Monitor missing WMI events pull Windows Server

rossikwan · ‎08-08-2012

Hi all,

I have below Splunk setup for the various kind of servers events,

Main indexer: Linux Redhat installed with Splunk indexer, search head, (for UNIX UF, Linux UF, syslog, etc)
Domain joined Windows server with Splunk UF installed (for WMI pull events, shared files, etc)

Since I would like to monitor the missing status of the UNIX & Linux UF, the "missing forwarders search" in Splunk Deployment Monitor app is working fine for those hosts received from UF. It does a really great job at all.

But, since most of the Windows WMI events is pulled from the Windows Server (with UF), and that's mean the "missing forwarder search" isn't represent for the WMI host missing status.

Could anyone help that any hints to check the missing Windows host in this WMI inputs?

P.S. I am thinking that use "diff" to compare the list of hosts for WMI events in 2 period of time, and I think there should have a faster & elegant way for this. Thanks in advance.

sdaniels · ‎08-09-2012

Yes, you can alert on any host that hasn't sent data in a certain period of time. The example in the link below is checking every 60 seconds but it's easy to modify.

http://splunk-base.splunk.com/answers/7466/alert-if-no-log-messages

Monitor missing WMI events pull Windows Server

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM