WMI source/sourcetype problem

msallman
Explorer

We are having a problem getting the Windows app to display wmi data. It seems that the wmi data we are getting is being indexed with source=script & sourcetype=exec, so none of the Windows app dashboards/views for wmi work.

We seem to have the correct stanzas for wmi in props.conf and transforms.conf, but no luck...

Any ideas?

Thanks, Mike


oreoshake
Communicator

Try running C:\Program Files\Splunk>bin\splunk.exe cmd btool --debug wmi list

That will show if any configs are clobbering other settings

oreoshake
Communicator

Hmm, maybe you have a transform changing the sourcetype. I'd run the same command but replace wmi with props and search for those values. Or check the props.conf on your indexer?


msallman
Explorer

That sure came out looking ugly! 😛


msallman
Explorer

oreoshake, thanks. That's good to know. I'll have to read up on that feature. Below is a (very) brief snip of what it output. Everything showed "windows" in the first column, so I assume there are no problems there.

C:>splunk cmd btool --debug wmi list
windows [WMI:FreeDiskSpace]
windows disabled = 0
windows interval = 300
windows server = localhost
windows wql = SELECT FreeMegabytes, Name, PercentDiskTime, PercentFreeSpace, DiskBytesPersec, CurrentDiskQueueLength FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk


Voltaire
Communicator

Does the Windows forwarder use an admin account to start the Splunk* services? Have you tried running WBEMTEST on the LWF?

Follow these steps to test the configuration of the Splunk server and the remote machine:

1. Log into the machine Splunk runs on with the same account you start the splunkd and splunkweb services with, or as the user Splunk runs as.
2. Click Start -> Run and type wbemtest. The wbemtest application starts.
3. Click Connect and type \\<servername>\root\cimv2, replacing <servername> with the name of the remote server. Click Connect. If you are unable to connect, there is a problem with the authentication between the machines.
4. If you are able to connect, click Query and type select * from win32_service. Click Apply. After a short wait, you should see a list of running services. If this does not work, then the authentication works, but the user Splunk is running as does not have enough privileges to run that operation.

Do you see any output in your splunkd.log to isolate the problem(s)?

Good Luck

V

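The two-stage wbemtest check in the reply above (first connect to the remote root\cimv2 namespace, then run select * from win32_service) can be scripted so it is run under the exact account the Splunk services use. The PowerShell below is an added example written for this thread, not code from the original post or from Splunk; the server name SERVER01 is an assumed placeholder. It first reports which account the Splunk* services start under (the "admin account" question in the reply), then forces the CIM session over DCOM so it takes the same path wbemtest and the Splunk WMI input use, rather than WinRM.

```powershell
# Added example, not from the original thread. Run this on the forwarder host,
# launched as the account that starts splunkd (e.g. "runas /user:DOMAIN\svc_splunk powershell").
param(
    [string]$RemoteHost = 'SERVER01'   # assumed placeholder; use the real remote server name
)

$me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Running this test as: $me"

# Which account do the Splunk* services actually start under? (Answers the
# "admin account" question in the reply above.)
Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE 'Splunk%'" |
    Select-Object Name, StartName, State |
    Format-Table -AutoSize

# Stage 1 (wbemtest "Connect"): can we reach \\$RemoteHost\root\cimv2 at all?
# Use DCOM explicitly; New-CimSession defaults to WSMan, which is not what
# wbemtest or the Splunk WMI input use, so a WSMan success would prove nothing.
$dcom = New-CimSessionOption -Protocol Dcom
try {
    $session = New-CimSession -ComputerName $RemoteHost -SessionOption $dcom -ErrorAction Stop
    Write-Host "Stage 1 OK: connected to \\$RemoteHost\root\cimv2 over DCOM"
} catch {
    # Typical causes: RPC/DCOM blocked by a firewall, or this account is not
    # trusted on the remote machine (the "authentication between the machines" case).
    Write-Warning "Stage 1 FAILED: cannot connect to \\$RemoteHost\root\cimv2 -> $($_.Exception.Message)"
    exit 1
}

# Stage 2 (wbemtest "Query"): can this account run the same query wbemtest uses?
# Connecting but failing here means the account lacks WMI namespace rights on
# the remote box (Enable Account / Remote Enable on root\cimv2, wmimgmt.msc).
try {
    $services = Get-CimInstance -CimSession $session -Namespace 'root\cimv2' `
                    -Query 'select * from win32_service' -ErrorAction Stop
    $sample = ($services | Select-Object -First 3 -ExpandProperty Name) -join ', '
    Write-Host ("Stage 2 OK: {0} services returned (e.g. {1})" -f $services.Count, $sample)
} catch {
    Write-Warning "Stage 2 FAILED: connected, but the query was refused -> $($_.Exception.Message)"
    exit 2
} finally {
    Remove-CimSession -CimSession $session
}
```

If Stage 1 passes when run interactively but fails when run as the service account, the problem is the account rather than the network: check that it is permitted on the remote host (and not subject to UAC token filtering for a local, non-built-in administrator). If both stages pass under the service account, WMI access is not the cause and, as the original poster notes, the remaining issue is how the events are being typed at index time.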

msallman
Explorer

Voltaire, thanks for the suggestion, but the wmi data seems to be getting into Splunk just fine (other than being indexed "wrong").


Lowell
Super Champion

Hmm.. Think we need more info here. Which version of splunk are you running? Do you have the windows app installed and have you done the setup for the windows app?
