I am trying to index Security Data from a remote location using the configuration below, but it nothing is getting indexed:
$SPLUNK_HOME/etc/system/local/wmi.conf
[WMI:testserver1 security log]
disabled = 0
event_log_file = Security
index = testindex2
interval = 5
server =testserver1
[WMI: testserver2 security log]
disabled = 0
event_log_file = Security
index = testindex2
interval = 5
server = testserver2
To make this work, we also enabled the scripted input for WMI. Also remember to set interval = 100 (or other lower value). Default value is very high.
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
interval = 100
Also to check if the data is indexed we used this search below:
index= testindex2
To make this work, we also enabled the scripted input for WMI. Also remember to set interval = 100 (or other lower value). Default value is very high.
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
interval = 100
Also to check if the data is indexed we used this search below:
index= testindex2