Splunk® IT Essentials Work

Entity Integrations Manual



This documentation does not apply to the most recent version of Splunk® IT Essentials Work. For documentation on the most recent version, go to the latest release.

Collect Windows metrics and logs with the data collection script in ITE Work

Use the data collection script to configure data collection agents on Windows hosts you want to collect metrics and log data from.

The data collection script requires internet access. If you don't have internet access, configure data collection manually. For more information, see these topics:

If you haven't seen the requirements yet, see Windows integration requirements for ITE Work.

If you're using Splunk Cloud Platform, you need to enter specific information according to your cloud stack when you configure an integration. For more information, see Send data to Splunk Cloud Platform with ITE Work data collection agents.

To see which data the Windows integration sends to ITE Work, see Windows data you can collect with ITE Work.

Prerequisites

Requirement           Description
Windows host          See Windows operating system support.
Dependencies          See Required Windows dependencies.
Administrator role    In Splunk Enterprise, you have to be a user with the admin role. In Splunk Cloud Platform, you have to be a user with the sc_admin role.
Internet access       The data collection script downloads a universal forwarder package from https://www.splunk.com/en_us/download/universal-forwarder.html.

Steps to configure the data collection script for Windows hosts

Follow these steps to configure and use the data collection script to collect Windows metrics and logs in ITE Work.

1. Specify configuration options

Configure data collection options for collecting metrics and logs from your host.

  1. From the ITE Work main menu, go to Configuration > Data Integrations.
  2. Click the Windows chicklet.
  3. Click Customize to select the metrics and log sources you want to collect data for.
    • The cpu and uptime metrics are selected by default and cannot be deselected.
    • If you select cpu > Collect data for each CPU, the metrics are stored for each CPU core so that you can split CPU usage by core in the Analysis Workspace.
    • If you select cpu > Collect sum over all CPUs, only aggregate metrics are stored for CPU usage.
    • ITE Work creates a custom script for you to run on your host system based on your data selections and customizations.
  4. (Optional) Add a custom source.
  5. When you're finished selecting metrics and log sources, click Save.
  6. Add Dimensions for easier troubleshooting, analysis, and filtering of entities. Dimensions are key/value pairs associated with an entity that you can use for searching and filtering during an investigation. Use the format dimension:value, such as env:prod or region:uswest. You can't delete dimensions the plug-in creates.
  7. Enter the Monitoring machine hostname or IP address of the Splunk Enterprise instance you want to send metrics and log data to.
  8. Enter the Receiver port of the machine you want to send log data to. You can use any port as the receiver port. The recommended port is 9997 if it's available.
  9. For Install Location, specify the directory where you want the script to install the universal forwarder on the host.

2. Copy and paste the data collection script in a PowerShell window on the host

Deploy the script on your host to collect metrics and logs.

Follow these steps to deploy the script:

  1. Connect to the Windows host.
  2. Open a PowerShell window on the host.
  3. Paste the script into the PowerShell window on the host and run the script.
  4. When you run the script on a Windows system for the first time, you might receive a message stating that the universal forwarder was installed without creating an admin user. If this occurs, you have to manually create admin credentials. For information about creating admin credentials, see user-seed.conf in the Splunk Enterprise Admin Manual.

3. Verify your data connection

Verify your data connection to start monitoring your infrastructure. It can take up to five minutes for your host to display in the user interface.

In the ITE Work user interface, go to Configuration > Entity Management and wait for new hosts to start appearing. Each host has the entity type Windows.
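The following PowerShell script is an added example and is not part of the Splunk documentation or of the data collection script that ITE Work generates. It checks, from the Windows host, the three things the steps above depend on: that the receiver port on the monitoring machine is reachable, that the universal forwarder service is installed and running, and that the forwarder's outputs configuration points at the host and port you entered in step 1. The parameter names are this example's own; it assumes the default service name SplunkForwarder and that splunk.exe sits under <Install Location>\bin.

```powershell
# Added example, not Splunk's own code: post-deployment checks for the universal
# forwarder that the ITE Work data collection script installs.
# Assumptions: MonitoringHost, ReceiverPort and InstallLocation are the values
# entered in step 1; the Windows service is named "SplunkForwarder" (the default
# for the universal forwarder); splunk.exe is at <InstallLocation>\bin\splunk.exe.
param(
    [Parameter(Mandatory)][string]$MonitoringHost,   # monitoring machine hostname or IP (step 1.7)
    [int]$ReceiverPort = 9997,                        # receiver port (step 1.8); 9997 is the recommended default
    [string]$InstallLocation = 'C:\Program Files\SplunkUniversalForwarder'  # install location (step 1.9)
)

# 1. Can this host open a TCP connection to the receiver port? Run this before
#    pasting the script so a blocked port is not mistaken for a failed install.
$net = Test-NetConnection -ComputerName $MonitoringHost -Port $ReceiverPort -WarningAction SilentlyContinue
if ($net.TcpTestSucceeded) {
    Write-Host "Receiver ${MonitoringHost}:${ReceiverPort} is reachable."
} else {
    Write-Warning "TCP ${MonitoringHost}:${ReceiverPort} is not reachable. Check host firewalls and that the receiving port is enabled on the Splunk instance."
}

# 2. Is the forwarder service present and running? A missing service usually
#    means the data collection script did not complete.
$svc = Get-Service -Name 'SplunkForwarder' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning 'SplunkForwarder service not found; re-run the data collection script and review its output.'
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "SplunkForwarder service is $($svc.Status); start it with: Start-Service SplunkForwarder"
} else {
    Write-Host 'SplunkForwarder service is running.'
}

# 3. Does the forwarder's effective outputs configuration name the receiver you
#    entered? 'splunk btool outputs list' merges every outputs.conf on the host
#    and needs no login, unlike 'splunk list forward-server', which prompts for
#    the forwarder admin credentials (see step 2.4 about user-seed.conf).
$splunk = Join-Path $InstallLocation 'bin\splunk.exe'
if (-not (Test-Path $splunk)) {
    Write-Warning "splunk.exe not found at $splunk; confirm the Install Location you entered in step 1."
    return
}
$outputs = & $splunk btool outputs list 2>&1
$expected = "${MonitoringHost}:${ReceiverPort}"
if ($outputs -match [regex]::Escape($expected)) {
    Write-Host "outputs.conf targets $expected as expected."
} else {
    Write-Warning "No outputs.conf server entry for $expected was found. Effective outputs configuration:"
    $outputs | ForEach-Object { Write-Host "  $_" }
}
```

Run it from an elevated PowerShell window on the host after the data collection script finishes, for example `.\Check-Forwarder.ps1 -MonitoringHost splunk.example.internal -ReceiverPort 9997` (a constructed hostname). If the port check fails but the service and configuration look correct, the host will not appear under Entity Management until the network path to the receiver is fixed.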

Last modified on 28 February, 2024

This documentation applies to the following versions of Splunk® IT Essentials Work: 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only, 4.10.3 Cloud only, 4.10.4 Cloud only, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.6, 4.12.0 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1

