Splunk Search

wmi how to do "where field in"

juniormint
Communicator

My goal is to get information on a list of processes. I think WMI is a decent way to do this, but keep getting a syntax error from the select below. Refactoring to have Name = "app1" or Name = "app2" etc works, but I'd rather understand why the below doesn't work.

[WMI:ProcessMemory]
interval=10
wql = select * from Win32_PerfFormattedData_PerfProc_Process Where Name in ("app1", "app2", "java")

Tags (2)
0 Karma
1 Solution

juniormint
Communicator

Windows Query Language (wql) does not appear to support where field in

View solution in original post

0 Karma

juniormint
Communicator

Windows Query Language (wql) does not appear to support where field in

0 Karma

juniormint
Communicator

yeah...I was just noticing...Windows Query Language (wql) does not appear to support it...grumble

0 Karma

somesoni2
Revered Legend

I believe WMI doesn't have IN clause.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...