Content Pack for Windows Dashboards and Reports

Content Pack for Windows Dashboards and Reports

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Get Windows server data

The Content Pack for Windows Dashboards and Reports provides visibility into the health and performance of your Microsoft Windows Server and Active Directory environments. The content pack relies on data collected by the Splunk Add-on for Windows to populate the dashboards and reports provided by the content pack.

The Splunk Add-on for Windows is required in order to access data from the following resources:

  • All hosts that run Active Directory Domain Services, including domain controllers and DNS servers.
  • All Windows hosts from which you want Windows data.
  • All indexers.
  • All search heads.

Download the Splunk Add-on for Windows

Perform the following high-level steps to download the Splunk Add-on for Windows:

  1. Download the Splunk Add-on for Windows from Splunkbase and save it to an accessible place on the deployment server.
  2. When prompted, choose an accessible location on your deployment server to save the download. Do not attempt to run the download.
  3. Unarchive the file to an accessible location.

For more detailed instructions, see Install the Splunk Add-on for Windows in the Splunk Add-on for Windows manual.

Configure the Splunk Add-on for Windows

Perform the following high-level steps to configure the Splunk Add-on for Windows:

You must complete these steps for Windows perfmon data to be used in dashboards.

  1. In the location where you unarchived the downloaded app file, locate the Splunk_TA_windows directory.
  2. Create a local subdirectory within the Splunk_TA_windows directory.
  3. Copy the inputs.conf file in the default subdirectory to the local directory.
  4. Edit the disabled and mode attributes in the inputs.conf file. You can optionally add an index attribute to use specific indexes.

Microsoft Windows event logs that are rendered in XML format will not populate in the Content Pack for Windows Dashboards and Reports.

Version 5.0.1 and higher of the Splunk Add-on for Windows collects data in multikv mode by default. This mode has a different event format over the existing single mode. The Content Pack for Windows Dashboards and Reports only supports single mode. You must change the value of the mode parameter to single in the perfmon stanzas in /Splunk_TA_windows/default/inputs.conf on forwarder.

You can refer to the following example input stanzas:

[perfmon://CPU]
counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
disabled = 0
instances = *
interval = 10
mode = single
object = Processor
useEnglishOnly=true
 
## Logical Disk
[perfmon://LogicalDisk]
counters = % Free Space; Free Megabytes; Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
disabled = 0
instances = *
interval = 10
mode = single
object = LogicalDisk
useEnglishOnly=true
 
## Physical Disk
[perfmon://PhysicalDisk]
counters = Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
disabled = 0
instances = *
interval = 10
mode = single
object = PhysicalDisk
useEnglishOnly=true
 
## Memory
[perfmon://Memory]
counters = Page Faults/sec; Available Bytes; Committed Bytes; Commit Limit; Write Copies/sec; Transition Faults/sec; Cache Faults/sec; Demand Zero Faults/sec; Pages/sec; Pages Input/sec; Page Reads/sec; Pages Output/sec; Pool Paged Bytes; Pool Nonpaged Bytes; Page Writes/sec; Pool Paged Allocs; Pool Nonpaged Allocs; Free System Page Table Entries; Cache Bytes; Cache Bytes Peak; Pool Paged Resident Bytes; System Code Total Bytes; System Code Resident Bytes; System Driver Total Bytes; System Driver Resident Bytes; System Cache Resident Bytes; % Committed Bytes In Use; Available KBytes; Available MBytes; Transition Pages RePurposed/sec; Free & Zero Page List Bytes; Modified Page List Bytes; Standby Cache Reserve Bytes; Standby Cache Normal Priority Bytes; Standby Cache Core Bytes; Long-Term Average Standby Cache Lifetime (s)
disabled = 0
interval = 10
mode = single
object = Memory
useEnglishOnly=true
 
## Network
[perfmon://Network]
counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size
disabled = 0
instances = *
interval = 10
mode = single
object = Network Interface
useEnglishOnly=true
 
## Process
[perfmon://Process]
counters = % Processor Time; % User Time; % Privileged Time; Virtual Bytes Peak; Virtual Bytes; Page Faults/sec; Working Set Peak; Working Set; Page File Bytes Peak; Page File Bytes; Private Bytes; Thread Count; Priority Base; Elapsed Time; ID Process; Creating Process ID; Pool Paged Bytes; Pool Nonpaged Bytes; Handle Count; IO Read Operations/sec; IO Write Operations/sec; IO Data Operations/sec; IO Other Operations/sec; IO Read Bytes/sec; IO Write Bytes/sec; IO Data Bytes/sec; IO Other Bytes/sec; Working Set - Private
disabled = 0
instances = *
interval = 10
mode = single
object = Process
useEnglishOnly=true
 
## ProcessInformation
[perfmon://ProcessorInformation]
counters = % Processor Time; Processor Frequency
disabled = 0
instances = *
interval = 10
mode = single
object = Processor Information
useEnglishOnly=true
 
## System
[perfmon://System]
counters = File Read Operations/sec; File Write Operations/sec; File Control Operations/sec; File Read Bytes/sec; File Write Bytes/sec; File Control Bytes/sec; Context Switches/sec; System Calls/sec; File Data Operations/sec; System Up Time; Processor Queue Length; Processes; Threads; Alignment Fixups/sec; Exception Dispatches/sec; Floating Emulations/sec; % Registry Quota In Use
disabled = 0
instances = *
interval = 10
mode = single
object = System
useEnglishOnly=true

You can either create the default Windows index as mentioned in the section Create the required Indexes, or you can create your own custom index and then update the event types as mentioned in the section Update configuration files to use custom indexes. If you use the default Windows index, you must add index parameters with the values in the following table, located in /Splunk_TA_windows/default/inputs.conf on the forwarder.

Input staza Indexes Event types
[WinEventLog://Application], [WinEventLog://Security], [WinEventLog://System], [WinEventLog://ForwardedEvents] wineventlog wineventlog_index_windows
[monitor://$WINDIR\System32\DHCP], [monitor://$WINDIR\WindowsUpdate.log], [script://.\bin\win_listening_ports.bat], [script://.\bin\win_installed_apps.bat], [script://.\bin\win_timesync_status.bat], [script://.\bin\win_timesync_configuration.bat],

[WinHostMon://Computer], [WinHostMon://Process], [WinHostMon://Processor], [WinHostMon://NetworkAdapter], [WinHostMon://Service], [WinHostMon://OperatingSystem], [WinHostMon://Disk], [WinHostMon://Driver], [WinHostMon://Roles], [WinPrintMon://printer], [WinPrintMon://driver], [WinPrintMon://port], [WinNetMon://inbound], [WinNetMon://outbound]

windows windows_index_windows
[perfmon://CPU], [perfmon://LogicalDisk], [perfmon://PhysicalDisk], [perfmon://Memory], [perfmon://Network], [perfmon://Process], [perfmon://ProcessorInformation], [perfmon://System] perfmon perfmon_index_windows
[admon://default], [WinRegMon://default], [WinRegMon://hkcu_run], [WinRegMon://hklm_run] windows windows_index_windows
[monitor://$WINDIR\debug\netlogon.log], [MonitorNoHandle://$WINDIR\System32\Dns\dns.log],

[script://.\bin\runpowershell.cmd nt6-repl-stat.ps1], [powershell://Replication-Stats], [script://.\bin\runpowershell.cmd nt6-health.ps1], [powershell://AD-Health][script://.\bin\runpowershell.cmd nt6-siteinfo.ps1], [powershell://Siteinfo] [script://.\bin\runpowershell.cmd dns-zoneinfo.ps1], [script://.\bin\runpowershell.cmd dns-health.ps1], [admon://default]

msad msad_index_windows

Save the inputs.conf in the local subdirectory. The following is an example inputs.conf staza:


[perfmon://CPU]
counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
disabled = 0
instances = *
interval = 10
mode = single
object = Processor
useEnglishOnly=true
index = perfmon
 
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=false
index = wineventlog
 
[WinPrintMon://port]
type = port
interval = 600
baseline = 1
disabled = 0
index = windows
 
[script://.\bin\runpowershell.cmd nt6-siteinfo.ps1]
source=Powershell
sourcetype=MSAD:NT6:SiteInfo
interval=3600
disabled=0
index = msad

Create the required Indexes

The Content Pack for Windows Dashboards and Reports requires the following four indexes for indexing and displaying the incoming data from the Splunk Add-on for Windows:

  • msad
  • perfmon
  • windows
  • wineventlog

Refer to the following links to learn how to create indexes:

  • For Splunk Enterprise users, see Create events indexes in the Managing Indexers and Clusters of Indexers manual.
  • For Splunk Cloud Platform users, contact Splunk Support to set up, manage, and maintain the cloud index parameters. See Manage Splunk Cloud Platform indexes in the Splunk Cloud Platform Admin Manual.

You can also use custom indexes to ingest the data by updating the relevant event types. Refer to the section Update configuration files to use custom indexes for more details.

Update configuration files to use custom indexes

Perform the following steps to update configuration files to use custom index(es):

  1. Copy the inputs.conf file from the default subdirectory /Splunk_TA_windows/default/ to the local directory folder /Splunk_TA_windows/local/ folder of the forwarder.
  2. Open the inputs.conf in the local subdirectory with a text editor.
  3. If you are using <<CUSTOM INDEX>> instead of TA_windows default indexes then add index = <<CUSTOM INDEX>> under stanzas as defined in the table above for the Windows default index(es). Refer to the previous table for Windows default indexes.

The following are examples of inputs stanzas:

[perfmon://CPU]
counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
disabled = 1
instances = *
interval = 10
mode = single
object = Processor
useEnglishOnly=true
index = <<CUSTOM INDEX>>
 
[WinEventLog://Application]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=false
index = <<CUSTOM INDEX>>
 
[WinPrintMon://port]
type = port
interval = 600
baseline = 1
disabled = 1
index = <<CUSTOM INDEX>>

Update eventtypes.conf

Perform the following steps to update eventtypes.conf files to a custom index:

  1. Copy the eventtypes.conf file from the default subdirectory /DA-ITSI-CP-windows-dashboards/default/ to the local directory folder /DA-ITSI-CP-windows-dashboards/local/ folder on the search head.
  2. Open the eventtypes.conf in the local subdirectory with a text editor.
  3. If you are using <<CUSTOM INDEX>> instead of Windows default indexes, then update the eventtype definitions as shown in the following table:
Default index Custom index Updated eventtypes
perfmon <<CUSTOM INDEX 1>> [perfmon_index_windows], definition = index=perfmon OR index=<<CUSTOM INDEX 1>>
wineventlog <<CUSTOM INDEX 2>> [wineventlog_index_windows], definition = index=wineventlog OR index=<<CUSTOM INDEX 2>>
windows <<CUSTOM INDEX 3>> [windows_index_windows], definition = index=windows OR index=<<CUSTOM INDEX 3>>

Update configuration files to use the main index

Perform the following steps to update eventtypes.conf files to the main index:

  1. Copy the eventtypes.conf file from the default subdirectory /DA-ITSI-CP-windows-dashboards/default/ to the local directory folder /DA-ITSI-CP-windows-dashboards/local/ folder on the search head.
  2. Open the eventtypes.conf in the local subdirectory with a text editor.
  3. If you are using index=main instead of Windows default indexes, then update the eventtype definitions as shown in the following table:
Default index Main index Updated eventtypes
perfmon main [perfmon_index_windows], definition = index=perfmon OR index=main
wineventlog main [wineventlog_index_windows], definition = index=wineventlog OR index=main
windows main [windows_index_windows], definition = index=windows OR index=main
Last modified on 24 February, 2023
PREVIOUS
Migrate from the Splunk App for Windows Infrastructure to the Content Pack for Windows Dashboards and Reports
  NEXT
Get Active Directory data

This documentation applies to the following versions of Content Pack for Windows Dashboards and Reports: 1.2.0, 1.2.1, 1.2.2, 1.3.0


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters