Getting Data In

prevent duplicate events from WMI queries?

briguy
Engager

Hi All - I'm using the WMI input to gather some custom WMI data. Some of the queries (such as below) result in duplicate events being indexed since the same events are returned each time the query is run. The fix seems to be adding a where clause based on the current date, but I don't know of a way to do this. Starting to feel like I'm going to have to write something custom. Any ideas?

On a related note - is anyone using WMI permanent event subscription to gather WMI data, rather than using polling? Seems like it might be a better way to go.

[WMI:DotNetErrors]
disabled = 0
interval = 5
server = localhost
wql = Select * from Win32_NTLogEvent WHERE logfile='Application' and Type='error' and SourceName like '%.NET%'

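As an added illustration of the polling problem described in the question (not code from this thread or from Splunk), the following assumes a standalone polling script: it bounds the post's WQL query with a TimeGenerated lower bound in CIM datetime format and checkpoints on RecordNumber so re-returned events are not forwarded twice.

```python
from datetime import datetime, timezone

# The query from the post, without a time bound: every poll returns every
# matching event still in the log, so the same events get indexed again.
BASE_WQL = ("Select * from Win32_NTLogEvent WHERE logfile='Application' "
            "and Type='error' and SourceName like '%.NET%'")


def cim_datetime(dt: datetime) -> str:
    """Format a datetime as CIM_DATETIME (yyyymmddHHMMSS.ffffff+UUU),
    the form WMI expects when comparing against TimeGenerated."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y%m%d%H%M%S.%f") + "+000"


def wql_since(since: datetime) -> str:
    """Add a lower bound on TimeGenerated so a poll only asks for
    events written since the previous checkpoint."""
    return f"{BASE_WQL} and TimeGenerated >= '{cim_datetime(since)}'"


def take_new(events, seen):
    """Second line of defence: drop any event whose (Logfile, RecordNumber)
    pair was already forwarded. RecordNumber is unique within a log and only
    grows, so this also catches events stamped exactly at the checkpoint."""
    fresh = []
    for ev in events:
        key = (ev["Logfile"], ev["RecordNumber"])
        if key not in seen:
            seen.add(key)
            fresh.append(ev)
    return fresh


# Constructed sample: two polls; the log gained one event in between, but
# an unbounded query hands back the three old events again on poll two.
POLL_1 = [
    {"Logfile": "Application", "RecordNumber": 1001, "SourceName": ".NET Runtime"},
    {"Logfile": "Application", "RecordNumber": 1002, "SourceName": ".NET Runtime"},
    {"Logfile": "Application", "RecordNumber": 1003, "SourceName": "ASP.NET 4.0"},
]
POLL_2 = POLL_1 + [
    {"Logfile": "Application", "RecordNumber": 1004, "SourceName": ".NET Runtime"},
]


def simulate_polls(polls):
    """Return how many events each poll would actually forward after dedup."""
    seen = set()
    return [len(take_new(p, seen)) for p in polls]


if __name__ == "__main__":
    print(wql_since(datetime.now(timezone.utc)))
    print(simulate_polls([POLL_1, POLL_2]))  # [3, 1]
```

In a real poller the checkpoint (last TimeGenerated and highest RecordNumber) would be persisted to disk between runs rather than kept in an in-memory set.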
1 Solution

briguy
Engager

Hi gkanapathy, thanks for your answer.

On further search I found this Answer, which looks like the solution: http://answers.splunk.com/questions/577/how-do-you-filter-windows-event-log


gkanapathy
Splunk Employee

You should not use WMI to query for the eventlog like this.

You're better off just using the Splunk WMI Windows Event Log input, and leave "pure" WMI for collecting statistics. It doesn't let you filter by Type or Sourcename. You will have to do that in Splunk instead.

By far the best way to collect the WinEventLog data is to use the Splunk local WinEventLog input, not the WMI one, but the forwarder agent needs to run on the box where the log is written for that to work.
