Why is "WinHostMon://Application" input no longer working in 6.3?

ostendrh
Engager

When the "WinHostMon://Application" input is used in Splunk Enterprise 6.3 it appears to be ignored by the forwarder and no data is collected.

1 Solution

rostendorf_splu
Splunk Employee

"WinHostMon://Application" input was deprecated in 6.3.

The Windows host monitor input has been modified to no longer monitor the state of installed applications.

Due to a bug in the system call that Splunk Enterprise uses to monitor application state, the Windows Installer service attempts to reconfigure all installed applications. In some cases this also appeared to cause performance issues.

When you upgrade, any Windows host monitoring input stanzas that reference the "Application" attribute will no longer function.

To get application state data, use the Windows Event Log monitor and search for Event ID Nos. 11707 (for installation) or 11724 (for uninstallation/removal).

It may also be possible to use a PowerShell scripted input (Get-WmiObject -Class Win32_Product | Format-List -Property Name,InstallDate,InstallLocation,PackageCache,Vendor,Version,IdentifyingNumber) or WMIC (wmic product get name,version,installdate).

This issue was reported in the following link:
The Windows Host Monitoring input no longer monitors application state

diegodora
New Member

Hi, I have the same problem.
How did you resolve it?
Thanks a lot!

0 Karma

bwouters
Path Finder

@rostendorf, the link doesn't seem to work anymore? Can you edit it to the correct location?

0 Karma

rvany
Communicator

To find these things just have a look in the docs for the version mentioned (v6.3) and go to "Release Notes - Deprecated Features". At the bottom you find the following link

There's additional info for NOT using Get-WmiObject -class Win32_Product (https://support.microsoft.com/en-gb/help/974524/event-log-message-indicates-that-the-windows-install...) as it does the same as WinHostMon://Application did: reconfiguring applications.

0 Karma
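
The accepted solution points to Event IDs 11707 and 11724, and the last comment warns against querying Win32_Product. The following scripted-input sketch is an added example, not code from the thread or from Splunk: it reads only the Application event log and emits one key=value line per install or removal event. The `MsiInstaller` provider filter, the 24-hour window, the `APPSTATE_SAMPLE` switch, the message layout, and the sample product and host names are assumptions made for illustration.

```powershell
# Added example (not from the original thread). Emits one key=value line per
# MSI install (11707) or removal (11724) event for use as a scripted input.
# It reads the Application event log and never queries Win32_Product.

$ActionById = @{ 11707 = 'installed'; 11724 = 'removed' }

function ConvertTo-AppStateLine {
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $action = $ActionById[[int]$Record.Id]
        if (-not $action) { return }   # ignore any other event ID

        # Assumed message layout: "Product: <name> -- <result text>"
        $product = 'unknown'
        if ($Record.Message -match '^Product:\s*(?<name>.+?)\s+--\s') {
            # Replace double quotes so the quoted field stays parseable
            $product = $Matches['name'] -replace '"', "'"
        }

        $fields = $Record.TimeCreated.ToUniversalTime(), $Record.Id,
                  $action, $product, $Record.MachineName
        '{0:o} event_id={1} action={2} product="{3}" host={4}' -f $fields
    }
}

# Constructed sample records (hypothetical product and host names).
$sample = @(
    [pscustomobject]@{
        Id = 11707; TimeCreated = [datetime]'2024-03-01T09:15:00Z'
        MachineName = 'WS-EXAMPLE-01'
        Message = 'Product: Example Agent -- Installation completed successfully.'
    }
    [pscustomobject]@{
        Id = 11724; TimeCreated = [datetime]'2024-03-02T17:40:00Z'
        MachineName = 'WS-EXAMPLE-01'
        Message = 'Product: Example Agent -- Removal completed successfully.'
    }
)

if ($env:APPSTATE_SAMPLE) {
    # Offline run against the constructed records above
    $sample | ConvertTo-AppStateLine
} else {
    # Live run: last 24 hours of MsiInstaller install/removal events
    $filter = @{ LogName = 'Application'; ProviderName = 'MsiInstaller'
                 Id = 11707, 11724; StartTime = (Get-Date).AddHours(-24) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ConvertTo-AppStateLine
}
```

Events that do not match the assumed message layout are still emitted, with `product="unknown"`, so an unexpected format shows up in the data instead of being dropped.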