How to tell Splunk to get older data from System WMI

bogdan_nicolesc
Communicator

This is my current WMI setup:

[WMI:WinLogSysTst]
disabled = 0
event_log_file = System
index = winlogsystst
interval = 5
server = localhost
current_only = 0

How can I tell it to get older data than from when I made the input? I only get recent data and not the old data.

Thank you.


inventsekar
Ultra Champion

Hi @bogdan_nicolesc ...

current_only=0 will gather all events.

current_only: Whether or not to collect events that occur only when the Splunk platform runs. If events are generated when the Splunk platform is stopped, it will not attempt to index those events when it is started again. Set to 1 to collect events that occur only when it is running, and 0 to collect all events. Default: 0 (gather all events).



Good details can be found at the docs:

https://docs.splunk.com/Documentation/Splunk/8.2.4/Data/MonitorWMIdata


bogdan_nicolesc
Communicator

I have read all that info, but I get nothing. What am I doing wrong?


inventsekar
Ultra Champion

Well, you have to provide us with a lot more details:

1. Are you able to read other logs from this Windows box?

2. Do you have a heavy forwarder or not?

3. Do you have a UF installed on the Windows box or not?

4. This WMI configuration, where do you use it? On the indexer, heavy forwarder or UF? Which conf file?

5. After adding/updating this WMI input, did you restart the Splunk service on the UF?


bogdan_nicolesc
Communicator

I don't know how to respond to your questions, but:

It is an old, free licence version of Splunk.

It's v6.4.11, build 0691276baf18, installed on the machine I want to get the data from.

I tried to modify the wmi.conf file in Splunk\etc\apps\search\local and added the stanza current_only = 0, with no improvement.

1. Are you able to read other logs from this Windows box? - I get Security logs via WMI, if that is what you are asking.

2. Do you have a heavy forwarder or not? - It is a full installation of Splunk, with all bells and whistles; I guess that is a heavy forwarder.

3. Do you have a UF installed on the Windows box or not? - Given what I said at 2., is this still relevant?

4. This WMI configuration, where do you use it? On the indexer, heavy forwarder or UF? Which conf file? - I will try my best to answer this one: it is wmi.conf from Splunk\etc\apps\search\local.

5. After adding/updating this WMI input, did you restart the Splunk service on the UF? - I modified it with Splunk closed ...

Also, I get this too:

Data could not be written: /nobody/search/inputs/WinEventLog://System/start_from: oldest

when trying to add it from "Local event log collection".


inventsekar
Ultra Champion

1. May I know why you use the old version of free Splunk, when you could have the recent versions of free Splunk? (The old versions might have issues, particularly on Windows, and the recent versions are generally patched.)

2. I think you need to update the inputs.conf on the Windows box (we should use wmi.conf only to collect WMI from a remote Windows box).

For our reference, this answer is from a reply by @yannK:

Only a Windows Splunk or Universal Forwarder can monitor WMI on local or remote Windows servers. (They use the Windows local libraries, and need to be a member of the correct AD group.)


bogdan_nicolesc
Communicator

1. May I know why you use the old version of free Splunk [...] - You should never ask such a silly question :)). But on a serious note, I'm using it because newer versions require newer Windows. Not all versions run on Win7. And because of that, I no longer have the option of a user, which leads me to this error:

Data could not be written: /nobody/search/inputs/WinEventLog://System/start_from: oldest

I think /nobody refers to the fact that the user option is taken out, and that's why I can't write to this:

\Splunk\etc\apps\search\default\inputs.conf

from the Splunk Web interface.

2. I think you need to update the inputs.conf on the Windows box - I am leaving inputs.conf at D:\Program Files\Splunk\etc\apps\search\default\inputs.conf clear and using D:\Program Files\Splunk\etc\apps\search\local\wmi.conf instead, as I have more control over it, and my initial question was what stanza I can use in this file so I can get older data in, as current_only = 0 is doing nothing. I get the same recent items in. It would have been nice if I had this simple solution of writing a stanza in that file and getting all the information. In the same WMI input I get my Windows Security logs too. I like this solution because I can get different Windows logs into different indexes. And now I think I can set inputs.conf to send different logs' data to different indexes?!? Am I correct?

- Now a bit of backstory/history: When I tried the first time to pull this magic trick, I don't really know how or why, but I managed to double the data. That means that I somehow managed to index the same data twice. I wasn't very happy; in fact, I was very upset about the fact that I have to go spelunking through the same data ... twice.

So I deleted the original index and started again. The second time wasn't as easy as the first time, as I got the above-mentioned /nobody error.

I don't like the workaround solution; in fact, I much dislike it because it's not an elegant solution, but what can I do ... it is what it is, and it is working.

3. The link you provided no longer works correctly; it sends me to the homepage of the documentation.

Cheers 🙂

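As an added example (not part of the thread and not Splunk's own sample configuration), here are the two configurations the replies above talk about, written out as complete stanzas: the original poster's local wmi.conf input with current_only = 0 made explicit, and the inputs.conf WinEventLog stanzas that the "Local event log collection" page writes, which is where the start_from = oldest setting in the error path /nobody/search/inputs/WinEventLog://System/start_from: oldest comes from. The Security stanza and its index name winlogsectst are assumptions added to show the one-log-per-index layout the poster asks about; the System index name and the 5-second interval are taken from the original post.

```ini
# wmi.conf (Splunk\etc\apps\search\local\wmi.conf)
# The poster's local WMI input. Splunk .conf files do not support trailing
# comments on a setting line, so every comment here sits on its own line.
[WMI:WinLogSysTst]
disabled = 0
event_log_file = System
index = winlogsystst
# Seconds between WMI polls (value from the original post).
interval = 5
server = localhost
# 0 = collect all events; 1 = only events raised while Splunk is running.
current_only = 0

# inputs.conf (Splunk\etc\apps\search\local\inputs.conf)
# Native Windows event log input, the same stanza the
# "Local event log collection" page tries to write.
[WinEventLog://System]
disabled = 0
# Start at the oldest event still held in the log rather than the newest.
start_from = oldest
# 0 = also read events that were logged while Splunk was stopped.
current_only = 0
# Assumption: reuse the index name from the WMI stanza above.
index = winlogsystst

# One stanza per event log is what lets each log land in its own index.
# The index name below is an assumption for illustration.
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
index = winlogsectst
```

After editing either file with Splunk stopped, or restarting Splunk after the edit, confirm what the merged configuration actually contains with `splunk btool wmi list --debug` and `splunk btool inputs list --debug` from the Splunk bin directory (splunk.exe on Windows); the --debug column shows which file each setting came from, which is the quickest way to see whether a local setting is being overridden. Both start_from and current_only describe where a freshly created input begins reading; this thread does not settle whether changing them on an input that already has a checkpoint makes Splunk re-read events it has already passed.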