The venerable old-skool Splunk forums are now closed. Feel free to search for old content here, but new posts are no longer supported.

Instead, please visit the thriving community at answers.splunk.com to ask and answer questions about your Splunk deployment and how to get the most out of it.

Forums: SplunkAdministration: splunk-wmi crashes regularly

Previous Topic: Setting timezone with the dynamic input header?  |   Next Topic: How do I remove Sources


Posts 1–7 of 7
1
posted by: ebrodsky  |  posts
date: July 15, 2008
permalink

Hello all... I hope someone can shed some light on this issue i'm having.

i am using WMI to pull event logs from several servers, but the splunk-wmi.exe process crashes fairly regularly. The event log reports something similar to:

wmi_type="WinEventLog:Application"
Message=Faulting application splunk-wmi.exe, version 0.0.0.0, faulting module splunk-wmi.exe, version 0.0.0.0, fault address 0x0005d670.

or

wmi_type="WinEventLog:Application"
Message=Faulting application splunk-wmi.exe, version 0.0.0.0, faulting module msvcr80.dll, version 8.0.50727.762, fault address 0x0000f870.

Has anyone run into this before?

2
posted by: gstemke  |  posts
date: July 15, 2008
permalink

Hi There,

Splunk WMI is a new feature with the 3.3 release. Would you mind sending your logs to support@splunk.com so that we can determine the cause of the crashes?

We need to look at your $SPLUNK_HOME\var\log\splunk directory.

If the directory is too large for an email attachment, you can send your initial email and a support engineer will instruct you on how to attach files to your case.

Additionally, it would be useful to see your $SPLUNK_HOME\etc\system\local\wmi.conf. I'd like to see what you are monitoring with WMI.

Cheers,
Gerad

3
posted by: ebrodsky  |  posts
date: July 17, 2008
permalink

Hi!
well, this hasn't happened in a couple of days, but i was able to pinpoint one way to reproduce it regularly: if the "interval" parameter is missing from a WMI stanza, the splunk-wmi process invariably crashes on launch.

However, i've greatly reduced the number of things i'm trying to pull via WMI since my original post. Right now i'm only pulling event logs from one server. As I add more things again, if it starts crashing, I'll be sure to send the logs.

Thanks!
Eugene

4
posted by: araitz  |  posts
date: July 17, 2008
permalink

Thanks, Eugene!

5
posted by: shammons  |  posts
date: January 27, 2009
permalink

I had the same error but the fault address was all zeros.

wmi_type="WinEventLog:Application"
Message=Faulting application splunk-wmi.exe, version 0.0.0.0, faulting module splunk-wmi.exe, version 0.0.0.0, fault address 0x00000000.

In order to fix my problem I had to add in a DEP exception for splunk-wmi because windows was blocking it. This was only after I upgraded from 3.3.4 to 3.4.5

6
posted by: araitz  |  posts
date: January 27, 2009
permalink

Also good to know, thanks!

7
posted by: ledio  |  posts
date: January 28, 2009
permalink

shammons, thank you for letting us know about the exception issue. Will be investigating that further and see what we can do to fix the problem.

Cheers,
Ledio Ago