Content Pack for Monitoring Microsoft Windows

This documentation does not apply to the most recent version of Content Pack for Monitoring Microsoft Windows. For documentation on the most recent version, go to the latest release.

Data requirements for the Content Pack for Monitoring Microsoft Windows

The IT Service Intelligence (ITSI) Content Pack for Monitoring Microsoft Windows requires that you install the Splunk Add-on for Windows and configure it to collect and send data to your deployment.

While configuring the Splunk Add-on for Windows, use metrics-based indexes. Event indexes are also supported.

Prerequisite

Install a universal forwarder or heavy forwarder on every host from which you want to send data to your ITSI or ITE Work deployment. See About forwarding and receiving in the Splunk Enterprise Forwarding Data manual to learn how to install and configure forwarders.

Install the Splunk Add-on for Microsoft Windows

Use the following table as a reference to install the Splunk Add-on for Windows on your deployment:

App                        Installation link                      Search heads  Indexers  Forwarders
Splunk Add-on for Windows  Install the Splunk Add-on for Windows  x             x         x

Create indexes

The Content Pack for Monitoring Microsoft Windows requires the following two indexes to store and display the event data coming from the Splunk Add-on for Windows:

  • perfmon (required only if performance monitoring data is ingested into an events index)
  • windows

For instructions on creating indexes in Splunk Enterprise, see Create events indexes. For Splunk Cloud, contact Splunk Support to set up, manage, and maintain your cloud index parameters. See Manage Splunk Cloud Platform indexes.

Configure the inputs.conf file for Windows OS performance collection

To allow centralized management of multiple forwarders, create a custom app and use a deployment server or another management solution.

Once you deploy the inputs.conf file to one or more Windows servers, use the Search and Reporting app to confirm that your hosts are receiving data.

These steps are required for all Windows servers you monitor.

Configure the add-on to collect metrics data and send it to your Splunk deployment

WinHostMon data is always ingested into the events index, because the Splunk Add-on for Windows doesn't provide a metrics version of that source.

  • Download the Splunk Add-on for Windows from Splunkbase.
  • From a command shell, place the add-on in the $SPLUNK_HOME/etc/apps directory.
  • Create an inputs.conf file in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/. If this file already exists, merge the stanzas in the next step.
  • Paste the following stanzas into the configuration file to generate the KPIs for the content pack:
    [WinHostMon://Processor]
    interval = 600
    disabled = 0
    type = Processor
    index = windows
    
    [WinHostMon://OperatingSystem]
    interval = 600
    disabled = 0
    type = OperatingSystem
    index = windows
    
    [WinHostMon://Disk]
    interval = 600
    disabled = 0
    type = Disk
    index = windows
    
    [perfmon://CPU]
    counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
    disabled = 0
    instances = *
    interval = 60
    object = Processor
    useEnglishOnly = true
    mode = single
    index = itsi_im_metrics
    
    ## Logical Disk
    [perfmon://LogicalDisk]
    counters = % Free Space; Free Megabytes; Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
    disabled = 0
    instances = *
    interval = 60
    object = LogicalDisk
    useEnglishOnly = true
    mode = single
    index = itsi_im_metrics
    
    ## Physical Disk
    [perfmon://PhysicalDisk]
    counters = Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
    disabled = 0
    instances = *
    interval = 60
    object = PhysicalDisk
    useEnglishOnly = true
    mode = single
    index = itsi_im_metrics
    
    ## Memory
    [perfmon://Memory]
    counters = Page Faults/sec; Available Bytes; Committed Bytes; Commit Limit; Write Copies/sec; Transition Faults/sec; Cache Faults/sec; Demand Zero Faults/sec; Pages/sec; Pages Input/sec; Page Reads/sec; Pages Output/sec; Pool Paged Bytes; Pool Nonpaged Bytes; Page Writes/sec; Pool Paged Allocs; Pool Nonpaged Allocs; Free System Page Table Entries; Cache Bytes; Cache Bytes Peak; Pool Paged Resident Bytes; System Code Total Bytes; System Code Resident Bytes; System Driver Total Bytes; System Driver Resident Bytes; System Cache Resident Bytes; % Committed Bytes In Use; Available KBytes; Available MBytes; Transition Pages RePurposed/sec; Free & Zero Page List Bytes; Modified Page List Bytes; Standby Cache Reserve Bytes; Standby Cache Normal Priority Bytes; Standby Cache Core Bytes; Long-Term Average Standby Cache Lifetime (s)
    disabled = 0
    interval = 60
    object = Memory
    useEnglishOnly = true
    mode = single
    index = itsi_im_metrics
    
    ## Network
    [perfmon://Network]
    counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size
    disabled = 0
    instances = *
    interval = 60
    object = Network Interface
    useEnglishOnly = true
    mode = single
    index = itsi_im_metrics
    
You can also create your own custom metrics index and ingest the data into that index. Replace itsi_im_metrics with the name of your custom metrics index. For more information, see Create metrics indexes.

Configure the add-on to collect events data and send it to your Splunk deployment

  • Download the Splunk Add-on for Windows from Splunkbase.
  • From a command shell, place the add-on in the $SPLUNK_HOME/etc/apps directory.
  • Create an inputs.conf file in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/. If this file already exists, merge the stanzas in the next step.
  • Paste the following stanzas into the configuration file to generate the KPIs for the content pack:
    [WinHostMon://Processor]
    interval = 600
    disabled = 0
    type = Processor
    index = windows
    
    [WinHostMon://OperatingSystem]
    interval = 600
    disabled = 0
    type = OperatingSystem
    index = windows
    
    [WinHostMon://Disk]
    interval = 600
    disabled = 0
    type = Disk
    index = windows
    
    [perfmon://CPU]
    counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
    disabled = 0
    instances = *
    interval = 60
    object = Processor
    useEnglishOnly = true
    mode = multikv
    index = perfmon
    
    ## Logical Disk
    [perfmon://LogicalDisk]
    counters = % Free Space; Free Megabytes; Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
    disabled = 0
    instances = *
    interval = 60
    object = LogicalDisk
    useEnglishOnly = true
    mode = multikv
    index = perfmon
    
    ## Physical Disk
    [perfmon://PhysicalDisk]
    counters = Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
    disabled = 0
    instances = *
    interval = 60
    object = PhysicalDisk
    useEnglishOnly = true
    mode = multikv
    index = perfmon
    
    ## Memory
    [perfmon://Memory]
    counters = Page Faults/sec; Available Bytes; Committed Bytes; Commit Limit; Write Copies/sec; Transition Faults/sec; Cache Faults/sec; Demand Zero Faults/sec; Pages/sec; Pages Input/sec; Page Reads/sec; Pages Output/sec; Pool Paged Bytes; Pool Nonpaged Bytes; Page Writes/sec; Pool Paged Allocs; Pool Nonpaged Allocs; Free System Page Table Entries; Cache Bytes; Cache Bytes Peak; Pool Paged Resident Bytes; System Code Total Bytes; System Code Resident Bytes; System Driver Total Bytes; System Driver Resident Bytes; System Cache Resident Bytes; % Committed Bytes In Use; Available KBytes; Available MBytes; Transition Pages RePurposed/sec; Free & Zero Page List Bytes; Modified Page List Bytes; Standby Cache Reserve Bytes; Standby Cache Normal Priority Bytes; Standby Cache Core Bytes; Long-Term Average Standby Cache Lifetime (s)
    disabled = 0
    interval = 60
    object = Memory
    useEnglishOnly = true
    mode = multikv
    index = perfmon
    
    ## Network
    [perfmon://Network]
    counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size
    disabled = 0
    instances = *
    interval = 60
    object = Network Interface
    useEnglishOnly = true
    mode = multikv
    index = perfmon
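Both procedures above end with merging stanzas into an existing local/inputs.conf, and a merge that drops a stanza or mixes the two layouts silently leaves KPIs empty. The following Python script is an added example, not part of this documentation or of the Splunk Add-on for Windows: it checks that every stanza the content pack depends on is present, enabled, and paired with the mode and index of the chosen layout (metrics: mode=single with a metrics index; events: mode=multikv with index=perfmon). The stanza names come from the page; the sample file is constructed.

```python
import configparser

REQUIRED = ("WinHostMon://Processor", "WinHostMon://OperatingSystem", "WinHostMon://Disk",
            "perfmon://CPU", "perfmon://LogicalDisk", "perfmon://PhysicalDisk",
            "perfmon://Memory", "perfmon://Network")

def check_inputs_conf(text, metrics=True):
    """Return problems found (empty list = matches the page's layout). metrics=True expects
    mode=single plus a metrics index; metrics=False expects mode=multikv and index=perfmon."""
    # '%' occurs in counter names, so interpolation must be off; optionxform keeps key case.
    # strict=True turns a key duplicated by a careless merge into a parse error.
    cp = configparser.ConfigParser(interpolation=None, strict=True)
    cp.optionxform = str
    cp.read_string(text)
    problems = []
    for stanza in REQUIRED:
        if not cp.has_section(stanza):
            problems.append(f"{stanza}: missing")
            continue
        s = cp[stanza]
        if s.get("disabled", "0").strip() != "0":
            problems.append(f"{stanza}: disabled")
        if stanza.startswith("WinHostMon://"):
            if s.get("index", "").strip() != "windows":
                problems.append(f"{stanza}: index must be windows")
            continue
        if s.get("useEnglishOnly", "").strip().lower() != "true":
            problems.append(f"{stanza}: useEnglishOnly must be true")
        mode, index = s.get("mode", "").strip(), s.get("index", "").strip()
        if metrics and (mode != "single" or index in ("", "perfmon", "windows")):
            problems.append(f"{stanza}: metrics layout needs mode=single and a metrics index")
        if not metrics and (mode != "multikv" or index != "perfmon"):
            problems.append(f"{stanza}: events layout needs mode=multikv and index=perfmon")
    return problems

# Constructed sample of a badly merged local/inputs.conf: most stanzas are absent and
# perfmon://Network kept the events-layout mode while pointing at the metrics index.
SAMPLE = """[perfmon://CPU]
counters = % Processor Time; % User Time
disabled = 0
useEnglishOnly = true
mode = single
index = itsi_im_metrics

[perfmon://Network]
disabled = 0
useEnglishOnly = true
mode = multikv
index = itsi_im_metrics
"""
```

Run check_inputs_conf(open(path).read()) against the file you are about to push to the deployment server, and check_inputs_conf(..., metrics=False) for the events layout; an empty list means every required stanza is present and consistent.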
    
Last modified on 08 November, 2022

This documentation applies to the following versions of Content Pack for Monitoring Microsoft Windows: 1.1.0