I have installed the Windows Universal Forwarder onto an XP machine which is forwarding its data across to a Windows 7 machine running Splunk with the 'Windows' app installed.
It appears that the Windows application relies on a lot of WMI data however the Universal Forwarder does not appear to pass this data through.
Does anyone know a way to achieve this?
I have looked into getting the primary Splunk instance on Windows 7 to collect WMI remotely, but that will only work if I have a Windows domain set up, which I don't.
Any other ideas?
I would like to investigate the possibilities of windows splunking for a client and more information would be great.
I assume that the Windows 7 system is your indexer. If that is the case all you need to do is set your UFC to send the data you wish to collect. If you give an example of what data you want to collect I can send you an example.
If you haven't read this... it might provide you with the direction you are looking for.
If you are using the Windows 7 system to "relay" your data to another system that is your Splunk indexer, then you need to follow step #8 in this document.
I had previously read that link but must have missed some crucial parts, as I now have some rudimentary indexing occurring on the XP machine with the universal forwarder.
One thing I noticed though is that the indexer Windows 7 machine seems to be indexing WMI data locally; however, all the stanzas in
are disabled, yet WMI is still being indexed.
[WMI:CPUTime]
interval = 3
wql = SELECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"
index = default
disabled = 1
Also I have searched all other .conf files and none contain the stanza [WMI:CPUTime]; however, it is being indexed, which is very odd.
So copying the wmi.conf from the Windows 7 machine to the XP machine and enabling each stanza got everything working.
Thank you for pointing me in the right direction.
I don't want to hijack this thread but I'm having a similar issue and thought you may be able to tell me where I'm going wrong.
I have Splunk deployed on a Debian VM and it seems to be running fine (collects syslog data etc.). No problems there.
Now I want to collect info from my Windows machines. I installed the universal forwarder on my domain controller using the 'local' context, as the remote context failed. This is because on a domain controller there is no such thing as a local account/permission, which the 'remote' context install requires. Annoying, but collecting data from one server is fine for now; I only have another three Windows machines, so I can install a forwarder on them too.
Splunk is now receiving data from the domain controller but I have two issues:
It seems data is not being collected in the right way. Where have I gone wrong?
Justin, I'd suggest you post this as a new question in Splunk Answers. You have two distinct issues, that really don't relate to this thread/answer.