Splunk does not collect WMI events

elusive · ‎11-18-2010

Splunk was collecting event before but suddenly it stopped collecting events. I have restarted Splunk several times. I see the following message being logged in splunkd.log:

11-02-2010 15:53:02.028 ERROR ExecProcessor - message from ""C:\Program Files\Splunk\bin\splunk-wmi.exe"" WMI - Unable to read from the WMI checkpoint storage: Error executing: select value from keyvaluepairs_t where primarykey=?1; Msg=unable to open database file

elusive · ‎11-18-2010

Splunk stores the information regarding what it is monitoring in the wmi_checkpoint file that is stored in %SPLUNK_HOME%\var\lib\splunk\persistentstorage. The error is encountered when wmi_checkpoint is corrupted or inaccessible. Check the following:

if you have virus scan enabled, stop it "completely" and see if this resolves the issue.
Check if you have any permission issue. Make sure the account starting Splunk services has a full control to %SPLUNK_HOME% directory.
If it is corrupted, once you move wmi_checkpoint from %SPLUNK_HOME%\var\lib\splunk\persistentstorage Splunk will reindex. Please note that this can cause Splunk to reindex Windows Event Log pulled via wmi.

If none of the above is identified as a problem, then contact Support by submitting diag and %SPLUNK_HOME%\var\lib\splunk\persistentstorage.

Splunk does not collect WMI events

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Join the Conversation

Splunk does not collect WMI events

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience