On a new Splunk install on a Windows server, I followed the "HOWTO Enable WMI Access for Non-Admin Domain Users" instructions. But when running the suggested test (splunk cmd splunk-wmi -wql "select * from win32_service" -namespace \
However, when the Splunk service account is NOT a domain admin and I run the Splunk Troubleshooting guide's WBEMTEST, it successfully returns WMI results. The only way I can force an error with WBEMTEST is to use "identify" instead of "impersonate" on the Impersonation Level (Error: "Access denied, impersonation level too low").
Why would the Splunk WMI query fail when WBEMTEST succeeds?
Martin, did you ever resolve this issue?
Thanks Michael