wmi.conf
This documentation does not apply to the most recent version of Splunk.
wmi.conf.spec
# Copyright (C) 2005-2009 Splunk Inc. All Rights Reserved. Version 3.0
#
# This file contains possible attribute/value pairs for configuring WMI access from Splunk.
#
# There is a wmi.conf in $SPLUNK_HOME\etc\system\default\. To set custom configurations,
# place a wmi.conf in $SPLUNK_HOME\etc\system\local\. For examples, see
# wmi.conf.example. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation
# located at http://www.splunk.com/base/Documentation/latest/Admin/HowDoConfigurationFilesWork.

#########################################################################################
#----GLOBAL SETTINGS-----
#########################################################################################

[settings]
* The settings stanza specifies various runtime parameters.
* The entire stanza and every parameter within it is optional.
* If the stanza is missing, Splunk assumes system defaults.

initial_backoff = <integer>
* How long to wait (in seconds) before retrying the connection to the WMI provider after the first connection error.
* If connection errors continue, the wait time doubles until it reaches max_backoff.
* Defaults to 5.

max_backoff = <integer>
* Maximum time (in seconds) to attempt reconnect.
* Defaults to 20.

max_retries_at_max_backoff = <integer>
* Try to reconnect this many times once max_backoff is reached.
* If reconnection fails after max_retries, give up forever (until restart).
* Defaults to 2.

result_queue_size = <integer>
* Puts results from WMI provider(s) into a queue, then send to output.
* Defaults to 1000.

checkpoint_sync_interval = <integer>
* Minimum wait time (in seconds) for state data (event log checkpoint) to be written to disk.
* Defaults to 2.

heartbeat_interval = <integer>
* Heartbeat interval (in milliseconds) to test connection to WMI providers.
* Defaults to 500.

proc_name = <string>

#########################################################################################
#----INPUT-SPECIFIC SETTINGS-----
#########################################################################################

[WMI:$NAME]
* There are two types of WMI stanzas:
    * Event log: for pulling event logs. You must set the event_log_file attribute.
    * WQL: for issuing raw WQL requests. You must set the WQL attribute.

server = <comma-separated list>
* A comma-separated list of servers from which to get data.
* Defaults to local machine.

interval = <integer>
* How often to poll for new data.
* Not optional.
* No default.

disabled = 0 | 1
* 1 to disable, 0 to enable.
* No default.

* Event log-specific attributes:

event_log_file = <Application, System, etc>
* Use this instead of WQL to specify sources.
* Specify a comma-separated list of log files to poll.
* No default.

* WQL-specific attributes:

wql = <string>
* Use this if you're not using event_log_file.
* Specify wql to extract data from WMI provider.
* For example, SELECT PercentDiskTime, AvgDiskQueueLength FROM Win32_PerfFormattedData_PerfDisk_PhysicalDisk

namespace = <string>
* Location of WMI providers.
* The namespace where the WMI provider resides.
* Direct WQL queries.
* Defaults to root\.
wmi.conf.example
# Copyright (C) 2005-2009 Splunk Inc. All Rights Reserved. Version 3.0
#
# This is an example wmi.conf. These settings are used to control inputs from WMI providers.
# Refer to wmi.conf.spec and the documentation at splunk.com for more information about this file.
#
# To use one or more of these configurations, copy the configuration block into wmi.conf
# in $SPLUNK_HOME\etc\system\local\. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation
# located at http://www.splunk.com/base/Documentation/latest/Admin/HowDoConfigurationFilesWork.

[settings]
initial_backoff = 5
max_backoff = 20
max_retries_at_max_backoff = 2
result_queue_size = 1000
checkpoint_sync_interval = 2
heartbeat_interval = 500

# Pull event logs from the local system

[WMI:LocalApplication]
interval = 10
event_log_file = Application
disabled = 1

[WMI:LocalSystem]
interval = 10
event_log_file = System
disabled = 1

[WMI:LocalSecurity]
interval = 10
event_log_file = Security
disabled = 1

# Gather performance data from the local system

[WMI:CPUTime]
interval = 5
wql = SELECT PercentProcessorTime FROM Win32_PerfFormattedData_PerfOS_Processor
disabled = 1

[WMI:Memory]
interval = 5
wql = SELECT CommittedBytes, AvailableMBytes, PagesPerSec FROM Win32_PerfFormattedData_PerfOS_Memory
disabled = 1

[WMI:LocalDisk]
interval = 5
wql = SELECT PercentDiskTime, AvgDiskQueueLength FROM Win32_PerfFormattedData_PerfDisk_PhysicalDisk
disabled = 1

[WMI:FreeDiskSpace]
interval = 5
wql = SELECT FreeMegabytes FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk
disabled = 1
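An added example (not part of Splunk's documentation or code) that checks a wmi.conf against the rules stated in wmi.conf.spec and computes the reconnect waits after which a WMI input gives up until restart. The function names, the [WMI:Broken] sample stanza and the reading of the backoff sequence are assumptions made for this example.

```python
import configparser

# [settings] defaults as stated in the spec above.
DEFAULTS = {"initial_backoff": 5, "max_backoff": 20, "max_retries_at_max_backoff": 2}

def parse(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp

def backoff_schedule(cp):
    # Assumed reading: waits double below max_backoff, then N waits at max_backoff.
    s = dict(DEFAULTS)
    if cp.has_section("settings"):
        s.update({k: int(v) for k, v in cp["settings"].items() if k in DEFAULTS})
    waits, wait = [], s["initial_backoff"]
    while 0 < wait < s["max_backoff"]:
        waits.append(wait)
        wait *= 2
    return waits + [s["max_backoff"]] * s["max_retries_at_max_backoff"]

def lint_inputs(cp):
    report = {}
    for name in cp.sections():
        if not name.startswith("WMI:"):
            continue
        st, problems = cp[name], []
        if not st.get("interval", "").strip().isdigit():
            problems.append("interval missing or not an integer")
        if ("event_log_file" in st) == ("wql" in st):
            problems.append("set exactly one of event_log_file or wql")
        if st.get("disabled", "").strip() == "1":
            problems.append("disabled = 1, nothing is collected")
        report[name] = problems
    return report

# Constructed sample, not a file shipped with Splunk.
SAMPLE = """
[WMI:LocalSecurity]
interval = 10
event_log_file = Security
disabled = 1

[WMI:Broken]
wql = SELECT FreeMegabytes FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk
"""

if __name__ == "__main__":
    print(backoff_schedule(parse(SAMPLE)), lint_inputs(parse(SAMPLE)))
```

Under the assumed reading, the default settings give waits of 5, 10, 20 and 20 seconds, so a WMI outage of about a minute ends collection until Splunk is restarted. For an input such as the Security event log, that silent stop is worth monitoring for.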
This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14