Getting Data In

Windows Universal Forwarder and WMI data

phoenixdigital
Builder

Hi All,

I have installed the windows universal forwarder onto an XP machine which is forwarding its data across to a Windows 7 machine running Splunk with the 'Windows' app installed.

It appears that the Windows application relies on a lot of WMI data however the Universal Forwarder does not appear to pass this data through.

Does anyone know a way to achieve this?

I have looked into getting the primary Splunk instance on Windows 7 to collect WMI remotely but that will only work if I have a Windows domain setup which I don't.

Any other ideas?

I would like to investigate the possibilities of windows splunking for a client and more information would be great.

1 Solution

gekoner
Communicator

PHXDigital,

I assume that the Windows 7 system is your indexer. If that is the case all you need to do is set your UFC to send the data you wish to collect. If you give an example of what data you want to collect I can send you an example.
If you haven't read this... it might provide you with the direction you are looking for.
http://www.splunk.com/base/Documentation/4.2.2/Data/MonitorWMIdata

If you are using the Windows 7 system to "relay" your data to another system that is your Splunk indexer, then you need to follow step #8 in this document.
http://www.splunk.com/base/Documentation/latest/Deploy/DeployaWindowsdfmanually


justinfielding
New Member

I don't want to hijack this thread but I'm having a similar issue and thought you may be able to tell me where I'm going wrong.

I have splunk deployed on a debian VM and it seems to be running fine (collects syslog data etc). No problems there.

Now I want to collect info from my windows machines. I installed the universal forwarder on my domain controller using the 'local' context as the remote context failed. This is because on a domain controller there is no such thing as a local account/permission which the 'remote' context install requires. Annoying but collecting data from one server is fine for now - I only have another three windows machines so can install a forwarder on them too.

Splunk is now receiving data from the domain controller but I have two issues:

  1. The data shows up as coming from two different hosts. Performance data shows up coming from 'FRED' whereas event log data shows up from 'fred'.
  2. None of the 'Windows App' reports or searches work because the sources don't match up. For example the performance searches are looking for source="wmi:cpu" but data coming in from the server is tagged with source=Perfmon:CPU Load

It seems data is not being collected in the right way. Where have I gone wrong?


gekoner
Communicator

Justin, I'd suggest you post this as a new question in Splunk Answers. You have two distinct issues, that really don't relate to this thread/answer.



phoenixdigital
Builder

Also, I have searched all other .conf files and none contain the stanza [WMI:CPUTime]; however, it is being indexed, which is very odd.

So copying the wmi.conf from the Windows 7 machine to the XP machine and enabling each stanza got everything working.

Thank you for pointing me in the right direction.


phoenixdigital
Builder

I had previously read that link but must have missed some crucial parts, as I now have some rudimentary indexing occurring on the XP machine with the universal forwarder.

One thing I noticed though is that the indexer Windows 7 machine seems to be indexing WMI data locally; however, all the stanzas in
C:\Program Files\Splunk\etc\apps\windows\default\wmi.conf
are disabled, yet WMI is still being indexed.

i.e.

[WMI:CPUTime]
interval = 3
wql = SELECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"
index = default
disabled = 1

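The fix the thread converges on (the accepted answer's "set your forwarder to send the data you wish to collect", phoenixdigital's "copy wmi.conf to the XP machine and enable each stanza", and the puzzle of a stanza that is disabled in default\ yet still indexed) can be written out as three small configuration files. This is an added example, not configuration posted by anyone in the thread or shipped by Splunk; the indexer address 192.168.1.10, the receiving port 9997, the tcpout group name and the choice of etc\system\local as the target directory are assumptions. With no `server` key in a WMI stanza the forwarder queries its own machine, so it runs under the forwarder's Local System service account and needs neither a domain nor a remote-WMI credential, which is what lets a workgroup XP box feed the Windows app's wmi: sourcetypes.

```ini
# ---------------------------------------------------------------
# File 1 (on the XP universal forwarder):
#   %SPLUNK_HOME%\etc\system\local\wmi.conf
# Same stanza names as the Windows app's default wmi.conf, so the
# app's saved searches (source="wmi:cpu" etc.) match the events.
# local\ takes precedence over any default\ copy of the stanza,
# which is why "disabled = 1" in an app's default\ file does not
# stop collection when a local\ file enables it.
# ---------------------------------------------------------------
[settings]
initial_backoff = 5
max_backoff = 20
max_retries_at_max_backoff = 2
checkpointSync = 2

# Performance counter via WQL. No "server =" key: query the local
# machine only, no DCOM/RPC to other hosts, no stored admin password.
[WMI:CPUTime]
interval = 3
wql = SELECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"
index = default
disabled = 0

# Free disk space, same pattern (stanza name assumed for illustration).
[WMI:FreeDiskSpace]
interval = 10
wql = SELECT FreeMegabytes,PercentFreeSpace FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk
index = default
disabled = 0

# Event-log collection through WMI uses event_log_file instead of wql.
# The Security log is the one a defender actually wants off an XP host.
[WMI:LocalSecurityLog]
interval = 10
event_log_file = Security
index = default
disabled = 0

# ---------------------------------------------------------------
# File 2 (on the XP universal forwarder):
#   %SPLUNK_HOME%\etc\system\local\outputs.conf
# Everything collected above is shipped to the Windows 7 indexer.
# ---------------------------------------------------------------
[tcpout]
defaultGroup = win7_indexer

[tcpout:win7_indexer]
server = 192.168.1.10:9997

# ---------------------------------------------------------------
# File 3 (on the Windows 7 indexer):
#   %SPLUNK_HOME%\etc\system\local\inputs.conf
# Open the receiving port the forwarder sends to. Restrict it at the
# Windows firewall to the forwarder's address; the port is otherwise
# an unauthenticated way to inject events into the index.
# ---------------------------------------------------------------
[splunktcp://9997]
disabled = 0
```

Restart the forwarder service after writing the files. To see which file each effective setting really comes from (and to resolve a "disabled in default\ but still indexing" surprise), run `splunk cmd btool wmi list --debug` from %SPLUNK_HOME%\bin on the machine in question: it prints every merged stanza with the path of the file that supplied each line, so a stray local\ copy shows up immediately.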