Executing WMI Queries

WMI (Windows Management Instrumentation) is the Microsoft implementation of WBEM (Web Based Enterprise Management) that provides users with information about the status of local or remote computer systems.

TrueSight Operations Management - Monitoring Studio can execute WMI queries on your system and consolidate them within your TrueSight Operations Management environment. It can also query the WMI repository for monitor type and instance information. You can for example request the WMI that returns all the objects representing shut-down events from your desktop system.

This function is only available on Windows hosts. It can be remotely used from PATROL Agents running on Windows only.

To analyze a WMI query

1.	Access the Monitoring Studio Configuration panel, as explained in the Configure Monitors chapter.

2.	In the Monitors section, click the WMI button.

3.	The WMI panel is displayed. Provide the connection credentials and define the WMI query settings.

4.	Provide the WMI Query information:

WMI_Settings

WMI Query — Settings

▪	Namespace: Enter the WMI namespace (Example: root\cimv2). A namespace is a logical group of related monitor types representing a specific technology or area of management.

▪	WQL Query: Enter your query (Example: SELECT * FROM Win32 process). If you need help to build your WMI query, download WMI CIM Studio, which is one of the WMI Administrative tools on the Microsoft site.

▪	Timeout (seconds): Specify the time in seconds after which the query will be stopped (Default: 30 seconds). If the query times out, the Status attribute of the Studio WMI Query Monitor Type will be set to 2 (Failed) and an alarm will be triggered in TrueSight Operations Management.

▪

Report Errors in Group's "Collection Error Count": Select this option to have the Collection Error Count attribute of the Group reflect possible alerts triggered upon the WMI query execution. The Collection Error Count attribute of the Group reports on the collection errors of all Monitors, associated to the Group, for which this option is available and selected, providing a global view of the collection errors for the whole Group.

Basic WMI Queries
Queries may be issued against WMI resources using WMI Query Language (WQL). WQL is a subset of SQL designed to retrieve information from WMI. A simple example of a WMI query would be: SELECT * FROM Win32_Process. This retrieves all attributes (the * is used as a wildcard) for all processes currently running on the computer. Win32_Process is the name of the WMI class for Windows processes.
WMI queries of this type are often issued from a script using Windows Script Host or from any technology or tool that can access WMI. Queries retrieve specific information from instances of WMI resources or execute methods against instances to perform such actions as stopping services, or starting processes.

Keyword	Example code	Description
SELECT	SELECT *	Specifies what properties are returned. Typically * is used to simply retrieve all.
FROM	FROM __InstanceCreationEvent	Specifies the event class to query. This will be the extrinsic or intrinsic event class.
WHERE	WHERE TargetInstance ISA 'Win32_Process' AND TargetInstance.Name = 'notepad.exe'	Filters the results. For intrinsic events, it will usually include the ISA keyword to specify the class of the TargetInstance. Note: WMI queries support dot characters in the WHERE statement.

5.	Define the Monitor Settings:

Monitoring_Settings

WMI Query — Monitor Settings

▪	Internal ID: Enter an ID to identify the managed WMI query instance in TrueSight Operations Management.

▪	Display Name: Enter a name to identify the managed WMI query instance in TrueSight Operations Management.

▪	Optional — Polling Interval: Set the frequency at which the data collection will be performed. Default is 2 minutes.

▪	Optional — Alert Actions: Define the action(s) Monitoring Studio needs to perform when the thresholds for this WMI query instance is breached.

6.	Optional — Define the Content Processing rules you wish to apply to the WMI query output:

Content_Processing

WMI Query — Content Processing

▪	String Searches: Define the search criteria for a specific string you wish to find or not find in the WMI query output.

▪	Numeric Extractions: Define any numeric value to be extracted from the WMI query output.

7.	Click the Add to List button to complete the creation of the WMI query instance.

8.	Click Close.