Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

WMI not working on one system

mcbradford
Contributor
‎03-02-2012 07:54 AM

I have installed the UF on 4 systems, but one is giving me the following error...

03-02-2012 10:46:33.860 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"" WMI - Error occurred while trying to retrieve results from a WMI query (error="Query was not syntactically valid." HRESULT=80041017) (root\cimv2: select Name, CurrentDiskQueueLength, DiskBytesPerSec, PercentDiskReadTime, PercentDiskWriteTime, PercentDiskTime from Win32_PerfFormattedData_PerfDisk_PhysicalDisk)
03-02-2012 10:46:41.122 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"" WMI - Error occurred while trying to retrieve results from a WMI query (error="Query was not syntactically valid." HRESULT=80041017) (root\cimv2: SELECT Name, FreeMegabytes FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk)
03-02-2012 10:46:48.447 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"" WMI - Error occurred while trying to retrieve results from a WMI query (error="Query was not syntactically valid." HRESULT=80041017) (root\cimv2: select Name, BytesReceivedPerSec, BytesSentPerSec, BytesTotalPerSec, CurrentBandwidth from Win32_PerfFormattedData_Tcpip_NetworkInterface)
03-02-2012 10:46:55.708 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"" WMI - Error occurred while trying to retrieve results from a WMI query (error="Query was not syntactically valid." HRESULT=80041017) (root\cimv2: select Name, IDProcess, PrivateBytes, PercentProcessorTime from Win32_PerfFormattedData_PerfProc_Process)
03-02-2012 10:47:04.070 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"" WMI - Error occurred while trying to retrieve results from a WMI query (error="Query was not syntactically valid." HRESULT=80041017) (root\cimv2: select Name, BytesReceivedPerSec, BytesSentPerSec, BytesTotalPerSec, CurrentBandwidth from Win32_PerfFormattedData_Tcpip_NetworkInterface)
03-02-2012 10:47:11.384 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"" WMI - Error occurred while trying to retrieve results from a WMI query (error="Query was not syntactically valid." HRESULT=80041017) (root\cimv2: select Name, IDProcess, PrivateBytes, PercentProcessorTime from Win32_PerfFormattedData_PerfProc_Process)
03-02-2012 10:47:19.247 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"" WMI - Error occurred while trying to retrieve results from a WMI query (error="Query was not syntactically valid." HRESULT=80041017) (root\cimv2: SELECT Name, FreeMegabytes FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk)
03-02-2012 10:47:27.078 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"" WMI - Error occurred while trying to retrieve results from a WMI query (error="Query was not syntactically valid." HRESULT=80041017) (root\cimv2: select Name, IDProcess, PrivateBytes, PercentProcessorTime from Win32_PerfFormattedData_PerfProc_Process)
03-02-2012 10:47:34.887 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"" WMI - Error occurred while trying to retrieve results from a WMI query (error="Query was not syntactically valid." HRESULT=80041017) (root\cimv2: SELECT Name, FreeMegabytes FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk)
03-02-2012 10:47:42.203 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"" WMI - Error occurred while trying to retrieve results from a WMI query (error="Query was not syntactically valid." HRESULT=80041017) (root\cimv2: select Name, BytesReceivedPerSec, BytesSentPerSec, BytesTotalPerSec, CurrentBandwidth from Win32_PerfFormattedData_Tcpip_NetworkInterface)
03-02-2012 10:47:50.034 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"" WMI - Error occurred while trying to retrieve results from a WMI query (error="Query was not syntactically valid." HRESULT=80041017) (root\cimv2: SELECT Name, FreeMegabytes FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk)
03-02-2012 10:47:57.866 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"" WMI - Error occurred while trying to retrieve results from a WMI query (error="Query was not syntactically valid." HRESULT=80041017) (root\cimv2: select Name, BytesReceivedPerSec, BytesSentPerSec, BytesTotalPerSec, CurrentBandwidth from Win32_PerfFormattedData_Tcpip_NetworkInterface)
03-02-2012 10:48:05.131 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"" WMI - Error occurred while trying to retrieve results from a WMI query (error="Query was not syntactically valid." HRESULT=80041017) (root\cimv2: select Name, IDProcess, PrivateBytes, PercentProcessorTime from Win32_PerfFormattedData_PerfProc_Process)

Three of the systems have identical hardware/software.

inoputs.conf

[default]
host = anna-LT

[script://$SPLUNK_HOME\bin\scripts\splunk-perfmon.path]
disabled = 1

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
interval = 1
source = wmi
sourcetype = wmi

wmi.conf

[settings]
initial_backoff = 5
max_backoff = 20
max_retries_at_max_backoff = 0
checkpoint_sync_interval = 2

[WMI:LocalPhysicalDisk]
interval = 10
wql = select Name, CurrentDiskQueueLength, DiskBytesPerSec, PercentDiskReadTime, PercentDiskWriteTime, PercentDiskTime from Win32_PerfFormattedData_PerfDisk_PhysicalDisk
disabled = 0

[WMI:LocalProcesses]
interval = 30
wql = select Name, IDProcess, PrivateBytes, PercentProcessorTime from Win32_PerfFormattedData_PerfProc_Process
disabled = 0

[WMI:Memory]
interval = 5
wql = select PagesPerSec, AvailableMBytes, CommittedBytes, PercentCommittedBytesInUse from Win32_PerfFormattedData_PerfOS_Memory
disabled = 0

[WMI:LocalNetwork]
interval = 10
wql = select Name, BytesReceivedPerSec, BytesSentPerSec, BytesTotalPerSec, CurrentBandwidth from Win32_PerfFormattedData_Tcpip_NetworkInterface
disabled = 0

[WMI:CPUTime]
interval = 3
wql = SELECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"
disabled = 0

[WMI:FreeDiskSpace]
interval = 120
wql = SELECT Name, FreeMegabytes FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk
disabled = 0

Not sure what the problem is? I have uninstalled, restarted, reinstalled????

Tags (1)
0 Karma
Reply

segu
Explorer
‎02-11-2015 12:33 AM

Seems to be a problem with backslashes:

PS C:\Program Files\SplunkUniversalForwarder\bin> .\splunk cmd splunk-wmi -wql 'SELECT PercentProcessorTime,PercentUserT
ime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name=\"_Total\"' -namespace \\localhost\root\cimv2
***SPLUNK*** index= source="WMI:unspecified" sourcetype="WMI:unspecified"

---splunk-wmi-end-of-event---
20150211091552.843920
PercentProcessorTime=38
PercentUserTime=17
wmi_type=unspecified

---splunk-wmi-end-of-event---

Clean shutdown completed.

PS C:\Program Files\SplunkUniversalForwarder\bin> .\splunk cmd splunk-wmi -wql 'SELECT PercentProcessorTime,PercentUserT
ime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"' -namespace \\localhost\root\cimv2
ERROR WMI - Error occurred while trying to retrieve results from a WMI query (error="Query was not syntactically valid."
 HRESULT=80041017) (.: SELECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE N
ame=_Total)
ERROR WMI - Giving up attempt to connect to WMI provider after maximum number of retries at maximum backoff time (.: SEL
ECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name=_Total)

Clean shutdown completed.
0 Karma
Reply

mcbradford
Contributor
‎03-02-2012 11:38 AM

Looks like wmi is corrupted 😞 . I have tried several recovery options. Looks like a restore 😞

0 Karma
Reply

rdevine
Path Finder
‎03-02-2012 08:39 AM

Just out of curiosity can you run wmi queries yourself on the system that isn't working?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...