Getting Data In

Why is a large amount of WMI data being indexed (6 GB) from Windows servers and how do I prevent this?

marellasunil
Communicator

Hi,

I have installed forwarders on Windows servers to fetch Windows logs both "Windows event logs" and "PerfMon". I am receiving a large amount of data from each server, around 6 GB. I have configured wmi.conf & outputs.conf in the deployment server and added clients (Windows server). Though I mentioned below queries in wmi.conf, I am receiving around 6 GB of data, which is breaching my license usage. Would WMI data be 6 GB? How can I resolve this issue? I do not want 6 GB data to be monitored.

[WMI:FreeDiskSpace]
interval= 60
wql = SELECT FreeMegabytes, Name, PercentDiskTime, PercentFreeSpace, DiskBytesPersec, CurrentDiskQueueLength FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk
disabled = 0
index = fmi_prod

[WMI:CPUTime]
interval = 60
wql = SELECT PercentProcessorTime, PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"
disabled = 0
index = fmi_prod

[WMI:LocalMainMemory]
interval = 60
wql = SELECT CommittedBytes, AvailableBytes, AvailableMBytes, PercentCommittedBytesInUse, Caption from Win32_PerfFormattedData_PerfOS_Memory
disabled = 0
index = fmi_prod
0 Karma
1 Solution

marellasunil
Communicator

Sorted out the issue
Need to edit the state from enabled to disabled at
SERVERNAMEcProgram FilesSplunkUniversalForwarderetcappsSplunk_TA_windowslocalapp.conf

Your app.conf after making above changes should have the below stanza:

[install]
state = disabled

Once done, restart Splunk

View solution in original post

marellasunil
Communicator

Sorted out the issue
Need to edit the state from enabled to disabled at
SERVERNAMEcProgram FilesSplunkUniversalForwarderetcappsSplunk_TA_windowslocalapp.conf

Your app.conf after making above changes should have the below stanza:

[install]
state = disabled

Once done, restart Splunk

Get Updates on the Splunk Community!

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

Overwhelmed SOC? Splunk ES Has Your Back Tool sprawl, alert fatigue, and endless context switching are making ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us on ...