Admin Manual



wmi.conf


The following are the spec and example files for wmi.conf.

wmi.conf.spec

# Copyright (C) 2005-2010 Splunk Inc.  All Rights Reserved.  Version 4.1.5 
#
# This file contains possible attribute/value pairs for configuring WMI access from Splunk.  
#
# There is a wmi.conf in $SPLUNK_HOME\etc\system\default\.  To set custom configurations, 
# place a wmi.conf in $SPLUNK_HOME\etc\system\local\. For examples, see 
# wmi.conf.example.  You must restart Splunk to enable configurations.
# 
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/Aboutconfigurationfiles

#########################################################################################
#----GLOBAL SETTINGS-----
#########################################################################################

[settings]
* The settings stanza specifies various runtime parameters.
* The entire stanza and every parameter within it is optional. 
* If the stanza is missing, Splunk assumes system defaults.

initial_backoff = <integer>
* How long to wait (in seconds) before retrying the connection to the WMI provider after the first connection error.
* If connection errors continue, the wait time doubles until it reaches max_backoff.
* Defaults to 5.

max_backoff = <integer>
* Maximum wait time (in seconds) between reconnect attempts; the doubling wait from initial_backoff stops growing at this value.
* Defaults to 20.

max_retries_at_max_backoff = <integer>
* Try to reconnect this many times once max_backoff is reached.
* If reconnection still fails after max_retries_at_max_backoff attempts, give up forever (until restart).
* Defaults to 2.

checkpoint_sync_interval = <integer>
* Minimum wait time (in seconds) for state data (event log checkpoint) to be written to disk.
* Defaults to 2.
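The three backoff settings above define one reconnect schedule. The function below is an added illustration (not Splunk code) that computes that schedule from the settings; it assumes that the first attempt made with a wait of max_backoff counts as retry 1 of max_retries_at_max_backoff.

```python
def retry_schedule(initial_backoff=5, max_backoff=20, max_retries_at_max_backoff=2):
    """Return the wait (seconds) before each reconnect attempt, in order.

    Added illustration of the wmi.conf [settings] backoff rules; not Splunk code.
    Assumption: the first attempt made with a wait of max_backoff counts as
    retry 1 of max_retries_at_max_backoff.  Defaults are the spec defaults.
    """
    if min(initial_backoff, max_backoff, max_retries_at_max_backoff) <= 0:
        raise ValueError("all backoff settings must be positive integers")
    waits = []
    wait = min(initial_backoff, max_backoff)   # never start above the cap
    while wait < max_backoff:                  # doubling phase
        waits.append(wait)
        wait = min(wait * 2, max_backoff)      # an overshoot is clamped to the cap
    waits.extend([max_backoff] * max_retries_at_max_backoff)  # then give up
    return waits


def seconds_until_giving_up(**settings):
    """Total time a provider may stay unreachable before Splunk stops retrying."""
    return sum(retry_schedule(**settings))
```

With the defaults the provider gets four attempts (waits of 5, 10, 20, 20 seconds) and Splunk stops after 55 seconds of failures, so a long outage needs a restart to resume collection.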

#########################################################################################
#----INPUT-SPECIFIC SETTINGS-----
#########################################################################################

[WMI:$NAME]
* There are two types of WMI stanzas:
 * Event log: for pulling event logs. You must set the event_log_file attribute.
 * WQL: for issuing raw WQL requests. You must set the wql attribute.
 * Do not use both the event_log_file and the wql attributes in the same stanza.  Use one or the other.

server = <comma-separated list>
* A comma-separated list of servers from which to get data.
* If missing, defaults to local machine.

interval = <integer>
* How often (in seconds) to poll for new data.
* Not optional.
* No default.

disabled = 0 | 1
* 1 to disable, 0 to enable.
* If missing, defaults to 0.

hostname = <host>
* All results generated by this stanza will appear to have arrived from this host.
* Optional.  If missing, will detect the host automatically.

current_only = 0 | 1
* Defaults to 0.
* When current_only is 1:
*    For event log stanzas, only events that occur while Splunk is running are captured.
*    For WQL stanzas, an event notification query is expected.  The queried class must support sending events.
*    An example event notification query that watches for process creation:
*    SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'
* When current_only is 0:
*    For event log stanzas, all events from the checkpoint onward are gathered. If there is no checkpoint, all events
*    are retrieved, starting from the oldest.
*    For WQL stanzas, the query is executed and the results are retrieved. The query is a non-notification query.
*    For example: Select * from Win32_Process where caption = "explorer.exe"

* Event log-specific attributes:

event_log_file = <Application, System, etc>
* Use this instead of WQL to specify sources.
* Specify a comma-separated list of log files to poll.
* No default.

* WQL-specific attributes:

wql = <string>
* Use this if you are not using event_log_file.
* Specify wql to extract data from WMI provider.
* For example, select * from Win32_PerfFormattedData_PerfProc_Process where Name = "splunkd".

namespace = <string>
* The namespace where the WMI provider resides.
* Defaults to root\cimv2.
* The namespace spec can either be relative (root\cimv2) or absolute (\\server\root\cimv2).
* If the server attribute is present, you cannot specify an absolute namespace.
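The per-stanza rules in this spec (interval is required, event_log_file and wql are mutually exclusive, an absolute namespace cannot be combined with server, and a WQL stanza with current_only = 1 needs an event notification query) can be checked before the restart that activates the file. The linter below is an added example, not Splunk's own validation; the wmi.conf it reads is constructed for the example and reuses stanza and server names from the example file.

```python
import configparser
import re

# Notification queries select from an __Instance*Event class (see current_only).
NOTIFICATION_RE = re.compile(r"\bfrom\s+__Instance\w*Event\b", re.IGNORECASE)

def lint_wmi_conf(text):
    """Return 'stanza: problem' strings for every rule violation; [] means clean."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    problems = []
    for name in cp.sections():
        if not name.startswith("WMI:"):
            continue  # [settings] carries no per-input rules
        s = cp[name]
        has_log, has_wql = "event_log_file" in s, "wql" in s
        if has_log == has_wql:
            problems.append(f"{name}: set exactly one of event_log_file or wql")
        if not s.get("interval", "").strip().isdigit():
            problems.append(f"{name}: interval is required and must be an integer")
        if s.get("namespace", "").startswith("\\\\") and "server" in s:
            problems.append(f"{name}: absolute namespace cannot be combined with server")
        if (has_wql and s.get("current_only", "0").strip() == "1"
                and not NOTIFICATION_RE.search(s["wql"])):
            problems.append(f"{name}: current_only = 1 needs an event notification query")
    return problems

# Constructed sample: the first two stanzas are valid, each later one breaks a rule.
SAMPLE_CONF = r"""[WMI:LocalSecurity]
interval = 10
event_log_file = Security
[WMI:ProcessCreation]
interval = 1
server = remote-machine
wql = select * from __InstanceCreationEvent within 1 where TargetInstance isa 'Win32_Process'
current_only = 1
[WMI:BothSources]
interval = 10
event_log_file = System
wql = select * from Win32_Process
[WMI:BadNamespace]
server = srv1
namespace = \\srv1\root\cimv2
wql = select * from Win32_Process
[WMI:NotNotification]
interval = 1
current_only = 1
wql = select * from Win32_Process where caption = "explorer.exe"
"""
```

Running `lint_wmi_conf(SAMPLE_CONF)` reports four problems: the BothSources stanza, two for BadNamespace (missing interval, absolute namespace with server) and the non-notification query in NotNotification.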


wmi.conf.example

# Copyright (C) 2005-2010 Splunk Inc.  All Rights Reserved.  Version 4.1.5 
#
# This is an example wmi.conf.  These settings are used to control inputs from WMI providers.
# Refer to wmi.conf.spec and the documentation at splunk.com for more information about this file. 
#
# To use one or more of these configurations, copy the configuration block into wmi.conf 
# in $SPLUNK_HOME\etc\system\local\.  You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/Aboutconfigurationfiles

# This stanza specifies runtime parameters. 

[settings]
initial_backoff = 5
max_backoff = 20
max_retries_at_max_backoff = 2
checkpoint_sync_interval = 2

# These stanzas pull event logs from the local system.

[WMI:LocalApplication]
interval = 10
event_log_file = Application
disabled = 0

[WMI:LocalSystem]
interval = 10
event_log_file = System
disabled = 0

[WMI:LocalSecurity]
interval = 10
event_log_file = Security
disabled = 0

# These stanzas gather performance data from the local system.

[WMI:LocalPhysicalDisk]
interval = 1
wql = select Name, DiskBytesPerSec, PercentDiskReadTime, PercentDiskWriteTime, PercentDiskTime from Win32_PerfFormattedData_PerfDisk_PhysicalDisk
disabled = 0

[WMI:LocalMainMemory]
interval = 10
wql = select CommittedBytes, AvailableBytes, PercentCommittedBytesInUse, Caption from Win32_PerfFormattedData_PerfOS_Memory
disabled = 0

[WMI:LocalSplunkdProcess]
interval = 1
wql = select * from Win32_PerfFormattedData_PerfProc_Process where Name = "splunkd"
disabled = 0

# Listen from three event log channels, capturing log events that occur only
# while Splunk is running.  Gather data from three servers.

[WMI:TailApplicationLogs]
interval = 10
event_log_file = Application, Security, System
server = srv1, srv2, srv3
disabled = 0
current_only = 1

# Listen for process-creation events on a remote machine

[WMI:ProcessCreation]
interval = 1
server = remote-machine
wql = select * from __InstanceCreationEvent within 1 where TargetInstance isa 'Win32_Process'
disabled = 0
current_only = 1

# Receive events whenever someone plugs/unplugs a USB device to/from the computer

[WMI:USBChanges]
interval = 1
wql = select * from __InstanceOperationEvent within 1 where TargetInstance ISA 'Win32_PnPEntity' and TargetInstance.Description='USB Mass Storage Device'
disabled = 0
current_only = 1


This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5