1\.log]
_rcvbuf = 1572864
baseline = 0
disabled = false
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = iis
interval =
queue = parsingQueue

Part 2
[monitor://D:\LOGS\SPLOGS*.log]
_rcvbuf = 1572864
baseline = 0
disabled = false
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = sharepoint
interval =
sourcetype = sharepoint
[monitor://D:\Logs\eBusinesslogs\Ebizlog_file.log]
_rcvbuf = 1572864
baseline = 0
crcSalt =
disabled = false
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = main
interval =
sourcetype = ebiz
[monitor://D:\Program Files\SplunkUniversalForwarder\etc\splunk.version]
_TCP_ROUTING = *
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = _internal
interval =
sourcetype = splunk_version
[monitor://D:\Program Files\SplunkUniversalForwarder\var\log\splunk]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = _internal
interval =
[monitor://D:\Program Files\SplunkUniversalForwarder\var\log\splunk\license_usage_summary.log]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = _telemetry
interval =
[monitor://D:\Program Files\SplunkUniversalForwarder\var\log\splunk\metrics.log]
_TCP_ROUTING = *
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = _internal
interval =
[monitor://D:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunk*.log]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = _internal
interval =
[monitor://D:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log]
_TCP_ROUTING = *
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = _internal
interval =
[monitor://D:\Sites\APPSSEC\Coit\App_Data\Logs*.xml]
_rcvbuf = 1572864
baseline = 0
disabled = false
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = sharepoint
interval =
sourcetype = sharepoint
[monitor://D:\Sites\INTQSAPPS\coit\App_Data\Logs*.xml]
_rcvbuf = 1572864
baseline = 0
disabled = false
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = sharepoint
interval =
sourcetype = sharepoint
[monitor://D:\logfiles\W3SVC**.log]
_rcvbuf = 1572864
baseline = 0
disabled = false
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = iis
interval =
queue = parsingQueue
sourcetype = iis
[monitor://D:\logs\IISLogs\W3SVC**.log]
_rcvbuf = 1572864
baseline = 0
disabled = false
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = iis
interval =
queue = parsingQueue
sourcetype = iis
[monitor://D:\logs\eBusinesslogs\Ebizlog_file.log]
_rcvbuf = 1572864
baseline = 0
crcSalt =
disabled = false
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = main
interval =
sourcetype = ebiz
[monitor://D:\logs\iislogfiles\W3SV**.]
_rcvbuf = 1572864
baseline = 0
disabled = false
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = sharepoint
interval =
queue = parsingQueue
sourcetype = iis
[monitor://D:\logs\splogfiles\.]
_rcvbuf = 1572864
baseline = 0
disabled = false
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = sharepoint
interval =
queue = parsingQueue
sourcetype = sharepoint
[monitor://D:\software\IRP_FACT_BACK_OFFICE_MANAGER\Log\.log]
_rcvbuf = 1572864
baseline = 0
disabled = false
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = main
interval =
sourcetype = irp
[monitor://d:\inetpub\irp\log*.log]
_rcvbuf = 1572864
baseline = 0
disabled = false
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = main
interval =
sourcetype = irp
[perfmon]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval = 300
[perfmon://CPU]
_rcvbuf = 1572864
baseline = 0
counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
disabled = 0
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = perfmon
instances = *
interval = 7200
object = Processor
useEnglishOnly = true
[perfmon://LogicalDisk]
_rcvbuf = 1572864
baseline = 0
counters = % Free Space; Free Megabytes; Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = perfmon
instances = *
interval = 10
object = LogicalDisk
useEnglishOnly = true
[perfmon://Memory]
_rcvbuf = 1572864
baseline = 0
counters = Page Faults/sec; Available Bytes; Committed Bytes; Commit Limit; Write Copies/sec; Transition Faults/sec; Cache Faults/sec; Demand Zero Faults/sec; Pages/sec; Pages Input/sec; Page Reads/sec; Pages Output/sec; Pool Paged Bytes; Pool Nonpaged Bytes; Page Writes/sec; Pool Paged Allocs; Pool Nonpaged Allocs; Free System Page Table Entries; Cache Bytes; Cache Bytes Peak; Pool Paged Resident Bytes; System Code Total Bytes; System Code Resident Bytes; System Driver Total Bytes; System Driver Resident Bytes; System Cache Resident Bytes; % Committed Bytes In Use; Available KBytes; Available MBytes; Transition Pages RePurposed/sec; Free & Zero Page List Bytes; Modified Page List Bytes; Standby Cache Reserve Bytes; Standby Cache Normal Priority Bytes; Standby Cache Core Bytes; Long-Term Average Standby Cache Lifetime (s)
disabled = 0
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = perfmon
interval = 7200
object = Memory
useEnglishOnly = true
[perfmon://Network]
_rcvbuf = 1572864
baseline = 0
counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = perfmon
instances = *
interval = 10
object = Network Interface
useEnglishOnly = true
[perfmon://PhysicalDisk]
_rcvbuf = 1572864
baseline = 0
counters = Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = perfmon
instances = *
interval = 10
object = PhysicalDisk
useEnglishOnly = true
[perfmon://Process]
_rcvbuf = 1572864
baseline = 0
counters = % Processor Time; % User Time; % Privileged Time; Virtual Bytes Peak; Virtual Bytes; Page Faults/sec; Working Set Peak; Working Set; Page File Bytes Peak; Page File Bytes; Private Bytes; Thread Count; Priority Base; Elapsed Time; ID Process; Creating Process ID; Pool Paged Bytes; Pool Nonpaged Bytes; Handle Count; IO Read Operations/sec; IO Write Operations/sec; IO Data Operations/sec; IO Other Operations/sec; IO Read Bytes/sec; IO Write Bytes/sec; IO Data Bytes/sec; IO Other Bytes/sec; Working Set - Private
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = perfmon
instances = *
interval = 10
object = Process
useEnglishOnly = true
[perfmon://System]
_rcvbuf = 1572864
baseline = 0
counters = File Read Operations/sec; File Write Operations/sec; File Control Operations/sec; File Read Bytes/sec; File Write Bytes/sec; File Control Bytes/sec; Context Switches/sec; System Calls/sec; File Data Operations/sec; System Up Time; Processor Queue Length; Processes; Threads; Alignment Fixups/sec; Exception Dispatches/sec; Floating Emulations/sec; % Registry Quota In Use
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = perfmon
instances = *
interval = 10
object = System
useEnglishOnly = true
[powershell]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval =
[powershell2]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval =
[script]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval = 60.0
start_by_shell = false
[script://D:\Program Files\SplunkUniversalForwarder\bin\scripts\splunk-wmi.path]
_rcvbuf = 1572864
baseline = 0
disabled = 0
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval = 10000000
persistentQueueSize = 200MB
queue = winparsing
source = wmi
sourcetype = wmi
[script://D:\Program Files\SplunkUniversalForwarder\etc/apps/app_rmwindow_TA/bin/delsplunkta.bat]
_rcvbuf = 1572864
baseline = 0
disabled = false
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = main
interval = 7200
sourcetype = rmsplunkta

Part 3
[script://D:\Program Files\SplunkUniversalForwarder\etc\apps\wbg_Splunk_TA_windows\bin\win_installed_apps.bat]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval = 86400
sourcetype = Script:InstalledApps
[script://D:\Program Files\SplunkUniversalForwarder\etc\apps\wbg_Splunk_TA_windows\bin\win_listening_ports.bat]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval = 3600
sourcetype = Script:ListeningPorts
[splunktcp]
_rcvbuf = 1572864
acceptFrom = *
baseline = 0
connection_host = ip
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval =
route = has_key:tautology:parsingQueue;absent_key:tautology:parsingQueue
[tcp]
_rcvbuf = 1572864
acceptFrom = *
baseline = 0
connection_host = dns
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval =
[udp]
_rcvbuf = 1572864
baseline = 0
connection_host = ip
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval =
