I am being told that was the default. I am seeing over 2 billion WMI records; most (1.6 B) are from WMI:LocalProcesses, and they look like a record for every process running on every Windows server every second. Seems like a ridiculous load on each server plus the overworked Splunk Linux server. (No WMI polling is set up on the Indexer.)
WMI:LocalProcesses | 1,642,530,389
WMI:LocalNetwork | 171,412,864
WMI:FreeDiskSpace | 164,186,039
WMI:LocalPhysicalDisk | 44,962,006
WMI:Memory | 43,502,032
WMI:CPUTime | 43,461,901
I would like to change the WMI queries to once every 10 minutes, not every second, and not affect the event logging.
Which "interval" line is the correct one to fix this?
Thanks, Bill