Hi,
I have created a WMI entry in wmi.conf:
wql = SELECT Model FROM Win32_ComputerSystem
When I execute it with WMI Explorer, I get results.
But I get no results in my Splunk query, even if I play with the time token.
What is the problem, please?
I use this as my wmi.conf, and the last line for systeminfo works like a charm.
# WMI FOR appdev INDEX
#replace the index = line with the correct index
#place this file in C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local
[settings]
initial_backoff = 5
max_backoff = 20
max_retries_at_max_backoff = 0
checkpoint_sync_interval = 2
## Processes
[WMI:LocalProcesses]
interval = 120
wql = Select IDProcess,PrivateBytes,Name,PercentProcessorTime,TimeStamp_Sys100NS from Win32_PerfRawData_PerfProc_Process
index = wmi
disabled = 0
## Scheduled Jobs
## Use the Win32_ScheduledJob class. Note that this class can only return jobs that are created using either a script or AT.exe.
## It cannot return information about jobs that are either created by or modified by the Scheduled Task wizard.
[WMI:ScheduledJobs]
disabled = 0
## Run once per day
interval = 86400
wql = SELECT Caption, Command, Description, InstallDate, InteractWithDesktop, JobId, JobStatus, Name, Notify, Priority, RunRepeatedly, Status FROM Win32_ScheduledJob
index = wmi
## Services
## http://msdn.microsoft.com/en-us/library/aa394418(VS.85).aspx
## Lists all services registered on the system, if they are running, and the status
[WMI:Service]
disabled = 0
## Run once an hour
interval = 3600
wql = SELECT Name, Caption, State, Status, StartMode, StartName, PathName, Description FROM Win32_Service
index = wmi
## Update
[WMI:InstalledUpdates]
disabled = 0
## Run once per day
interval = 86400
wql = SELECT Description, FixComments, HotFixID, InstalledBy, InstalledOn, ServicePackInEffect FROM Win32_QuickFixEngineering
index = wmi
## Uptime
[WMI:Uptime]
disabled = 0
## Run once an hour
interval = 3600
wql = SELECT SystemUpTime FROM Win32_PerfFormattedData_PerfOS_System
index = wmi
## index = wmi
## Version
[WMI:Version]
disabled = 0
## Run once per day
interval = 86400
wql = SELECT Caption, ServicePackMajorVersion, ServicePackMinorVersion, Version FROM Win32_OperatingSystem
index = wmi
## Model
[WMI:SystemInfo]
disabled = 0
## Run once per day
interval = 86400
wql = SELECT Model, Manufacturer, SystemType FROM Win32_ComputerSystem
index = wmi
9/28/18
2:43:16.791 PM
20180928144316.791677
Manufacturer=LENOVO
Model=7033A1U
SystemType=x64-based PC
wmi_type=SystemInfo
host = DATLTS11954 index = wmi source = WMI:SystemInfo sourcetype = WMI:SystemInfo
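An added example, not part of the thread and not Splunk tooling: a small Python check that compares each [WMI:...] stanza of a wmi.conf against the shape of the working stanzas in the answer above (wql, interval, index, not disabled). The function name, the sample file and the WMI:ModelOnly stanza are constructed for illustration.

```python
import configparser
# Baseline: keys every working [WMI:...] stanza in the answer sets (assumption:
# this mirrors the answer's file; it is not Splunk's own validation).
EXPECTED_KEYS = ("wql", "interval", "index")

# Constructed sample (not from the thread). WMI:ModelOnly is hypothetical.
SAMPLE = """\
[settings]
initial_backoff = 5
[WMI:SystemInfo]
disabled = 0
interval = 86400
wql = SELECT Model, Manufacturer, SystemType FROM Win32_ComputerSystem
index = wmi
[WMI:ModelOnly]
wql = SELECT Model FROM Win32_ComputerSystem
[WMI:Uptime]
disabled = 1
interval = 1h
wql = SELECT SystemUpTime FROM Win32_PerfFormattedData_PerfOS_System
index = wmi
"""

def lint_wmi_conf(text):
    """Return {stanza: [findings]} for WMI stanzas that differ from the baseline."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.MissingSectionHeaderError:
        # A bare "wql = ..." line with no [WMI:Name] header above it.
        return {"(file)": ["key found before any [stanza] header"]}
    report = {}
    for stanza in cp.sections():
        if not stanza.startswith("WMI:"):
            continue  # [settings] holds global options; it is not an input
        sec = cp[stanza]
        findings = [f"missing {k}" for k in EXPECTED_KEYS if not sec.get(k, "").strip()]
        interval = sec.get("interval", "").strip()
        if interval and not (interval.isdigit() and int(interval) > 0):
            findings.append(f"interval is not a positive integer: {interval!r}")
        # A missing "disabled" key is not flagged; only an explicit disable is.
        if sec.get("disabled", "0").strip().lower() in ("1", "true"):
            findings.append("disabled is set")
        if findings:
            report[stanza] = findings
    return report

if __name__ == "__main__":
    for stanza, findings in lint_wmi_conf(SAMPLE).items():
        print(f"[{stanza}] " + "; ".join(findings))
```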