Getting Data In

How to resolve "error getting attributes of path "C:\pagefile.sys"" after pushing configurations to servers?

vr2312
Contributor

I have pushed configurations to at least 15 servers. 12 servers out of these 15 are returning with these errors, whereas the remaining 3 servers are sending us logs.

The "Pagefile.sys" is not even being monitored, and none of the files from the C:/ drive are being monitored either.

Splunk Forwarder Version 6.5.0 is being used in all the hosts.

Can anyone please guide me on what could be the issue behind these error messages?

11-04-2016 02:52:41.855 -0400 WARN  FilesystemChangeWatcher - error getting attributes of path "C:\pagefile.sys": The process cannot access the file because it is being used by another process.
11-02-2016 18:31:09.033 -0400 WARN  FilesystemChangeWatcher - error getting attributes of path "C:\pagefile.sys": The process cannot access the file because it is being used by another process.
11-02-2016 18:26:53.852 -0400 WARN  FilesystemChangeWatcher - error getting attributes of path "C:\pagefile.sys": The process cannot access the file because it is being used by another process.
11-02-2016 18:22:20.253 -0400 WARN  FilesystemChangeWatcher - error getting attributes of path "C:\pagefile.sys": The process cannot access the file because it is being used by another process.
0 Karma
1 Solution

vr2312
Contributor

Found the culprit.

The servers not sending the data had another outputs.conf that was conflicting with the configurations. I had to delete the configuration file and re-deploy the apps to the host.

And a forwarder restart fixed the issue once the configurations are updated and running.

0 Karma

jconger
Splunk Employee

On one of the servers that is failing, use btool to get a consolidated list of what Splunk is trying to monitor.

splunk.exe cmd btool inputs list
0 Karma

vr2312
Contributor

Hello @jconger

This is the output of the command.

Part 1

[MonitorNoHandle]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval =
[SSL]
_rcvbuf = 1572864
allowSslRenegotiation = true
baseline = 0
cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval =
sslQuietShutdown = false
sslVersions = ,-ssl2
[WinEventLog]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval =
[WinEventLog://Application]
_rcvbuf = 1572864
baseline = 0
checkpointInterval = 5
current_only = 0
disabled = 0
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = wineventlog
interval =
renderXml = false
start_from = oldest
[WinEventLog://Security]
_rcvbuf = 1572864
baseline = 0
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist3 = EventCode="5156"
blacklist4 = EventCode="5447"
checkpointInterval = 5
current_only = 0
disabled = 0
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 1
host = ABC
index = wineventlog
interval =
renderXml = false
start_from = oldest
[WinEventLog://Setup]
_rcvbuf = 1572864
baseline = 0
checkpointInterval = 5
current_only = 0
disabled = 0
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = wineventlog
interval =
renderXml = false
start_from = oldest
[WinEventLog://System]
_rcvbuf = 1572864
baseline = 0
checkpointInterval = 5
current_only = 0
disabled = 0
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = wineventlog
interval =
renderXml = false
start_from = oldest
[WinHostMon://Application]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval = 600
type = Application
[WinHostMon://Computer]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval = 600
type = Computer
[WinHostMon://Disk]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval = 600
type = Disk
[WinHostMon://Driver]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval = 600
type = Driver
[WinHostMon://NetworkAdapter]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval = 600
type = NetworkAdapter
[WinHostMon://OperatingSystem]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval = 600
type = OperatingSystem
[WinHostMon://Process]
_rcvbuf = 1572864
baseline = 0
disabled = 0
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval = 600
type = Process
[WinHostMon://Processor]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval = 600
type = Processor
[WinHostMon://Roles]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval = 600
type = Roles
[WinHostMon://Service]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval = 600
type = Service
[WinNetMon]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval =
[WinNetMon://inbound]
_rcvbuf = 1572864
baseline = 0
direction = inbound
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval =
[WinNetMon://outbound]
_rcvbuf = 1572864
baseline = 0
direction = outbound
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval =
[WinPrintMon]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval =
[WinPrintMon://driver]
_rcvbuf = 1572864
baseline = 1
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval = 600
type = driver
[WinPrintMon://port]
_rcvbuf = 1572864
baseline = 1
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval = 600
type = port
[WinPrintMon://printer]
_rcvbuf = 1572864
baseline = 1
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval = 600
type = printer
[WinRegMon]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval =
[WinRegMon://default]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
hive = .

host = ABC
index = windows
interval =
proc = .*
type = rename|set|delete|create
[WinRegMon://hkcu_run]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
hive = \REGISTRY\USER\.\Software\Microsoft\Windows\CurrentVersion\Run\.
host = ABC
index = windows
interval =
proc = .*
type = set|create|delete|rename
[WinRegMon://hklm_run]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
hive = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.*
host = ABC
index = windows
interval =
proc = .*
type = set|create|delete|rename
[admon]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval =
[admon://default]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval =
monitorSubtree = 1
[batch://D:\Program Files\SplunkUniversalForwarder\var\spool\splunk]
_rcvbuf = 1572864
baseline = 0
crcSalt =
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval =
move_policy = sinkhole
[batch://D:\Program Files\SplunkUniversalForwarder\var\spool\splunk...stash_new]
_rcvbuf = 1572864
baseline = 0
crcSalt =
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval =
move_policy = sinkhole
queue = stashparsing
sourcetype = stash_new
[blacklist:D:\Program Files\SplunkUniversalForwarder\etc\auth]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval =
[default]
_rcvbuf = 1572864
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
[fschange:D:\Program Files\SplunkUniversalForwarder\etc]
_rcvbuf = 1572864
baseline = 0
delayInMills = 100
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
filesPerDelay = 10
followLinks = false
fullEvent = false
hashMaxSize = -1
host = ABC
index = default
interval =
pollPeriod = 600
recurse = true
sendEventMaxSize = -1
signedaudit = true
[http]
_rcvbuf = 1572864
allowSslCompression = true
allowSslRenegotiation = true
baseline = 0
dedicatedIoThreads = 2
disabled = 1
enableSSL = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval =
maxSockets = 0
maxThreads = 0
port = 8088
sslVersions = ,-ssl2
useDeploymentServer = 0
[monitor:///Data/logs/
/eimheartbeat.log]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = main
interval =
source = generic-syslog
sourcetype = syslog
[monitor://C:\Program*\Common*\microsoft*\Web*Extensions*\logs*.]
_rcvbuf = 1572864
baseline = 0
disabled = false
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = sharepoint
interval =
queue = parsingQueue
sourcetype = sharepoint
[monitor://C:\Windows\System32\DHCP]
_rcvbuf = 1572864
baseline = 0
crcSalt =
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval =
sourcetype = DhcpSrvLog
whitelist = DhcpSrvLog

[monitor://C:\Windows\WindowsUpdate.log]
_rcvbuf = 1572864
baseline = 0
disabled = 0
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval =
sourcetype = WindowsUpdateLog
[monitor://C:\inetpub\logs\LogFiles\W**.]
_rcvbuf = 1572864
baseline = 0
disabled = false
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = sharepoint
interval =
queue = parsingQueue
sourcetype = MSWindows:2008R2:IIS
[monitor://C:\inetpub\logs\LogFiles\W3SVC1\
.log]
_rcvbuf = 1572864
baseline = 0
disabled = false
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = iis
interval =
queue = parsingQueue

0 Karma

vr2312
Contributor

Part 2

[monitor://D:\LOGS\SPLOGS*.log]
_rcvbuf = 1572864
baseline = 0
disabled = false
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = sharepoint
interval =
sourcetype = sharepoint
[monitor://D:\Logs\eBusinesslogs\Ebizlog_file.log]
_rcvbuf = 1572864
baseline = 0
crcSalt =
disabled = false
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = main
interval =
sourcetype = ebiz
[monitor://D:\Program Files\SplunkUniversalForwarder\etc\splunk.version]
_TCP_ROUTING = *
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = _internal
interval =
sourcetype = splunk_version
[monitor://D:\Program Files\SplunkUniversalForwarder\var\log\splunk]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = _internal
interval =
[monitor://D:\Program Files\SplunkUniversalForwarder\var\log\splunk\license_usage_summary.log]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = _telemetry
interval =
[monitor://D:\Program Files\SplunkUniversalForwarder\var\log\splunk\metrics.log]
_TCP_ROUTING = *
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = _internal
interval =
[monitor://D:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunk*.log]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = _internal
interval =
[monitor://D:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log]
_TCP_ROUTING = *
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = _internal
interval =
[monitor://D:\Sites\APPSSEC\Coit\App_Data\Logs*.xml]
_rcvbuf = 1572864
baseline = 0
disabled = false
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = sharepoint
interval =
sourcetype = sharepoint
[monitor://D:\Sites\INTQSAPPS\coit\App_Data\Logs*.xml]
_rcvbuf = 1572864
baseline = 0
disabled = false
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = sharepoint
interval =
sourcetype = sharepoint
[monitor://D:\logfiles\W3SVC**.log]
_rcvbuf = 1572864
baseline = 0
disabled = false
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = iis
interval =
queue = parsingQueue
sourcetype = iis
[monitor://D:\logs\IISLogs\W3SVC**.log]
_rcvbuf = 1572864
baseline = 0
disabled = false
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = iis
interval =
queue = parsingQueue
sourcetype = iis
[monitor://D:\logs\eBusinesslogs\Ebizlog_file.log]
_rcvbuf = 1572864
baseline = 0
crcSalt =
disabled = false
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = main
interval =
sourcetype = ebiz
[monitor://D:\logs\iislogfiles\W3SV**.]
_rcvbuf = 1572864
baseline = 0
disabled = false
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = sharepoint
interval =
queue = parsingQueue
sourcetype = iis
[monitor://D:\logs\splogfiles\
.]
_rcvbuf = 1572864
baseline = 0
disabled = false
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = sharepoint
interval =
queue = parsingQueue
sourcetype = sharepoint
[monitor://D:\software\IRP_FACT_BACK_OFFICE_MANAGER\Log\
.log]
_rcvbuf = 1572864
baseline = 0
disabled = false
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = main
interval =
sourcetype = irp
[monitor://d:\inetpub\irp\log*.log]
_rcvbuf = 1572864
baseline = 0
disabled = false
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = main
interval =
sourcetype = irp
[perfmon]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval = 300
[perfmon://CPU]
_rcvbuf = 1572864
baseline = 0
counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
disabled = 0
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = perfmon
instances = *
interval = 7200
object = Processor
useEnglishOnly = true
[perfmon://LogicalDisk]
_rcvbuf = 1572864
baseline = 0
counters = % Free Space; Free Megabytes; Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = perfmon
instances = *
interval = 10
object = LogicalDisk
useEnglishOnly = true
[perfmon://Memory]
_rcvbuf = 1572864
baseline = 0
counters = Page Faults/sec; Available Bytes; Committed Bytes; Commit Limit; Write Copies/sec; Transition Faults/sec; Cache Faults/sec; Demand Zero Faults/sec; Pages/sec; Pages Input/sec; Page Reads/sec; Pages Output/sec; Pool Paged Bytes; Pool Nonpaged Bytes; Page Writes/sec; Pool Paged Allocs; Pool Nonpaged Allocs; Free System Page Table Entries; Cache Bytes; Cache Bytes Peak; Pool Paged Resident Bytes; System Code Total Bytes; System Code Resident Bytes; System Driver Total Bytes; System Driver Resident Bytes; System Cache Resident Bytes; % Committed Bytes In Use; Available KBytes; Available MBytes; Transition Pages RePurposed/sec; Free & Zero Page List Bytes; Modified Page List Bytes; Standby Cache Reserve Bytes; Standby Cache Normal Priority Bytes; Standby Cache Core Bytes; Long-Term Average Standby Cache Lifetime (s)
disabled = 0
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = perfmon
interval = 7200
object = Memory
useEnglishOnly = true
[perfmon://Network]
_rcvbuf = 1572864
baseline = 0
counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = perfmon
instances = *
interval = 10
object = Network Interface
useEnglishOnly = true
[perfmon://PhysicalDisk]
_rcvbuf = 1572864
baseline = 0
counters = Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = perfmon
instances = *
interval = 10
object = PhysicalDisk
useEnglishOnly = true
[perfmon://Process]
_rcvbuf = 1572864
baseline = 0
counters = % Processor Time; % User Time; % Privileged Time; Virtual Bytes Peak; Virtual Bytes; Page Faults/sec; Working Set Peak; Working Set; Page File Bytes Peak; Page File Bytes; Private Bytes; Thread Count; Priority Base; Elapsed Time; ID Process; Creating Process ID; Pool Paged Bytes; Pool Nonpaged Bytes; Handle Count; IO Read Operations/sec; IO Write Operations/sec; IO Data Operations/sec; IO Other Operations/sec; IO Read Bytes/sec; IO Write Bytes/sec; IO Data Bytes/sec; IO Other Bytes/sec; Working Set - Private
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = perfmon
instances = *
interval = 10
object = Process
useEnglishOnly = true
[perfmon://System]
_rcvbuf = 1572864
baseline = 0
counters = File Read Operations/sec; File Write Operations/sec; File Control Operations/sec; File Read Bytes/sec; File Write Bytes/sec; File Control Bytes/sec; Context Switches/sec; System Calls/sec; File Data Operations/sec; System Up Time; Processor Queue Length; Processes; Threads; Alignment Fixups/sec; Exception Dispatches/sec; Floating Emulations/sec; % Registry Quota In Use
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = perfmon
instances = *
interval = 10
object = System
useEnglishOnly = true
[powershell]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval =
[powershell2]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval =
[script]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval = 60.0
start_by_shell = false
[script://D:\Program Files\SplunkUniversalForwarder\bin\scripts\splunk-wmi.path]
_rcvbuf = 1572864
baseline = 0
disabled = 0
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval = 10000000
persistentQueueSize = 200MB
queue = winparsing
source = wmi
sourcetype = wmi
[script://D:\Program Files\SplunkUniversalForwarder\etc/apps/app_rmwindow_TA/bin/delsplunkta.bat]
_rcvbuf = 1572864
baseline = 0
disabled = false
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = main
interval = 7200
sourcetype = rmsplunkta

0 Karma

vr2312
Contributor

Part 3

[script://D:\Program Files\SplunkUniversalForwarder\etc\apps\wbg_Splunk_TA_windows\bin\win_installed_apps.bat]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval = 86400
sourcetype = Script:InstalledApps
[script://D:\Program Files\SplunkUniversalForwarder\etc\apps\wbg_Splunk_TA_windows\bin\win_listening_ports.bat]
_rcvbuf = 1572864
baseline = 0
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = windows
interval = 3600
sourcetype = Script:ListeningPorts
[splunktcp]
_rcvbuf = 1572864
acceptFrom = *
baseline = 0
connection_host = ip
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval =
route = has_key:tautology:parsingQueue;absent_key:tautology:parsingQueue
[tcp]
_rcvbuf = 1572864
acceptFrom = *
baseline = 0
connection_host = dns
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval =
[udp]
_rcvbuf = 1572864
baseline = 0
connection_host = ip
disabled = 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = ABC
index = default
interval =

0 Karma
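Added example, not part of the thread and not Splunk's own code: a Python script that reads `btool inputs list` output in the format posted above, keeps only the enabled `monitor://` stanzas, and reports the longest wildcard-free prefix of each path, which under Splunk's documented wildcard handling is the location the forwarder actually watches. The sample text is constructed from stanza names in the post, and the function names are hypothetical.

```python
import re

# Constructed sample in the format of `splunk.exe cmd btool inputs list`
# (stanza names taken from the output posted above, settings trimmed).
SAMPLE = r"""
[monitor://C:\Program*\Common*\microsoft*\Web*Extensions*\logs*.]
disabled = false
index = sharepoint
[monitor://C:\Windows\System32\DHCP]
disabled = 1
index = windows
[monitor://C:\Windows\WindowsUpdate.log]
disabled = 0
index = windows
[monitor://D:\logs\IISLogs\W3SVC**.log]
disabled = false
index = iis
[WinEventLog://Security]
disabled = 0
index = wineventlog
"""

# Values that mark a stanza as disabled; the output above uses 0/1 and false.
DISABLED_VALUES = {"1", "true"}

def parse_stanzas(text):
    """Return {stanza name: {key: value}} from btool-style output."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def wildcard_free_root(path):
    """Longest leading part of the path that contains no '*' or '...'."""
    hits = [i for i in (path.find("*"), path.find("...")) if i != -1]
    if not hits:
        return path  # no wildcard: the path itself is what gets watched
    prefix = path[:min(hits)]
    cut = max(prefix.rfind("\\"), prefix.rfind("/"))
    return prefix[:cut + 1]

def enabled_monitors(text):
    """List (path, watched root, index) for every enabled monitor stanza."""
    rows = []
    for name, settings in parse_stanzas(text).items():
        if not name.startswith("monitor://"):
            continue
        if settings.get("disabled", "0").lower() in DISABLED_VALUES:
            continue
        path = name[len("monitor://"):]
        rows.append((path, wildcard_free_root(path), settings.get("index", "")))
    return rows

def drive_root_watches(text):
    """Enabled monitor paths whose wildcard-free root is a bare drive."""
    return [p for p, root, _ in enabled_monitors(text)
            if re.fullmatch(r"[A-Za-z]:[\\/]", root)]

if __name__ == "__main__":
    for path, root, index in enabled_monitors(SAMPLE):
        print(f"{root:<32} index={index:<12} {path}")
    print("drive-root watches:", drive_root_watches(SAMPLE))
```

A root that comes out as a bare drive such as `C:\` means the forwarder has to examine the top level of that drive to find matches, which is where files like `pagefile.sys` live.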