- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Universal forwarder and WMI
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Universal forwarder and WMI
I have a question about how to get a universal forwarder to send the data I would normally recieve from WMI. I am trying to get remote performace monitoring from the universal forwarders. I currently have 3 servers with universal forwarders installed on them and one indexer. After the initial install I can't seem to change any setting with the universal forwarders. Should I add the servers to the event log collection with WMI? And if i were to do that would the data be sent through the Universal Forwarders? All of the servers are Windows based.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can copy the wmi.conf file from the Windows App to UF's etc/system/local, then you'll get more WMI performance events, such as WMI: CPUTime, WMI: Memory, etc.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
one more thing: inputs.conf and wmi.conf will both pull Windows Event logs with two different sourcetypes, you might want to diable one of them to avoid duplicated events. The Windows app dashboard uses input from inputs.conf, so I suggest to disable the inputs from wmi.conf, events with sourcetypes: [WMI:LocalApplication], [WMI:LocalSystem], [WMI:LocalSecurity]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, that worked perfectly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you getting any data at all from the UF to the indexer?
If so are you trying to use deployment server to send configuration for WMI to UF
If you just want to setup WMI on just the three UF systems and they are already sending logs then just setup a WMI.CONF file in the etc/system/local directory the WMI.conf file will tell the UF what to collect.
Use this type of stanza in the WMI.conf file
[WMI:CPUTime]
interval = 5
disabled = 0
server = localhost
wql = SELECT PercentProcessorTime, PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name = "_Total"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sure anything I can do to help.
Post a queston if you have something specifice you need help with.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
would love to get some help with this from you hartfoml if you wouldnt mind.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Send me an email if you need anything else. I have set this exact thing up in my environment and am very familiar. Glad to help if I can.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah I am recieving data from the UF just not everything I'm wanting.
By the end of the year we will be using Splunk to monitor over 300 servers so we are just testing and configuring right now.
I will give that a try.
Thank you,
Splunk Custom Visualizations App End of Life
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
