Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why am I getting this WMI DCOM error?

maverick
Splunk Employee
Splunk Employee
‎09-09-2011 11:21 AM

Currently, I'm using WMI to pull WinEvents from 17 Windows running on VMs. They are each the exact same and were built off the exact same VM template.

However, I am receiving an Application error WinEvent in my Splunk for 2 out of the 17 hosts that says DCOM is unable to communicate using the configured protocol, it looks like this:



Message=DCOM was unable to communicate with the computer <foo.bar.com> using any of the configured protocols.

Anyone ever see this before and/or know why this could be happening, especially since all the VMs are the same?

BTW, I know about using a Splunk Forwarder instead of WMI, but I just want to know if anyone can confirm this as a bug or some kind of Microsoft limitation or issue, or just a config issue maybe, etc.

Tags (4)
0 Karma
Reply

hexx
Splunk Employee
Splunk Employee
‎09-09-2011 12:47 PM

I'm not sure I see this as an issue related to Splunk. The message appears to only impact some DCOM communication problem between two Windows hosts. I am not aware that Splunk leverages the DCOM service when collecting WMI inputs. Is there any misbehavior actually observed in Splunk?

Reply

hexx
Splunk Employee
Splunk Employee
‎09-12-2011 11:42 AM

I have to say, I remain unconvinced that this is Splunk-related. Innocent until proven guilty 🙂

0 Karma
Reply

offwire
New Member
‎09-12-2011 07:19 AM

Since Maverick posted this question on my behalf, there is no misbehavior actually observed in Splunk. I have added about 15 servers (all Windows 2008 R2, all built from the same VMWARE Server Template) but the Splunk Server (also built from this template) is only throwing this for 2 of the servers, which just of course happen to be my application servers. I am kind of at a loss for why there is a communication problem only between these 2 servers and the Splunk server.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Search APIを使えば調査過程が残せます

   このゲストブログは、JCOM株式会社の情報セキュリティ本部・専任部長である渡辺慎太郎氏によって執筆されました。 Note: This article is published in both Japanese ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...