Getting Data In

I've installed Splunk on Windows, and I see splunk-wmi.exe and splunk-regmon.exe programs. What are these? Can I turn them off?

elusive
Splunk Employee
Splunk Employee

Installed Splunk on Windows machine and in the task manager I see these two processes running by default. How can I disable it?

1 Solution

elusive
Splunk Employee
Splunk Employee

splunk-wmi.exe and splunk-regmon.exe are instantiated by default by inputs.conf located in %SPLUNK_HOME%\etc\apps\search\default.

You can see this by running the following command:

    C:\Program Files\Splunk\bin>splunk list exec
    $SPLUNK_HOME\bin\scripts\splunk-admon.py
    $SPLUNK_HOME\bin\scripts\splunk-regmon.py
    $SPLUNK_HOME\bin\scripts\splunk-wmi.py

If you are sure that you will not be collecting events via WMI or monitoring the registry, then you can disable them. There are a few ways to disable:

1. Via CLI:

   a. cd \Progra~1\splunk\bin

   b. Run the following commands:

       splunk remove exec "$SPLUNK_HOME\bin\scripts\splunk-wmi.py" -auth admin:changeme
       splunk remove exec "$SPLUNK_HOME\bin\scripts\splunk-regmon.py" -auth admin:changeme

   If this does not work, try the following:

       splunk _internal call "/servicesNS/nobody/search/data/inputs/script/%24SPLUNK_HOME%5Cbin%5Cscripts%5Csplunk-wmi.py/disable" -method POST -auth admin:changeme
       splunk _internal call "/servicesNS/nobody/search/data/inputs/script/%24SPLUNK_HOME%5Cbin%5Cscripts%5Csplunk-regmon.py/disable" -method POST -auth admin:changeme

   The above commands should set the following in etc\search\local\inputs.conf:

       [script://$SPLUNK_HOME\bin\scripts\splunk-wmi.py]
       disabled = 1

       [script://$SPLUNK_HOME\bin\scripts\splunk-regmon.py]
       disabled = 1

2. Directly in inputs.conf: The simplest form is to create inputs.conf manually in etc\search\local, enter the following and save it:

       [script://$SPLUNK_HOME\bin\scripts\splunk-wmi.py]
       disabled = 1

       [script://$SPLUNK_HOME\bin\scripts\splunk-regmon.py]
       disabled = 1

   Upon Splunk restart, you should not see splunk-regmon.exe and splunk-wmi.exe tasks running in the task manager.

3. Deploying inputs.conf with the above configuration to deployment clients: When deploying via this method, make sure you copy the whole search app directory to $SPLUNK_HOME/etc/deployment-apps (default), add the above inputs.conf in the local directory and have it propagated.

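The answer above relies on Splunk's local-over-default layering of inputs.conf: a `disabled = 1` in the local stanza overrides the default stanza, and the WMI and registry monitor scripts stop running. The script below is an added example, not part of the original answer and not Splunk's own tooling. It parses a default inputs.conf and a local inputs.conf, merges them with that precedence, reports which of the two unwanted scripted inputs are still effectively enabled, and renders the local stanzas that turn them off. The sample default file is constructed for the example (only the stanza names follow the answer; a real Splunk install carries more attributes), and the merge is simplified to one app's default/local pair rather than Splunk's full multi-app precedence.

```python
"""Check which Splunk scripted inputs are still effectively enabled after
layering a local inputs.conf over an app's default inputs.conf, and render
the local stanzas that disable the WMI and registry monitor scripts.
Added example; not Splunk's own code."""
import configparser
from typing import Dict, List

# Constructed sample of the search app's default inputs.conf. Only the stanza
# names are taken from the answer; the rest is made up for this example.
DEFAULT_INPUTS_CONF = r"""
[script://$SPLUNK_HOME\bin\scripts\splunk-admon.py]
disabled = 0

[script://$SPLUNK_HOME\bin\scripts\splunk-regmon.py]
disabled = 0

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.py]
disabled = 0
"""

# Scripted inputs that should be off when neither WMI events nor registry
# changes are being collected.
UNWANTED_SCRIPTS = (
    r"script://$SPLUNK_HOME\bin\scripts\splunk-wmi.py",
    r"script://$SPLUNK_HOME\bin\scripts\splunk-regmon.py",
)


def parse_inputs_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk's INI-style inputs.conf into {stanza: {key: value}}.
    Interpolation is off so '$' and '%' inside stanza paths stay literal."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case exactly as written
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def effective_inputs(default_text: str, local_text: str = "") -> Dict[str, Dict[str, str]]:
    """Layer local over default: a key set in a local stanza overrides the
    same key in the default stanza; untouched keys keep their default."""
    merged = parse_inputs_conf(default_text)
    for stanza, keys in parse_inputs_conf(local_text).items():
        merged.setdefault(stanza, {}).update(keys)
    return merged


def is_enabled(stanza: Dict[str, str]) -> bool:
    """A stanza runs unless 'disabled' is 1/true; a missing key means enabled."""
    return stanza.get("disabled", "0").strip().lower() not in ("1", "true")


def enabled_unwanted(effective: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the unwanted scripted inputs that are still enabled."""
    return [s for s in UNWANTED_SCRIPTS if s in effective and is_enabled(effective[s])]


def disable_stanzas_text(stanzas=UNWANTED_SCRIPTS) -> str:
    """Render the local inputs.conf fragment that disables the given stanzas."""
    return "".join(f"[{s}]\ndisabled = 1\n\n" for s in stanzas)


if __name__ == "__main__":
    print("still enabled with default only:",
          enabled_unwanted(effective_inputs(DEFAULT_INPUTS_CONF)))
    local = disable_stanzas_text()
    print("local inputs.conf to write:\n" + local)
    print("still enabled after local override:",
          enabled_unwanted(effective_inputs(DEFAULT_INPUTS_CONF, local)))
```

Running it against the real files means pointing it at `%SPLUNK_HOME%\etc\apps\search\default\inputs.conf` and `%SPLUNK_HOME%\etc\apps\search\local\inputs.conf`; an empty `enabled_unwanted` result confirms the override took effect before a restart, and `splunk btool inputs list --debug` gives Splunk's own view of the merged result.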
gkanapathy
Splunk Employee
Splunk Employee

Note the minimal install script:

http://answers.splunk.com/questions/434/can-i-auto-install-or-deploy-splunk-onto-all-my-remote-windo...

includes disabling these inputs. If you're trying to get a forwarder to do nothing on initial install, that's as close as we can reasonably get it.

0 Karma
