I have polled wmi query from windows 2000 to splunk, as there is not PerfFormattedData class. I use PerfRawData, but the cpu data in PerfRawData need some calculations so that it will give same result as PerfFormattedData. Can I modify splunk-wmi.exe or have any other method so the data input to splunk is right.
You can write new WQL queries in wmi.conf:
No you can't. Of course Splunk provides a large number of commands to evaluate and transform data when you view it instead of when you index it.
I know what is wql, my point is the calculation after polling value from wmi and before splunk access. I need the method which allow me to modify the data after generate from splunk-wmi.exe and before index by splunk. As the restricted environment, I can't use external program for the very last minute, so is splunk can provide a way to achieve my goal, for example, may I change some files so the splunk-wmi.exe can do calculation when it queries wql
Thanks