WMI comes to Splunk

The Windows release of Splunk Preview debuts with WMI. So, what is WMI for all you splunkheads out there? It’s an OS interface which allows “instrumented components to provide information and notification”. WMI gives you the ability to query system instrumentation data such as system performance, event logs, end countless other events that occur on the system. It also has the capability of doing this agent-less from remote machines. The most exciting feature is the ability to do collection of Windows event logs from other machines on your network simultaneously. A Splunk install is not required on every single node that generates this data, and you don’t need to do anything special to facilitate this. Assuming you’ve set up proper authentication between the machines, of course. Setting up proper WMI security is a hot topic on its own.

From the standpoint of configuration and what WMI is capable of doing, in the context of Splunk, WMI can be used in two ways: to pull event logs and to query instrumentation data. Assuming that you have enough credentials to poll event logs agentlessly, you can simply specify host name and the log file you are interested in. This is an example of retrieving “Application” event logs from a remote machine named “remotehost”:

namespace = \\remotehost\root\cimv2
interval = 10
event_log_file = Application
disabled = 0

The other aspect of WMI warrants more explanation. To get data from WMI providers, you query them using WQL (WMI query language), which is a subset of SQL. Simply specify a query, and all fields returned by the provider will be automatically collated as an event. (Some queries return multiple results, and hence generate multiple events.) An example query will be select FreeMegabytes from Win32_PerfFormattedData_PerfDisk_LogicalDisk, which will poll free disk space from all logical disk partitions on the system.

This is an example config setup that gets runtime information for all running processes on a local machine every 30 seconds:

namespace = \\.\root\cimv2
interval = 30
wql = select * from Win32_PerfFormattedData_PerfProc_Process
disabled = 0

With this you can easily chart memory usage by process.

WMI Memory Usage by Process Name

The default install of the preview includes several preset performance queries. If you look at %SPLUNK_HOME%\etc\system\default\wmi.conf, you will find three default config stanzas. To see a list of what all is available for querying, google for “WMI classes” and browse the MSDN documentation. There is tons of stuff that you can splunk, including detailed memory usage, network utilization, disk usage, detailed process runtime information. Also, take a look at the WMI documentation.

Happy Splunking with WMI.


Posted by