So I have been doing some scripted input for WMI data and have discovered that Splunk has this functionality already built in (so I don't need to use scripts to access WMI data).
However, I assumed that the "interval" parameter would accept cron time as this is how it functions across other conf files.
It appears that isn't the case as my cron for taking data at 6,11 and 16:00 hours was interpreted as every second (The cron statement was = 0 6,11,16 * * *). The statement was a copy and paste from inputs.conf where I had the input scripted.
Is this a bug / oversight or is WMI.Conf deliberately designed to not use cron functionality?
I have been using the above on SplunkUniversalForwarders on remote machines to collect and forward the WMI data.
Oh wow, I'd completely forgotten about this question! Yeah the cron statement will still function if you drop off values. WMI.conf just doesn't support it atm, I think this ended up as an ER somewhere 🙂 Thanks though!