on the weekend i messed up the Splunk Installation whith the try to move the Database to a different place. But because i'm just starting using splunk a quick reinstall got it back working... well all except Remote eventlog Collection (via WMI)
I created a new Data Input selected only the Application log on teh remote server, but nothing happens.
I checked with Splunk\bin>splunk-wmi -wql "select * from win32_service" -namespace \server\root\cimv2 if teh WMI Permissions are right and data came in just fine.
Then i tried it with renaming the wmi_checkpoint file (to force a reindex), but even after a restart nothing happens.
Any suggestion how to fix this is appreciated.
ok... so far i have no luck.
12/21/10 4:12:01.588 PM
12-21-2010 16:12:01.588 INFO IndexProcessor - rtsearch connection terminated, filter = '[ AND index::main wmi ]', _actionStreams = 0
12/21/10 4:10:40.885 PM
12-21-2010 16:10:40.885 INFO IndexProcessor - rtsearch connection established, filter = '[ AND index::main wmi ]', _activeStreams = 1, queue_size = 10000, blocking = FALSE
It's like there isn't even an attempt to read the eventlogs from the remote machine.
I am assuming that you read this article.
Also, check that you anti-virus program is not restricting the file as well. I would recommend that you run the following search to look for any additional errors.
Check to see what are the WMI errors. I would be curious to know.