Getting Data In

I've installed Splunk on Windows, and I see splunk-wmi.exe and splunk-regmon.exe programs. What are these? Can I turn them off?

Splunk Employee

Installed Splunk on a Windows machine, and in Task Manager I see these two processes running by default. How can I disable them?

1 Solution

Splunk Employee

splunk-wmi.exe and splunk-regmon.exe are instantiated by default by the inputs.conf located in %SPLUNK_HOME%\etc\apps\search\default.

You can see this by running the following command:

    C:\Program Files\Splunk\bin>splunk list exec
    $SPLUNK_HOME\bin\scripts\splunk-admon.py
    $SPLUNK_HOME\bin\scripts\splunk-regmon.py
    $SPLUNK_HOME\bin\scripts\splunk-wmi.py

If you are sure that you will not be collecting events via WMI or monitoring the registry, then you can disable them. There are a few ways to do so:

  1. Via the CLI:

     a. cd \Progra~1\splunk\bin
     b. Run the following commands:

        splunk remove exec "$SPLUNK_HOME\bin\scripts\splunk-wmi.py" -auth admin:changeme
        splunk remove exec "$SPLUNK_HOME\bin\scripts\splunk-regmon.py" -auth admin:changeme

     If this does not work, try the following:

        splunk _internal call "/servicesNS/nobody/search/data/inputs/script/%24SPLUNK_HOME%5Cbin%5Cscripts%5Csplunk-wmi.py/disable" -method POST -auth admin:changeme
        splunk _internal call "/servicesNS/nobody/search/data/inputs/script/%24SPLUNK_HOME%5Cbin%5Cscripts%5Csplunk-regmon.py/disable" -method POST -auth admin:changeme

     The above commands should set the following in etc\apps\search\local\inputs.conf:

        [script://$SPLUNK_HOME\bin\scripts\splunk-wmi.py]
        disabled = 1

        [script://$SPLUNK_HOME\bin\scripts\splunk-regmon.py]
        disabled = 1

  2. Directly in inputs.conf: the simplest form is to manually create inputs.conf in etc\apps\search\local, enter the following, and save it:

        [script://$SPLUNK_HOME\bin\scripts\splunk-wmi.py]
        disabled = 1

        [script://$SPLUNK_HOME\bin\scripts\splunk-regmon.py]
        disabled = 1

     Upon Splunk restart, you should no longer see splunk-regmon.exe and splunk-wmi.exe running in Task Manager.

  3. Deploying inputs.conf with the above configuration to deployment clients: when deploying via this method, make sure you copy the whole search app directory to $SPLUNK_HOME/etc/deployment-apps (the default), add the above inputs.conf in the local directory, and have it propagated.

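The inputs.conf method from the accepted answer, scripted end to end as an added example (this is not code from the original post or from Splunk): it writes the two override stanzas into the search app's local directory, uses btool to confirm that disabled = 1 is the effective value before restarting, restarts splunkd, and then checks that neither helper process is still running. It avoids the CLI variants entirely, so no admin credentials have to be placed on the command line. The install path C:\Program Files\Splunk and the 15-second settle time after restart are assumptions; adjust them for your host. Run from an elevated PowerShell session, since restarting the service requires it.

```powershell
# Added example (not from the original post): disable the default splunk-wmi
# and splunk-regmon scripted inputs with a local inputs.conf override, then
# restart splunkd and confirm the two helper processes are gone.
# Assumptions: Splunk lives under C:\Program Files\Splunk (change $SplunkHome
# otherwise) and this session is elevated so the service can be restarted.
$SplunkHome = 'C:\Program Files\Splunk'
$SplunkCli  = Join-Path $SplunkHome 'bin\splunk.exe'
$LocalDir   = Join-Path $SplunkHome 'etc\apps\search\local'
$InputsConf = Join-Path $LocalDir 'inputs.conf'

# 1. The override stanzas. Their names must match the ones shipped in
#    etc\apps\search\default\inputs.conf exactly, including the literal
#    $SPLUNK_HOME token, so a single-quoted here-string keeps it unexpanded.
$Stanzas = @'

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.py]
disabled = 1

[script://$SPLUNK_HOME\bin\scripts\splunk-regmon.py]
disabled = 1
'@

New-Item -ItemType Directory -Path $LocalDir -Force | Out-Null

# Append rather than overwrite so any existing local stanzas survive, and
# skip the write if the override is already present (idempotent re-runs).
$AlreadyPresent = (Test-Path $InputsConf) -and
    (Select-String -Path $InputsConf -SimpleMatch 'splunk-wmi.py' -Quiet)
if (-not $AlreadyPresent) {
    Add-Content -Path $InputsConf -Value $Stanzas -Encoding ASCII
    Write-Output "Wrote override stanzas to $InputsConf"
} else {
    Write-Output "Override already present in $InputsConf, leaving it alone"
}

# 2. Show the merged configuration before restarting. btool --debug prints
#    which file each effective setting came from, so you can confirm the
#    local file's disabled = 1 wins over the default.
& $SplunkCli btool inputs list 'script://$SPLUNK_HOME\bin\scripts\splunk-wmi.py' --debug
& $SplunkCli btool inputs list 'script://$SPLUNK_HOME\bin\scripts\splunk-regmon.py' --debug

# 3. Restart splunkd so the change takes effect.
& $SplunkCli restart

# 4. Verify: neither helper process should be running any more. The
#    settle time is an assumption; slow hosts may need longer.
Start-Sleep -Seconds 15
$Leftover = Get-Process -Name 'splunk-wmi', 'splunk-regmon' -ErrorAction SilentlyContinue
if ($Leftover) {
    Write-Warning ("Still running: " + ($Leftover.ProcessName -join ', '))
} else {
    Write-Output 'splunk-wmi.exe and splunk-regmon.exe are no longer running.'
}
```

The btool step is the check worth keeping even if you apply the change by hand: if a stanza name is off by a character (a missing backslash, a different case in the script name), Splunk treats it as a new input rather than an override, the default stays enabled, and the processes come back after the restart.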

Splunk Employee

Note the minimal install script:

http://answers.splunk.com/questions/434/can-i-auto-install-or-deploy-splunk-onto-all-my-remote-windo...

includes disabling these inputs. If you're trying to get a forwarder to do nothing on initial install, that's as close as we can reasonably get it.

