I have configured my UF wmi.conf file as below:
[WMI:LocalAdmins]
interval = 3600
index = myindex
wql = SELECT * FROM Win32_GroupUser
disabled = 0
On Splunk version 6.2.3, I am getting details of local groups from the server where the UF is installed. Whereas on another Splunk indexer with version 6.4.2, I am getting events with all domains in our enterprise.
How can I just get the local system group details? Can I specify domain here?
Data-
1# : Correct One
GroupComponent=\\Server1\root\cimv2:Win32_Group.Domain="Server1",Name="Administrators"
2# : Incorrect One
GroupComponent=\\Server1\root\cimv2:Win32_Group.Domain="NA",Name="Administrators"
NA is one of the domain servers.
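As an added illustration (not code from the poster or from Splunk), the following Python shows how the two `GroupComponent` values above differ structurally and how a collector or search-time script can keep only memberships of the local machine's groups by comparing the `Domain` key of the WMI object path against the host name. It assumes each `Win32_GroupUser` event is available as a dict with `GroupComponent` and `PartComponent` fields; the sample events are constructed here and the `PartComponent` paths are assumed for illustration. Whether the WQL query itself can be restricted on the `Domain` key of the reference is not settled on this page, so the filtering here is applied after collection.

```python
import re

# A WMI object path as it appears in Win32_GroupUser's reference fields, e.g.
#   \\Server1\root\cimv2:Win32_Group.Domain="Server1",Name="Administrators"
# Parts: \\<server>\<namespace>:<class>.<key>="<value>",<key>="<value>"
_PATH_RE = re.compile(
    r'^\\\\(?P<server>[^\\]+)\\(?P<namespace>[^:]+):(?P<cls>[^.]+)\.(?P<keys>.*)$'
)
_KEY_RE = re.compile(r'(?P<k>\w+)="(?P<v>[^"]*)"')


def parse_wmi_ref(ref):
    """Split a WMI object path into server, namespace, class and key properties."""
    m = _PATH_RE.match(ref)
    if not m:
        raise ValueError("not a WMI object path: %r" % ref)
    keys = dict(_KEY_RE.findall(m.group("keys")))
    return {
        "server": m.group("server"),
        "namespace": m.group("namespace"),
        "class": m.group("cls"),
        **keys,  # typically Domain and Name for Win32_Group / Win32_UserAccount
    }


def is_local_group_event(event, hostname):
    """True when the group side of the membership belongs to the local machine.

    Local (SAM) groups carry the computer name in the Domain key; a domain
    group such as Domain="NA" is the case the poster wants to exclude.
    Windows names are case-insensitive, so compare with casefold().
    """
    group = parse_wmi_ref(event["GroupComponent"])
    return group["class"] == "Win32_Group" and group.get("Domain", "").casefold() == hostname.casefold()


def local_group_members(events, hostname, group_name="Administrators"):
    """Return sorted 'Domain\\Name' members of the local group named group_name.

    Members that are themselves domain principals (for example a domain group
    nested into local Administrators) are kept, because they still grant
    local admin rights on this host; only non-local *groups* are dropped.
    """
    members = []
    for ev in events:
        if not is_local_group_event(ev, hostname):
            continue
        if parse_wmi_ref(ev["GroupComponent"]).get("Name") != group_name:
            continue
        part = parse_wmi_ref(ev["PartComponent"])
        members.append("%s\\%s" % (part.get("Domain", ""), part.get("Name", "")))
    return sorted(members)


# Constructed sample events modelled on the two GroupComponent values in the post.
# The PartComponent values are assumed for illustration.
EVENTS = [
    {   # local Administrators on Server1, built-in account as member
        "GroupComponent": r'\\Server1\root\cimv2:Win32_Group.Domain="Server1",Name="Administrators"',
        "PartComponent": r'\\Server1\root\cimv2:Win32_UserAccount.Domain="Server1",Name="Administrator"',
    },
    {   # local Administrators on Server1, domain group nested in
        "GroupComponent": r'\\Server1\root\cimv2:Win32_Group.Domain="Server1",Name="Administrators"',
        "PartComponent": r'\\Server1\root\cimv2:Win32_Group.Domain="NA",Name="Domain Admins"',
    },
    {   # the "incorrect" case from the post: a domain-level group, not local
        "GroupComponent": r'\\Server1\root\cimv2:Win32_Group.Domain="NA",Name="Administrators"',
        "PartComponent": r'\\Server1\root\cimv2:Win32_UserAccount.Domain="NA",Name="Administrator"',
    },
    {   # local group other than Administrators, filtered by group_name
        "GroupComponent": r'\\Server1\root\cimv2:Win32_Group.Domain="Server1",Name="Users"',
        "PartComponent": r'\\Server1\root\cimv2:Win32_UserAccount.Domain="Server1",Name="alice"',
    },
]


if __name__ == "__main__":
    for ev in EVENTS:
        print(is_local_group_event(ev, "Server1"), ev["GroupComponent"])
    print(local_group_members(EVENTS, "Server1"))
```

Run on the constructed events, only the two `Domain="Server1"` Administrators memberships survive, which is the behaviour the 6.2.3 forwarder showed; the `Domain="NA"` group event is dropped even though its `Name` is also `Administrators`.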