Admin Manual

 


wmi.conf

This documentation does not apply to the most recent version of Splunk.

The following are the spec and example files for wmi.conf.

wmi.conf.spec

# Copyright (C) 2005-2010 Splunk Inc.  All Rights Reserved.  Version 4.0 
#
# This file contains possible attribute/value pairs for configuring WMI access from Splunk.  
#
# There is a wmi.conf in $SPLUNK_HOME\etc\system\default\.  To set custom configurations, 
# place a wmi.conf in $SPLUNK_HOME\etc\system\local\. For examples, see 
# wmi.conf.example.  You must restart Splunk to enable configurations.
# 
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/Aboutconfigurationfiles

#########################################################################################
#----GLOBAL SETTINGS-----
#########################################################################################

[settings]
	* The settings stanza specifies various runtime parameters.
	* The entire stanza and every parameter within it is optional. 
	* If the stanza is missing, Splunk assumes system defaults.

initial_backoff = <integer>
	* How long to wait (in seconds) before retrying the connection to the WMI provider after the first connection error.
	* If connection errors continue, the wait time doubles until it reaches max_backoff.
	* Defaults to 5.
	
max_backoff = <integer>
	* Maximum wait time (in seconds) between reconnection attempts.
	* Defaults to 20.
	
max_retries_at_max_backoff = <integer>
	* Try to reconnect this many times once max_backoff is reached.
	* If reconnection still fails after max_retries_at_max_backoff attempts, give up forever (until restart).
	* Defaults to 2.
	
result_queue_size = <integer>
	* Size of the queue that holds results from WMI provider(s) before they are sent to output.
	* Defaults to 1000.
	
checkpoint_sync_interval = <integer>
	* Minimum wait time (in seconds) for state data (event log checkpoint) to be written to disk.
	* Defaults to 2.
	
heartbeat_interval = <integer>
	* Heartbeat interval (in milliseconds) to test connection to WMI providers. 
	* Defaults to 500.

#########################################################################################
#----INPUT-SPECIFIC SETTINGS-----
#########################################################################################

[WMI:$NAME]
	* There are two types of WMI stanzas:
 		* Event log: for pulling event logs. You must set the event_log_file attribute.
 		* WQL: for issuing raw WQL requests. You must set the wql attribute.

server = <comma-separated list>
	* A comma-separated list of servers from which to get data. 
	* Defaults to local machine.

interval = <integer>
	* How often to poll for new data. 
	* Not optional.
	* No default.

disabled = <1/0>
	* 1 to disable, 0 to enable.
	* No default.
 
* Event log-specific attributes:
 
event_log_file = <Application, System, etc>
	* Use this instead of WQL to specify sources.
	* Specify a comma-separated list of log files to poll.
	* No default.

* WQL-specific attributes:

wql = <string>
	* Use this if you're not using event_log_file.
	* Specify wql to extract data from WMI provider.
	* For example, select * from Win32_PerfFormattedData_PerfProc_Process where Name = "splunkd".
	
namespace = <string>
	* Location of WMI providers.
	* The namespace where the WMI provider resides. 
	* Direct WQL queries.
	* Defaults to root\.

wmi.conf.example

# Copyright (C) 2005-2010 Splunk Inc.  All Rights Reserved.  Version 4.0 
#
# This is an example wmi.conf.  These settings are used to control inputs from WMI providers.
# Refer to wmi.conf.spec and the documentation at splunk.com for more information about this file. 
#
# To use one or more of these configurations, copy the configuration block into wmi.conf 
# in $SPLUNK_HOME\etc\system\local\.  You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/Aboutconfigurationfiles

# This stanza specifies runtime parameters. 

[settings]
initial_backoff = 5
max_backoff = 20
max_retries_at_max_backoff = 2
result_queue_size = 1000
checkpoint_sync_interval = 2
heartbeat_interval = 500

# These stanzas pull event logs from the local system.

[WMI:LocalApplication]
interval = 10
event_log_file = Application
disabled = 0

[WMI:LocalSystem]
interval = 10
event_log_file = System
disabled = 0

[WMI:LocalSecurity]
interval = 10
event_log_file = Security
disabled = 0

# These stanzas gather performance data from the local system.

[WMI:LocalPhysicalDisk]
interval = 1
wql = select Name, DiskBytesPerSec, PercentDiskReadTime, PercentDiskWriteTime, PercentDiskTime from Win32_PerfFormattedData_PerfDisk_PhysicalDisk
disabled = 0

[WMI:LocalMainMemory]
interval = 10
wql = select CommittedBytes, AvailableBytes, PercentCommittedBytesInUse, Caption from Win32_PerfFormattedData_PerfOS_Memory
disabled = 0

[WMI:LocalSplunkdProcess]
interval = 1
wql = select * from Win32_PerfFormattedData_PerfProc_Process where Name = "splunkd"
disabled = 0
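
A lint check for the rules wmi.conf.spec states (interval is not optional, each [WMI:...] stanza is either an event log input or a WQL input, disabled is 1 or 0), as an added example that is not part of Splunk's documentation or code. It assumes Python's configparser reads the file closely enough for this purpose, treats setting both event_log_file and wql as an error (this example's reading of the spec), and runs on constructed sample input.

```python
import configparser

# Attribute names taken from wmi.conf.spec on this page.
SETTINGS_KEYS = {"initial_backoff", "max_backoff", "max_retries_at_max_backoff",
                 "result_queue_size", "checkpoint_sync_interval", "heartbeat_interval"}
INPUT_KEYS = {"server", "interval", "disabled", "event_log_file", "wql", "namespace"}

def lint_wmi_conf(text):
    """Return (stanza, problem) tuples for a wmi.conf supplied as a string."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.read_string(text)
    problems = []
    for name in cp.sections():
        opts = dict(cp[name])
        if name == "settings":
            allowed = SETTINGS_KEYS
            problems += [(name, f"{k} must be an integer") for k in sorted(opts)
                         if k in allowed and not opts[k].isdigit()]
        elif name.startswith("WMI:"):
            allowed = INPUT_KEYS
            if not opts.get("interval", "").isdigit():
                problems.append((name, "interval is required and must be an integer"))
            # Assumption: a stanza is an event log input or a WQL input, never both.
            if ("event_log_file" in opts) == ("wql" in opts):
                problems.append((name, "set exactly one of event_log_file or wql"))
            if opts.get("disabled", "0") not in ("0", "1"):
                problems.append((name, "disabled must be 1 or 0"))
        else:
            continue  # other stanza names are outside the spec and skipped here
        problems += [(name, f"unknown attribute {k}") for k in sorted(set(opts) - allowed)]
    return problems

# Constructed sample input: host names and stanza names are made up.
SAMPLE = """
[settings]
max_backoff = twenty

[WMI:RemoteDisk]
server = host1, host2
wql = select Name, PercentDiskTime from Win32_PerfFormattedData_PerfDisk_PhysicalDisk
disabled = no

[WMI:Typo]
interval = 10
event_log_files = System
"""
if __name__ == "__main__":
    for stanza, problem in lint_wmi_conf(SAMPLE):
        print(f"[{stanza}] {problem}")
```

The unknown-attribute check is what catches the misspelled event_log_files key in the last stanza, which would otherwise leave that input with no source set.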


This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11

