I have a WMI input defined on a universal forwarder and I get the following error while starting Splunk, and of course nothing gets indexed from this input.
**Checking prerequisites...
Checking mgmt port [8089]: open
Checking conf files for problems...
Invalid key in stanza [WMI:Patching] in C:\Program Files\SplunkUniversalForwarder\etc\apps\its-440-Splunk_TA_windows_6_4_2\local\inputs.conf, line 292: wql (value: select 'Description'', HotfixID', 'InstalledOn' from 'Win32_QuickFixEngineering').**
I did not find any hints in the documentation. I also tried an example WQL query from the docs and got the same error.
I am trying the following input:
[WMI:Patching]
interval = 10
wql = select Description, HotfixID, InstalledOn from Win32_QuickFixEngineering
disabled = 0
index = testing
The search is working:
C:\Program Files\SplunkUniversalForwarder\bin>splunk-wmi.exe -wql "select Description, HotfixID, InstalledOn from Win32_QuickFixEngineering"
***SPLUNK*** index= source="WMI:unspecified" sourcetype="WMI:unspecified"
---splunk-wmi-end-of-event---
20161101223526.526996
Description=Update
HotFixID=KB3176936
InstalledOn=8/25/2016
wmi_type=unspecified
---splunk-wmi-end-of-event---
The docs for this are here: http://docs.splunk.com/Documentation/Splunk/6.3.5/Admin/Wmiconf
It looks like you are doing it right, except you need those lines in a wmi.conf, not an inputs.conf
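A pre-deployment check for the mistake identified in the answer above, as an added example that is not part of the original thread: it scans the text of an inputs.conf for `[WMI:...]` stanzas, which belong in wmi.conf. The function name and the sample file content are constructed for illustration.

```python
import re

# Matches a .conf stanza header such as [WMI:Patching]
STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")

# Constructed sample: an inputs.conf holding the stanza from the question
SAMPLE_INPUTS_CONF = """\
# constructed sample
[WinEventLog://Security]
disabled = 0

[WMI:Patching]
interval = 10
wql = select Description, HotfixID, InstalledOn from Win32_QuickFixEngineering
disabled = 0
index = testing
"""


def find_misplaced_wmi_stanzas(conf_text, filename="inputs.conf"):
    """Return one finding per [WMI:...] stanza found in inputs.conf text."""
    findings = []
    current = None  # finding for the WMI stanza being read, if any
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        header = STANZA_RE.match(line)
        if header:
            current = None  # a new stanza ends the previous one
            if header.group("name").startswith("WMI:"):
                current = {"file": filename, "stanza": header.group("name"),
                           "line": lineno, "keys": []}
                findings.append(current)
        elif current is not None and "=" in line:
            # Record the keys so they can be moved to wmi.conf together
            current["keys"].append(line.split("=", 1)[0].strip())
    return findings


if __name__ == "__main__":
    for f in find_misplaced_wmi_stanzas(SAMPLE_INPUTS_CONF):
        print(f"{f['file']}:{f['line']}: [{f['stanza']}] belongs in wmi.conf "
              f"(keys: {', '.join(f['keys'])})")
```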
Oops, stupid me, thanks for pointing me towards the solution.
A potential problem can be the space between "Program Files".