Splunk was collecting event before but suddenly it stopped collecting events. I have restarted Splunk several times. I see the following message being logged in splunkd.log:
11-02-2010 15:53:02.028 ERROR ExecProcessor - message from ""C:\Program Files\Splunk\bin\splunk-wmi.exe"" WMI - Unable to read from the WMI checkpoint storage: Error executing: select value from keyvaluepairs_t where primarykey=?1; Msg=unable to open database file
Splunk stores the information regarding what it is monitoring in the wmi_checkpoint file that is stored in %SPLUNK_HOME%\var\lib\splunk\persistentstorage. The error is encountered when wmi_checkpoint is corrupted or inaccessible. Check the following:
if you have virus scan enabled, stop it "completely" and see if this resolves the issue.
Check if you have any permission issue. Make sure the account starting Splunk services has a full control to %SPLUNK_HOME% directory.
If it is corrupted, once you move wmi_checkpoint from %SPLUNK_HOME%\var\lib\splunk\persistentstorage Splunk will reindex. Please note that this can cause Splunk to reindex Windows Event Log pulled via wmi.
If none of the above is identified as a problem, then contact Support by submitting diag and %SPLUNK_HOME%\var\lib\splunk\persistentstorage.