Documentation forServer & Application Monitor
Monitoring your applications and environment is a key capability of Hybrid Cloud Observability and is also available in a standalone module, Server & Application Monitor (SAM). Hybrid Cloud Observability and SAM are built on the self-hosted SolarWinds Platform.

WMI Monitors

As described in Work with component monitors, SAM includes several "component monitor types" that use various methods to focus on elements such as services, logs, or processes. WMI Monitors are component monitors that use WMI communication to obtain the result of a WMI Query Language (WQL) query. The typical result retrieves the performance data calculated by WMI providers such as the Windows OS or Microsoft Exchange Server.

One example of a WMI Monitor is the DFS Volume State component monitor in the Distributed File System (DFS) template that assesses the status and overall performance of a Microsoft DFS service.

Note the following details that apply to most component monitors categorized as WMI Monitors:

  • All WQL queries are run within the root/CIMV2 namespace.
  • Named instances of SQL Server may have custom class names that do not match the predefined SAM templates, so you'll need to manually change the class name in any WMI Monitor collecting data for a named SQL Server instance. For example, if a named instance is "NAMED,” change Win32_PerfFormattedData_MSSQLSERVER_SQLServerBufferManager to Win32_PerfFormattedData_MSSQLNAMED_SQLNAMEDServerBufferManager.
  • The statistic displayed for this type of component monitor in the SolarWinds Platform Web Console is either:

If you create a custom WMI Monitor in the Component Monitor Wizard, you'll be prompted to provide several values, as described next.

Field descriptions


A default description of the monitor, which you can add to or replace. The variable to access this field is ${UserDescription}.

Enable Component

Determines whether the component is enabled. Disabling the component leaves it in the application in a deactivated state not influencing either SolarWinds SAM application availability or status.

Credential for Monitoring

Select a Windows credential with WMI rights on the target node. This is typically a Windows administrator-level credential.

Click a credential in the list, or use the <Inherit credential from node> option. If the credential you need is not in the credentials list, add it in the SAM Credentials Library.

Fetching Method

Configure the method used to gather data:

WinRM Authentication Mechanism

If the SAM WinRM toggle is enabled for application polling on the SolarWinds Platform server and target nodes, select an authentication method for the connection. The default setting is Negotiate.

  • Default: Specifies the transport to use for WS-Management protocol requests and responses: HTTP or HTTPS. The default is HTTP.
  • Digest: User name and password are required. The client sends a request with authentication data to an authenticating server, usually a domain controller. If the client is authenticated, then the server receives a Digest session key to authenticate subsequent requests from the client.
  • Negotiate: The client sends a request to the server to determine the protocol to use for Simple and Protected Negotiation (SPNEGO) authentication, which can be either:
    • Kerberos for domain accounts, or
    • NTLM for local computer accounts
  • Basic: User name and password are required, as sent via HTTP or HTTPS in a domain or workgroup.
  • Kerberos: User name and password are required for mutual authentication between the client and server, using encrypted keys. The client account must be a domain account in the same domain as the server. When a client uses default credentials, Kerberos is the authentication method if the connection string is not one of the following: localhost,, or [::1].
  • NtlmDomain: User name and password are required for NTLM authentication. The client proves its identity by sending a user name, password, and domain name.
  • CredSssp: User name and password are optional. The Credential Security Support Provider (CredSSP) lets an application delegate the user credentials from the client to the target server for remote authentication. The client is authenticated over the encrypted channel by using the SPNEGO protocol with either Kerberos or NTLM.

    Portions excerpted from the WinRM Glossary (© 2020, Microsoft Corp., available at

WMI Namespace

Specify the namespace where all WQL queries are run. The default value is root\CIMV2.

WQL Query

Type the WQL query you want to run on the target node. This is typically a performance counter query, but it can be any WQL query. All WQL queries are run within the root/CIMV2 namespace.

The WQL query for this monitor returns a numeric value. It will not report errors.

Count Statistic as Difference

This option changes the statistic to be the difference in counter values between polling cycles. It only applies to monitors whose counter value increases consistently during each polling interval. Examples of when this option is not applicable include cases such as the following:

  • Counter values sometimes increase and sometimes decrease from one polling interval to another (typical behavior for many counters)
  • Counter values consistently decrease from one polling interval to another

If this option is not applicable, negative data values are replaced with zero (0). The counter monitor shows 0 as the statistic data value in related widgets and 0 as the value on statistic data charts for this interval.

Convert Value

Select the "Yes, convert returned value" option to display fields where you can select a common function or enter a custom formula. The Custom Conversion option provides basic arithmetic operators (+, -, *, /), plus built-in mathematical functions for more advanced conversions. See Convert values in data transformations for SAM component monitors.

Statistic Warning Threshold

Specify a threshold that indicates a warning level was breached. Logical operators are in the drop down list, followed by a blank field where you can enter a value. For example: Less than 15 for warning, Less than 5 for critical. See Application Monitor Thresholds.

User Notes

Add notes for easy reference. You can access this field by using the variable, ${UserNotes}.