Getting Data In

Why is no security data being indexed with my current WMI input?

rbal_splunk
Splunk Employee
Splunk Employee

I am trying to index Security Data from a remote location using the configuration below, but it nothing is getting indexed:

$SPLUNK_HOME/etc/system/local/wmi.conf

[WMI:testserver1 security log]
disabled = 0
event_log_file = Security
index = testindex2
interval = 5
server =testserver1

[WMI: testserver2 security log]
disabled = 0
event_log_file = Security
index = testindex2
interval = 5
server = testserver2
1 Solution

rbal_splunk
Splunk Employee
Splunk Employee

To make this work, we also enabled the scripted input for WMI. Also remember to set interval = 100 (or other lower value). Default value is very high.

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
interval = 100 

Also to check if the data is indexed we used this search below:

index= testindex2     

View solution in original post

rbal_splunk
Splunk Employee
Splunk Employee

To make this work, we also enabled the scripted input for WMI. Also remember to set interval = 100 (or other lower value). Default value is very high.

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
interval = 100 

Also to check if the data is indexed we used this search below:

index= testindex2     

rbal_splunk
Splunk Employee
Splunk Employee
0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...