I want to configure the universal forwarder to poll WMI data and forward it to my indexer. I understand that I need a wmi.conf file for the universal forwarder, however I do not know what to put in it.
I want to be able to poll the following, the same as the Windows app:
WMI: Memory
WMI: LocalPhysicalDisk
WMI: CPU Time
WMI: LocalNetwork
Thanks in advance!
[WMI:LocalPhysicalDisk]
interval = 3600
wql = select Name, CurrentDiskQueueLength, DiskBytesPerSec, PercentDiskReadTime, PercentDiskWriteTime, PercentDiskTime from Win32_PerfFormattedData_PerfDisk_PhysicalDisk
index = default
disabled = 0

[WMI:LocalProcesses]
interval = 3600
wql = select Name, IDProcess, PrivateBytes, PercentProcessorTime from Win32_PerfFormattedData_PerfProc_Process
index = default
disabled = 0

[WMI:Memory]
interval = 3600
wql = select PagesPerSec, AvailableMBytes, CommittedBytes, PercentCommittedBytesInUse from Win32_PerfFormattedData_PerfOS_Memory
index = default
disabled = 0

[WMI:LocalNetwork]
interval = 3600
wql = select Name, BytesReceivedPerSec, BytesSentPerSec, BytesTotalPerSec, CurrentBandwidth from Win32_PerfFormattedData_Tcpip_NetworkInterface
index = default
disabled = 0

[WMI:CPUTime]
interval = 3600
wql = SELECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"
index = default
disabled = 0
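An added check, not part of this thread and not Splunk's own tooling: a small Python script that parses wmi.conf stanzas like the ones above and flags the mistakes that come up later in the thread (a non-numeric interval, which is a poll period in seconds; a class name changed away from Win32_; a stanza left disabled). The sample config and its WMI:BrokenExample stanza are constructed for illustration.

```python
import configparser
import re

# Constructed sample: two stanzas from the thread plus a hypothetical broken one.
SAMPLE_WMI_CONF = """
[WMI:Memory]
interval = 3600
wql = select PagesPerSec, AvailableMBytes, CommittedBytes, PercentCommittedBytesInUse from Win32_PerfFormattedData_PerfOS_Memory
disabled = 0

[WMI:CPUTime]
interval = 3600
wql = SELECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"
disabled = 0

[WMI:BrokenExample]
interval = 60s
wql = select Name from Win64_PerfFormattedData_Tcpip_NetworkInterface
disabled = 1
"""

# Shape of the WQL the thread uses: select <fields> from <class> [where ...]
WQL_RE = re.compile(
    r"^\s*select\s+(?P<fields>.+?)\s+from\s+(?P<cls>\w+)(?:\s+where\s+.+)?\s*$",
    re.IGNORECASE,
)


def check_wmi_conf(text):
    """Return {stanza_name: [problems]}; an empty list means the stanza looks sane."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    report = {}
    for name in cp.sections():
        sec = cp[name]
        problems = []
        if not name.startswith("WMI:"):
            problems.append("stanza name should start with 'WMI:'")
        # interval is the poll period in whole seconds (3600 = hourly), no unit suffix
        if not sec.get("interval", "").isdigit():
            problems.append("interval must be a whole number of seconds")
        m = WQL_RE.match(sec.get("wql", ""))
        if not m:
            problems.append("wql missing or not of the form 'select ... from <class>'")
        elif not m.group("cls").lower().startswith("win32_"):
            # the perf classes stay Win32_* on 64-bit Windows, as the thread says
            problems.append("class %s is not a Win32_* WMI class" % m.group("cls"))
        if sec.get("disabled", "0").strip() != "0":
            problems.append("stanza is disabled, so nothing will be collected")
        report[name] = problems
    return report
```

Run it against your own file with check_wmi_conf(open(path).read()) before restarting the forwarder.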
Hi,
Can I add a sourcetype to each stanza? Because when I add "sourcetype = wmi_moniter", I am not able to see any data when I search using "sourcetype = wmi_moniter".
Thanks for your reply, but how do I get 64-bit Windows servers' WMI data into Splunk? Do I need to change the query, like "wql = select Name, BytesReceivedPerSec, BytesSentPerSec, BytesTotalPerSec, CurrentBandwidth from Win32_PerfFormattedData_Tcpip_NetworkInterface"?
Do I need to make it win64???
Thanks,
No, you can leave it as Win32.
What do you mean by interval = 3600? Is it in seconds or what? And also, how do I get 64-bit Windows servers' WMI data into Splunk (Splunk is running on a Linux box)?
Only a Windows Splunk instance or Universal Forwarder can monitor WMI on a local or remote Windows server (they use the Windows local libraries, and need to be a member of the correct AD group).
Local Windows event log: install the Universal Forwarder (use the wizard or ....\local\inputs.conf)
http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowsdata
Remote Windows boxes using WMI: edit ...\local\wmi.conf
http://docs.splunk.com/Documentation/Splunk/4.3.2/Data/ConsiderationsfordecidinghowtomonitorWindowsd...
Really stupid question, sorry, but where does wmi.conf have to be put?
$SPLUNK_HOME/etc/system/local
or in an app if you deploy your configuration in apps:
$SPLUNK_HOME/etc/apps/
Hi, I have configured all of the above in wmi.conf and I am getting data in my indexer except for WMI:LocalProcesses; I am not able to get local processes in my indexer.
All I needed to do was restart. Thanks!
You could add the following two lines to inputs.conf, change someindexname to something else, and restart the UF:
[default]
index = someindexname
I seem to not be receiving the WMI data though.
Yeah, I put the interval down considerably, and yes, the connection is in place; it is receiving perfmon data. Thanks for all your help.
Try changing the interval from 3600 to something smaller, to get the sample more frequently.
Is the connection in place between UF and the indexer?
There is a useful app: en-US/app/SplunkDeploymentMonitor/all_forwarders
Is there anything I need to do to enable this to forward the data?
You are awesome, thanks so much!
Hi..
Can you just help me out with this.. I am unable to understand that answer.