WMI.conf and Arrays: How do I instruct Splunk to report the array correctly?

richprescott
Path Finder

I'm pulling various Win32 classes via WMI.conf and am running into an issue when the value is an array. Below is an example of pulling IP-enabled adapters so that we have a record of IP, subnet, DNS, etc. However, the IPAddress is stored in an array IPAddress={192.168.1.1} and when WMI.conf tries to collect the information, it results in the value "unknown variant result type 8200".

How do I instruct Splunk to report the array correctly?


[WMI:NICInfo]
server = localhost
wql = Select * from Win32_NetworkAdapterConfiguration WHERE IPEnabled = True
interval = 86400

1 Solution

dwaddle
SplunkTrust

I would recommend a support case.

Splunk uses the WMI C/C++ APIs to access WMI data. Those APIs return results that get packaged up into an opaque object called a VARIANT. There are different types of VARIANTs for Strings, Integers, Arrays, etc. The application calling WMI must have logic to extract the data it wants out of each type of VARIANT it supports.

The information you provide here (cross-referenced with Google) suggests that a VARIANT of type 8200 is an array. It is possible that the code in Splunk that calls this API does not have the extraction logic for arrays. Such support (as a multi-valued field, perhaps) if it does not exist could be either a defect or an enhancement. Either way, a support case is the right place to start.

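Added example, not part of the thread and not Splunk's own code. It assumes Windows PowerShell 3 or later (for the CIM cmdlets) and that you are willing to collect this class with a scripted input instead of the wmi.conf stanza above. The first function decodes the type code from the error message: 8200 is 0x2008, which is VT_ARRAY (0x2000) combined with VT_BSTR (0x0008), i.e. a SAFEARRAY of strings, consistent with IPAddress being a string array on Win32_NetworkAdapterConfiguration. The second function runs the same query and joins array-valued properties into one delimited string per property, so each adapter becomes a single flat key="value" event that Splunk can index without touching the VARIANT. The property list and the comma delimiter are my choices, not anything the page prescribes.

```powershell
# VARENUM constants from wtypes.h (fixed by the Windows SDK, not assumptions).
$VT_TYPEMASK = 0x0FFF
$VT_ARRAY    = 0x2000

function Get-VariantTypeName {
    # Turn a numeric VARIANT type code (as logged by Splunk) into a readable name.
    param([Parameter(Mandatory)][int]$TypeCode)
    $baseNames = @{ 2 = 'VT_I2'; 3 = 'VT_I4'; 8 = 'VT_BSTR'; 11 = 'VT_BOOL';
                    17 = 'VT_UI1'; 18 = 'VT_UI2'; 19 = 'VT_UI4'; 20 = 'VT_I8' }
    $base = $TypeCode -band $VT_TYPEMASK
    $name = if ($baseNames.ContainsKey($base)) { $baseNames[$base] } else { "VT_$base" }
    # The array bit is a flag OR'd onto the element type, so report both.
    if ($TypeCode -band $VT_ARRAY) { "VT_ARRAY|$name" } else { $name }
}

function Get-FlatNicInfo {
    # Same WQL as the wmi.conf stanza in the question, but arrays are flattened
    # here in PowerShell before Splunk ever sees them. Property list is my choice.
    $props = 'Description', 'MACAddress', 'DHCPEnabled', 'IPAddress', 'IPSubnet',
             'DefaultIPGateway', 'DNSServerSearchOrder'

    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
        ForEach-Object {
            $nic = $_
            $pairs = foreach ($p in $props) {
                $v = $nic.$p
                # Array-valued properties (IPAddress, IPSubnet, DNS servers, gateways)
                # become one comma-separated string; split them back into a
                # multivalue field in Splunk with makemv or a transforms rule.
                if ($v -is [array]) { $v = $v -join ',' }
                '{0}="{1}"' -f $p, $v
            }
            # One event per adapter, ISO-8601 timestamp first so Splunk can parse it.
            '{0} {1}' -f (Get-Date -Format 'o'), ($pairs -join ' ')
        }
}

# Decode the code from the error message and emit the flattened events.
Get-VariantTypeName 8200   # VT_ARRAY|VT_BSTR
Get-FlatNicInfo
```

To use this as a scripted input, save it under an app's bin directory and point an inputs.conf [script://...] stanza at it with the interval you would otherwise have set in wmi.conf (that deployment detail is a general Splunk mechanism, not something the thread confirms for this case). Because the array is joined into a single string, the event parses like any other key="value" line, and the "unknown variant result type 8200" path in the WMI input is never exercised.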

michael_brunett
New Member

What is the outcome of this? I'm having the exact same issue now. Have you found a workaround?


richprescott
Path Finder

Thanks dwaddle.


dominiquevocat
SplunkTrust

So, 5 years later this still doesn't seem to work... any news?


cphair
Builder

I'm also curious about this. Any update?


Eric_Mcknight
Explorer

Reporting in from the future, OVER TEN YEARS LATER.

It still doesn't work.

@dwaddle since, it has been over a decade since support tickets have been put in for this issue, any other resolutions?
