
I want to configure the universal forwarder to poll WMI data and forward it to my indexer. I understand that I need a wmi.config file for the universal forwarder, however I do not know what to put in it.

I want to be able to poll the following, the same as the Windows app:

  • WMI: Memory
  • WMI: LocalPhysicalDisk
  • WMI: CPU Time
  • WMI: LocalNetwork

Thanks in advance!

asked 06 Feb, 04:11


tympaniplayer
6515
accept rate: 66%


2 Answers:
[WMI:LocalPhysicalDisk]
interval = 3600
wql = select Name, CurrentDiskQueueLength, DiskBytesPerSec, PercentDiskReadTime, PercentDiskWriteTime, PercentDiskTime from Win32_PerfFormattedData_PerfDisk_PhysicalDisk
index = default
disabled = 0

[WMI:LocalProcesses]
interval = 3600
wql = select Name, IDProcess, PrivateBytes, PercentProcessorTime from Win32_PerfFormattedData_PerfProc_Process
index = default
disabled = 0

[WMI:Memory]
interval = 3600
wql = select PagesPerSec, AvailableMBytes, CommittedBytes, PercentCommittedBytesInUse from Win32_PerfFormattedData_PerfOS_Memory
index = default
disabled = 0

[WMI:LocalNetwork]
interval = 3600
wql = select Name, BytesReceivedPerSec, BytesSentPerSec, BytesTotalPerSec, CurrentBandwidth from Win32_PerfFormattedData_Tcpip_NetworkInterface
index = default
disabled = 0

[WMI:CPUTime]
interval = 3600
wql = SELECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"
index = default
disabled = 0

answered 06 Feb, 04:42


imrago
68529
accept rate: 35%

You are the awesome, thanks so much!

(06 Feb, 04:45) tympaniplayer

Is there anything I need to do to enable this to forward the data?

(06 Feb, 04:59) tympaniplayer

Try to change the interval from 3600 to something smaller, to get the sample more frequently.

Is the connection in place between UF and the indexer?

There is a useful app: en-US/app/SplunkDeploymentMonitor/all_forwarders

(06 Feb, 05:27) imrago

Yeah, I put the interval down considerably and yes, the connection is in place, it is receiving perfmon data. Thanks for all your help.

(06 Feb, 05:45) tympaniplayer

I seem to not be receiving the WMI data though.

(06 Feb, 05:54) tympaniplayer

You could add the following two lines to inputs.conf, change someindexname to something else and restart the UF:

[default]
index = someindexname

(06 Feb, 05:54) imrago

All I needed to do was restart. Thanks!

(06 Feb, 12:40) tympaniplayer

Really stupid question, sorry but where does wmi.conf have to be put?


answered 09 Feb, 17:05


chrismor
112
accept rate: 0%

etc/system/local

(10 Feb, 03:51) tympaniplayer

Or in an app, if you deploy your configuration in apps: $SPLUNK_HOME/etc/apps/<myapp>/local/

(10 Apr, 19:44) yannK
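
An added example, not part of the original thread and not Splunk's own tooling: a PowerShell check that runs each wql query from a wmi.conf locally on the forwarder host, so a misspelled class or property name shows up before the forwarder is restarted. The function names, the embedded sample (two stanzas adapted from the answer above), the root\cimv2 namespace and the availability of Get-CimInstance (PowerShell 3.0 or later) are assumptions of this example.

```powershell
# Constructed sample: two stanzas adapted from the answer above.
$conf = @'
[WMI:Memory]
interval = 3600
wql = select PagesPerSec, AvailableMBytes, CommittedBytes, PercentCommittedBytesInUse from Win32_PerfFormattedData_PerfOS_Memory
disabled = 0

[WMI:CPUTime]
interval = 3600
wql = SELECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"
disabled = 0
'@

# Parse .conf text into an ordered table of stanza name -> key/value table.
function Read-WmiConf {
    param([string]$Text)
    $stanzas = [ordered]@{}
    $current = $null
    foreach ($line in $Text -split '\r?\n') {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1]
            $stanzas[$current] = @{}
        } elseif ($current -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            $stanzas[$current][$Matches[1].Trim()] = $Matches[2]
        }
    }
    return $stanzas
}

# Run every WQL stanza once and report row count or the WMI error text.
function Test-WmiConf {
    param([string]$Text)
    $stanzas = Read-WmiConf $Text
    foreach ($name in $stanzas.Keys) {
        $s = $stanzas[$name]
        if ($name -notlike 'WMI:*' -or -not $s.ContainsKey('wql')) { continue }
        $r = [ordered]@{ Stanza = $name; Disabled = $s['disabled']; Interval = $s['interval']; Rows = 0; Error = $null }
        try {
            $r['Rows'] = @(Get-CimInstance -Query $s['wql'] -Namespace 'root\cimv2' -ErrorAction Stop).Count
        } catch {
            $r['Error'] = $_.Exception.Message   # e.g. invalid class or invalid query
        }
        [pscustomobject]$r
    }
}

Test-WmiConf $conf | Format-Table -AutoSize
```

A stanza that reports zero rows or an error here will not produce events either, whatever the interval. To check a deployed file instead of the sample, pass the output of `Get-Content -Raw` on that wmi.conf to `Test-WmiConf`.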
Asked: 06 Feb, 04:11

Seen: 308 times

Last updated: 10 Apr, 19:44

Copyright © 2005-2012 Splunk, Inc. All rights reserved.