We are having a problem getting the Windows app to display wmi data. It seems that the wmi data we are getting is being indexed with source=script & sourcetype=exec, so none of the Windows app dashboards/views for wmi work.
We seem to have the correct stanzas for wmi in props.conf and transforms.conf, but no luck...
Any ideas?
Thanks, Mike
Try running C:\Program Files\Splunk>bin\splunk.exe cmd btool --debug wmi list
That will show if any configs are clobbering other settings
Hmm, maybe you have a transform changing the sourcetype. I'd run the same command but replace wmi with props and search for those values. Or check the props.conf on your indexer?
That sure came out looking ugly! 😛
oreoshake, thanks. That's good to know. I'll have to read up on that feature. Below is a (very) brief snip of what it output. Everything showed "windows" in the first column, so I assume there are no problems there.
C:>splunk cmd btool --debug wmi list
windows [WMI:FreeDiskSpace]
windows disabled = 0
windows interval = 300
windows server = localhost
windows wql = SELECT FreeMegabytes, Name, PercentDiskTime, PercentFreeSpace, DiskBytesPersec, CurrentDiskQueueLength FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk
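An added example, not part of the thread: a small parser that groups `btool --debug` output by stanza and reports any stanza whose settings come from more than one source, which is how an override would show up. It assumes the two-column layout quoted above; the `local_overrides` source and the `[WMI:Service]` stanza in the sample are constructed.

```python
# Constructed sample in the two-column layout quoted above. The
# "local_overrides" source and the [WMI:Service] stanza are invented.
SAMPLE = """\
windows         [WMI:FreeDiskSpace]
windows         disabled = 0
local_overrides interval = 60
windows         server = localhost
windows         wql = SELECT FreeMegabytes, Name FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk
windows         [WMI:Service]
windows         disabled = 0
"""


def parse_btool_debug(text):
    """Return {stanza: {key: (source, value)}} from `btool --debug` output.

    Assumes the first whitespace-delimited column names the source, as in
    the output quoted in the thread.
    """
    stanzas = {}
    current = None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2:
            continue  # blank line or a line with no second column
        source, rest = parts[0], parts[1].strip()
        if rest.startswith("[") and rest.endswith("]"):
            current = rest[1:-1]
            stanzas.setdefault(current, {})
        elif current is not None and "=" in rest:
            key, _, value = rest.partition("=")
            stanzas[current][key.strip()] = (source, value.strip())
    return stanzas


def mixed_source_stanzas(stanzas):
    """Return stanzas whose settings come from more than one source."""
    report = {}
    for name, settings in stanzas.items():
        sources = {src for src, _ in settings.values()}
        if len(sources) > 1:
            report[name] = {key: src for key, (src, _) in settings.items()}
    return report


if __name__ == "__main__":
    for stanza, origins in mixed_source_stanzas(parse_btool_debug(SAMPLE)).items():
        print(stanza, origins)
```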
Does the Windows forwarder use an admin account to start the Splunk* services? Have you tried running the WBEMTEST on the LWF?
Follow these steps to test the configuration of the Splunk server and the remote machine:
1. Log into the machine Splunk runs with the same account you start the splunkd and splunkweb services or as the user Splunk runs as.
2. Click Start -> Run and type wbemtest. The wbemtest application starts.
3. Click Connect and type \\root\cimv2, replacing with the name of the remote server. Click Connect. If you are unable to connect, there is a problem with the authentication between the machines.
4. If you are able to connect, click Query and type select * from win32_service. Click Apply. After a short wait, you should see a list of running services. If this does not work, then the authentication works, but the user Splunk is running as does not have enough privileges to run that operation.
Do you see any output in your splunkd.log to isolate the problem(s)?
Good Luck
V
Voltaire, thanks for the suggestion, but the wmi data seems to be getting into Splunk just fine (other than being indexed "wrong").
Hmm.. Think we need more info here. Which version of Splunk are you running? Do you have the Windows app installed and have you done the setup for the Windows app?