Can you help me with my Windows Management Instrumentation (WMI) entry?

jip31
Motivator

Hi,

I have created a WMI entry in wmi.conf:

wql = SELECT Model FROM Win32_ComputerSystem

When I execute it with WMI Explorer, I get results.

But I get no results in my Splunk query, even if I play with the time token.

What is the problem, please?

0 Karma
1 Solution

JDukeSplunk
Builder

I use this as my wmi.conf, and the last line for systeminfo works like a charm.

# WMI FOR appdev INDEX
#replace the index = line with the correct index 
#place this file in C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local

[settings]
initial_backoff = 5
max_backoff = 20
max_retries_at_max_backoff = 0
checkpoint_sync_interval = 2

## Processes
[WMI:LocalProcesses]
interval = 120
wql = Select IDProcess,PrivateBytes,Name,PercentProcessorTime,TimeStamp_Sys100NS from Win32_PerfRawData_PerfProc_Process
index = wmi
disabled = 0


## Scheduled Jobs

## Use the Win32_ScheduledJob class. Note that this class can only return jobs that are created using either a script or AT.exe.
## It cannot return information about jobs that are either created by or modified by the Scheduled Task wizard.
[WMI:ScheduledJobs]
disabled = 0
## Run once per day
interval = 86400
wql = SELECT Caption, Command, Description, InstallDate, InteractWithDesktop, JobId, JobStatus, Name, Notify, Priority, RunRepeatedly, Status FROM Win32_ScheduledJob
index = wmi

## Services

## http://msdn.microsoft.com/en-us/library/aa394418(VS.85).aspx
## Lists all services registered on the system, whether they are running, and their status
[WMI:Service]
disabled = 0
## Run once an hour
interval = 3600
wql = SELECT Name, Caption, State, Status, StartMode, StartName, PathName, Description FROM Win32_Service
index = wmi


## Update
[WMI:InstalledUpdates]
disabled = 0
## Run once per day
interval = 86400
wql = SELECT Description, FixComments, HotFixID, InstalledBy, InstalledOn, ServicePackInEffect FROM Win32_QuickFixEngineering
index = wmi


## Uptime
[WMI:Uptime]
disabled = 0
## Run once an hour
interval = 3600
wql = SELECT SystemUpTime FROM Win32_PerfFormattedData_PerfOS_System
index = wmi

## index = wmi


## Version
[WMI:Version]
disabled = 0
## Run once per day
interval = 86400
wql = SELECT Caption, ServicePackMajorVersion, ServicePackMinorVersion, Version FROM Win32_OperatingSystem
index = wmi

## Model
[WMI:SystemInfo]
disabled = 0
## Run once per day
interval = 86400
wql = SELECT Model, Manufacturer, SystemType FROM Win32_ComputerSystem
index = wmi


9/28/18

2:43:16.791 PM

20180928144316.791677
Manufacturer=LENOVO
Model=7033A1U
SystemType=x64-based PC
wmi_type=SystemInfo

host = DATLTS11954 index = wmi source = WMI:SystemInfo sourcetype = WMI:SystemInfo

0 Karma
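A quick way to rule out the usual reasons a WMI input that works in WMI Explorer returns nothing in Splunk is to check the stanza itself before chasing the search. The script below is an added example, not code from the original thread or from Splunk. It parses a wmi.conf with Python's configparser and flags, for each [WMI:...] stanza, a missing `wql` or `interval` key, a non-numeric interval, `disabled = 1`, and a missing `index`. The rules are assumptions drawn from the wmi.conf spec (`interval` is required for WQL stanzas, and events with no `index` land in the default index rather than `index=wmi`); confirm them against the spec for your Splunk version. The sample configuration embedded in the script is constructed for the example, with one stanza modelled on the accepted answer and two that show the common omissions.

```python
"""Sanity-check the [WMI:*] stanzas of a Splunk wmi.conf.

Added example, not part of the original answer. The checks assume (per the
wmi.conf spec) that every WQL stanza needs `wql` and `interval`, that
`disabled = 1` silently turns the input off, and that a stanza with no
`index` sends events to the default index, not to index=wmi.
"""
import configparser

# Keys every [WMI:...] WQL stanza must carry (assumption based on the spec).
REQUIRED_KEYS = ("wql", "interval")

# Constructed sample: one complete stanza plus the two most common mistakes.
SAMPLE_CONF = """\
# comment before the first stanza, as in the posted wmi.conf
[settings]
initial_backoff = 5

## Model
[WMI:SystemInfo]
disabled = 0
## Run once per day
interval = 86400
wql = SELECT Model, Manufacturer, SystemType FROM Win32_ComputerSystem
index = wmi

## Minimal stanza: no interval, no index
[WMI:Model]
wql = SELECT Model FROM Win32_ComputerSystem

## Complete but switched off
[WMI:Off]
disabled = 1
interval = 3600
wql = SELECT Model FROM Win32_ComputerSystem
index = wmi
"""


def load_conf(text):
    """Parse wmi.conf text; '#' and '##' lines are comments, no interpolation."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key names exactly as written
    parser.read_string(text)
    return parser


def check_wmi_stanzas(text):
    """Return {stanza_name: [problem, ...]} for every [WMI:...] stanza.

    An empty list means the stanza passed all checks.
    """
    parser = load_conf(text)
    report = {}
    for section in parser.sections():
        if not section.startswith("WMI:"):
            continue  # [settings] and other stanzas are not WQL inputs
        stanza = parser[section]
        problems = []

        for key in REQUIRED_KEYS:
            if key not in stanza:
                problems.append(f"missing required key '{key}'")

        interval = stanza.get("interval")
        if interval is not None and not (interval.strip().isdigit()
                                         and int(interval) > 0):
            problems.append(f"interval must be a positive integer, got {interval!r}")

        if stanza.get("disabled", "0").strip().lower() in ("1", "true"):
            problems.append("input is disabled (disabled = 1)")

        if "index" not in stanza:
            problems.append("no index set; events go to the default index, "
                            "not index=wmi")

        wql = stanza.get("wql", "")
        if wql and " from " not in f" {wql.lower()} ":
            problems.append("wql has no FROM clause")

        report[section] = problems
    return report


if __name__ == "__main__":
    for name, problems in check_wmi_stanzas(SAMPLE_CONF).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"[{name}] {status}")
```

Run it against the real file with `check_wmi_stanzas(open(path).read())`; a stanza that reports no problems but still yields no events is then a question of the forwarder's WMI permissions or of searching the wrong index, not of the stanza's shape.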
