Hi,
I have installed forwarders on Windows servers to fetch Windows logs both "Windows event logs" and "PerfMon". I am receiving a large amount of data from each server, around 6 GB. I have configured wmi.conf & outputs.conf in the deployment server and added clients (Windows server). Though I mentioned below queries in wmi.conf, I am receiving around 6 GB of data, which is breaching my license usage. Would WMI data be 6 GB? How can I resolve this issue? I do not want 6 GB data to be monitored.
[WMI:FreeDiskSpace]
interval= 60
wql = SELECT FreeMegabytes, Name, PercentDiskTime, PercentFreeSpace, DiskBytesPersec, CurrentDiskQueueLength FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk
disabled = 0
index = fmi_prod
[WMI:CPUTime]
interval = 60
wql = SELECT PercentProcessorTime, PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"
disabled = 0
index = fmi_prod
[WMI:LocalMainMemory]
interval = 60
wql = SELECT CommittedBytes, AvailableBytes, AvailableMBytes, PercentCommittedBytesInUse, Caption from Win32_PerfFormattedData_PerfOS_Memory
disabled = 0
index = fmi_prod
Sorted out the issue
Need to edit the state from enabled to disabled at
SERVERNAMEcProgram FilesSplunkUniversalForwarderetcappsSplunk_TA_windowslocalapp.conf
Your app.conf after making above changes should have the below stanza:
[install]
state = disabled
Once done, restart Splunk
Sorted out the issue
Need to edit the state from enabled to disabled at
SERVERNAMEcProgram FilesSplunkUniversalForwarderetcappsSplunk_TA_windowslocalapp.conf
Your app.conf after making above changes should have the below stanza:
[install]
state = disabled
Once done, restart Splunk