I have installed the Universal Forwarder (UF) on 4 systems, but one of them is giving me the following errors:
03-02-2012 10:46:33.860 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"" WMI - Error occurred while trying to retrieve results from a WMI query (error="Query was not syntactically valid." HRESULT=80041017) (root\cimv2: select Name, CurrentDiskQueueLength, DiskBytesPerSec, PercentDiskReadTime, PercentDiskWriteTime, PercentDiskTime from Win32_PerfFormattedData_PerfDisk_PhysicalDisk)
03-02-2012 10:46:41.122 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"" WMI - Error occurred while trying to retrieve results from a WMI query (error="Query was not syntactically valid." HRESULT=80041017) (root\cimv2: SELECT Name, FreeMegabytes FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk)
03-02-2012 10:46:48.447 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"" WMI - Error occurred while trying to retrieve results from a WMI query (error="Query was not syntactically valid." HRESULT=80041017) (root\cimv2: select Name, BytesReceivedPerSec, BytesSentPerSec, BytesTotalPerSec, CurrentBandwidth from Win32_PerfFormattedData_Tcpip_NetworkInterface)
03-02-2012 10:46:55.708 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"" WMI - Error occurred while trying to retrieve results from a WMI query (error="Query was not syntactically valid." HRESULT=80041017) (root\cimv2: select Name, IDProcess, PrivateBytes, PercentProcessorTime from Win32_PerfFormattedData_PerfProc_Process)
03-02-2012 10:47:04.070 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"" WMI - Error occurred while trying to retrieve results from a WMI query (error="Query was not syntactically valid." HRESULT=80041017) (root\cimv2: select Name, BytesReceivedPerSec, BytesSentPerSec, BytesTotalPerSec, CurrentBandwidth from Win32_PerfFormattedData_Tcpip_NetworkInterface)
03-02-2012 10:47:11.384 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"" WMI - Error occurred while trying to retrieve results from a WMI query (error="Query was not syntactically valid." HRESULT=80041017) (root\cimv2: select Name, IDProcess, PrivateBytes, PercentProcessorTime from Win32_PerfFormattedData_PerfProc_Process)
03-02-2012 10:47:19.247 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"" WMI - Error occurred while trying to retrieve results from a WMI query (error="Query was not syntactically valid." HRESULT=80041017) (root\cimv2: SELECT Name, FreeMegabytes FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk)
03-02-2012 10:47:27.078 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"" WMI - Error occurred while trying to retrieve results from a WMI query (error="Query was not syntactically valid." HRESULT=80041017) (root\cimv2: select Name, IDProcess, PrivateBytes, PercentProcessorTime from Win32_PerfFormattedData_PerfProc_Process)
03-02-2012 10:47:34.887 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"" WMI - Error occurred while trying to retrieve results from a WMI query (error="Query was not syntactically valid." HRESULT=80041017) (root\cimv2: SELECT Name, FreeMegabytes FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk)
03-02-2012 10:47:42.203 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"" WMI - Error occurred while trying to retrieve results from a WMI query (error="Query was not syntactically valid." HRESULT=80041017) (root\cimv2: select Name, BytesReceivedPerSec, BytesSentPerSec, BytesTotalPerSec, CurrentBandwidth from Win32_PerfFormattedData_Tcpip_NetworkInterface)
03-02-2012 10:47:50.034 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"" WMI - Error occurred while trying to retrieve results from a WMI query (error="Query was not syntactically valid." HRESULT=80041017) (root\cimv2: SELECT Name, FreeMegabytes FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk)
03-02-2012 10:47:57.866 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"" WMI - Error occurred while trying to retrieve results from a WMI query (error="Query was not syntactically valid." HRESULT=80041017) (root\cimv2: select Name, BytesReceivedPerSec, BytesSentPerSec, BytesTotalPerSec, CurrentBandwidth from Win32_PerfFormattedData_Tcpip_NetworkInterface)
03-02-2012 10:48:05.131 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"" WMI - Error occurred while trying to retrieve results from a WMI query (error="Query was not syntactically valid." HRESULT=80041017) (root\cimv2: select Name, IDProcess, PrivateBytes, PercentProcessorTime from Win32_PerfFormattedData_PerfProc_Process)
Three of the systems have identical hardware/software.
inputs.conf
[default]
host = anna-LT
[script://$SPLUNK_HOME\bin\scripts\splunk-perfmon.path]
disabled = 1
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
interval = 1
source = wmi
sourcetype = wmi
wmi.conf
[settings]
initial_backoff = 5
max_backoff = 20
max_retries_at_max_backoff = 0
checkpoint_sync_interval = 2
[WMI:LocalPhysicalDisk]
interval = 10
wql = select Name, CurrentDiskQueueLength, DiskBytesPerSec, PercentDiskReadTime, PercentDiskWriteTime, PercentDiskTime from Win32_PerfFormattedData_PerfDisk_PhysicalDisk
disabled = 0
[WMI:LocalProcesses]
interval = 30
wql = select Name, IDProcess, PrivateBytes, PercentProcessorTime from Win32_PerfFormattedData_PerfProc_Process
disabled = 0
[WMI:Memory]
interval = 5
wql = select PagesPerSec, AvailableMBytes, CommittedBytes, PercentCommittedBytesInUse from Win32_PerfFormattedData_PerfOS_Memory
disabled = 0
[WMI:LocalNetwork]
interval = 10
wql = select Name, BytesReceivedPerSec, BytesSentPerSec, BytesTotalPerSec, CurrentBandwidth from Win32_PerfFormattedData_Tcpip_NetworkInterface
disabled = 0
[WMI:CPUTime]
interval = 3
wql = SELECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"
disabled = 0
[WMI:FreeDiskSpace]
interval = 120
wql = SELECT Name, FreeMegabytes FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk
disabled = 0
Not sure what the problem is. I have uninstalled, restarted, and reinstalled.
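Seems to be a problem with backslashes: in the two runs below, the query works when the double quotes around _Total are escaped with backslashes, and fails when they are not. In the failing run the error output shows the quotes stripped from the query (Name=_Total):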
PS C:\Program Files\SplunkUniversalForwarder\bin> .\splunk cmd splunk-wmi -wql 'SELECT PercentProcessorTime,PercentUserT
ime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name=\"_Total\"' -namespace \\localhost\root\cimv2
***SPLUNK*** index= source="WMI:unspecified" sourcetype="WMI:unspecified"
---splunk-wmi-end-of-event---
20150211091552.843920
PercentProcessorTime=38
PercentUserTime=17
wmi_type=unspecified
---splunk-wmi-end-of-event---
Clean shutdown completed.
PS C:\Program Files\SplunkUniversalForwarder\bin> .\splunk cmd splunk-wmi -wql 'SELECT PercentProcessorTime,PercentUserT
ime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"' -namespace \\localhost\root\cimv2
ERROR WMI - Error occurred while trying to retrieve results from a WMI query (error="Query was not syntactically valid."
HRESULT=80041017) (.: SELECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE N
ame=_Total)
ERROR WMI - Giving up attempt to connect to WMI provider after maximum number of retries at maximum backoff time (.: SEL
ECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name=_Total)
Clean shutdown completed.
Looks like WMI is corrupted 😞. I have tried several recovery options. It looks like I will have to do a restore 😞
Just out of curiosity, can you run WMI queries yourself on the system that isn't working?