Getting Data In

Universal fowarder and WMI

tympaniplayer
Path Finder

I want to configure the universal fowarder to poll WMI data and forward it to my indexer. I understand that I need a wmi.config file for the universal fowarder, however I do not know what to put it in it.

I want to be able to poll the following that is the same as the windows app.

WMI: Memory
WMI: LocalPhysicalDisk
WMI: CPU Time
WMI: LocalNetwork

Thanks in advance!

Tags (2)
1 Solution

imrago
Contributor
[WMI:LocalPhysicalDisk]
interval = 3600
wql = select Name, CurrentDiskQueueLength, DiskBytesPerSec, PercentDiskReadTime, PercentDiskWriteTime, PercentDiskTime from Win32_PerfFormattedData_PerfDisk_PhysicalDisk
index = default
disabled = 0

[WMI:LocalProcesses]
interval = 3600
wql = select Name, IDProcess, PrivateBytes, PercentProcessorTime from Win32_PerfFormattedData_PerfProc_Process
index = default
disabled = 0

[WMI:Memory]
interval = 3600
wql = select PagesPerSec, AvailableMBytes, CommittedBytes, PercentCommittedBytesInUse from Win32_PerfFormattedData_PerfOS_Memory
index = default
disabled = 0

[WMI:LocalNetwork]
interval = 3600
wql = select Name, BytesReceivedPerSec, BytesSentPerSec, BytesTotalPerSec, CurrentBandwidth from Win32_PerfFormattedData_Tcpip_NetworkInterface
index = default
disabled = 0

[WMI:CPUTime]
interval = 3600
wql = SELECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"
index = default
disabled = 0

View solution in original post

marellasunil
Communicator

Hi,
Can I add sourcetype to each stanza? bec when I am adding "sourcetype = wmi_moniter", I am not able to see any data if I am searching using "sourcetype = wmi_moniter"

0 Karma

vaibhavbeohar
Path Finder

Thanks for your reply but how do i get 64 windows servers WMI data in splunk, do i need to change query like "wql = select Name, BytesReceivedPerSec, BytesSentPerSec, BytesTotalPerSec, CurrentBandwidth from Win32_PerfFormattedData_Tcpip_NetworkInterface"

DO i need to make win64 ???

Thanks,

0 Karma

watsm10
Communicator

No, you can leave it as win32

0 Karma

vaibhavbeohar
Path Finder

What do you mean by interval = 3600 , its in second or what? and also how do get 64 windows servers WMI data in splunk(Splunk is running in linux box)

0 Karma

yannK
Splunk Employee
Splunk Employee

Only a windows splunk or Universal Forwarder can monitor WMI on local or remote windows server. (they use the windows local libraries, and need to be member of the correct AD group)

0 Karma

chrismor
Explorer

Really stupid question, sorry but where does wmi.conf have to be put?

0 Karma

yannK
Splunk Employee
Splunk Employee

or in an app if you deploy your configuration in apps.
$SPLUNK_HOME/etc/apps//local/

0 Karma

tympaniplayer
Path Finder

ect/system/local

0 Karma

imrago
Contributor
[WMI:LocalPhysicalDisk]
interval = 3600
wql = select Name, CurrentDiskQueueLength, DiskBytesPerSec, PercentDiskReadTime, PercentDiskWriteTime, PercentDiskTime from Win32_PerfFormattedData_PerfDisk_PhysicalDisk
index = default
disabled = 0

[WMI:LocalProcesses]
interval = 3600
wql = select Name, IDProcess, PrivateBytes, PercentProcessorTime from Win32_PerfFormattedData_PerfProc_Process
index = default
disabled = 0

[WMI:Memory]
interval = 3600
wql = select PagesPerSec, AvailableMBytes, CommittedBytes, PercentCommittedBytesInUse from Win32_PerfFormattedData_PerfOS_Memory
index = default
disabled = 0

[WMI:LocalNetwork]
interval = 3600
wql = select Name, BytesReceivedPerSec, BytesSentPerSec, BytesTotalPerSec, CurrentBandwidth from Win32_PerfFormattedData_Tcpip_NetworkInterface
index = default
disabled = 0

[WMI:CPUTime]
interval = 3600
wql = SELECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"
index = default
disabled = 0

vaibhavbeohar
Path Finder

Hi, I have configure all the above configuration in wmi.conf and i am getting data in my indexer except WMI:LocalProcesses , I am not able to get Local process in my indexer.

0 Karma

tympaniplayer
Path Finder

All i needed to do was restart. Thanks!

0 Karma

imrago
Contributor

you could add the following two lines to inputs.conf, change someindexname to something else and restart the UF

[default]
index = someindexname

0 Karma

tympaniplayer
Path Finder

I seem to not be receiving the WMI data though.

0 Karma

tympaniplayer
Path Finder

yeah I put the interval down considerably and yes the connection is in place, it is receiving perfmon data. Thanks for all your help

0 Karma

imrago
Contributor

try to change the interval from 3600 to something smaller, to get the sample more frequently

Is the connection in place between UF and the indexer?

there is a useful app: en-US/app/SplunkDeploymentMonitor/all_forwarders

0 Karma

tympaniplayer
Path Finder

is there anything I need to do to enable this to forward the data?

0 Karma

tympaniplayer
Path Finder

you are the awesome thanks so much!

0 Karma

rajinigv
New Member

hi..
can u just help me out of this.. iam unable to understand that answer.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...