Configure the Splunk App for Windows Infrastructure
After you install the Splunk App for Windows Infrastructure, you must configure it before it can be used.
When the Splunk App for Windows Infrastructure first runs, it checks your Splunk Enterprise environment to ensure that all data and supporting apps and add-ons that it needs are available. This process is known as the "First time run" process. The Splunk App for Windows Infrastructure does not let you use it until you have successfully installed the required supporting apps and all the data it needs is present on the instance you have installed it on.
You can run this process at any time after the initial run by selecting "Guided Setup" from the "Tools and Settings" menu within the app.
This process runs the moment you load the Splunk App for Windows Infrastructure for the first time.
To start the process, click the green Start button. The Splunk App for Windows Infrastructure loads the Prerequisites page and begins detecting basic prerequisites for the app.
The Splunk App for Windows Infrastructure detects the following prerequisites:
- The Splunk Enterprise version. Version numbers described in the platform and hardware requirements.
- App key value store status. As part of checking the Splunk Enterprise version, the app also checks to see if you have the app key value store enabled. If it is not enabled, it asks you to do so.
- The Splunk Add-on for Windows version. The app requires the Splunk Add-on for Windows (TA-Windows) to be installed on the same instance that it resides. See What are the other prerequisites? for supported version information.
- The Supporting Add-on for Active Directory version. The Splunk App for Windows Infrastructure needs the latest version of this required add-on installed on the same instance that it resides.
- Splunk user credentials. The app checks for the presence of the
winfra-adminrole for the user that has logged into the instance. If that role is not present, it asks you to add it.
If you have not satisfied one or more prerequisites, it appears in red with an 'X' next to it. The app provides assistance on how to correct the problem. This can range from downloading and installing add-ons, enabling app key value store, or configuring the logged in Splunk Enterprise user, for example.
To correct the problem:
- Follow the guidance provided. You might need to download and install an app or visit a different page within the Splunk Enterprise instance.
- Return to the Splunk App for Windows Infrastructure prerequisites setup page, if necessary.
- Click the "Redetect" button next to the "Prerequisites" title.
If you have satisfied the prerequisite, it then turns green. Once you satisfy all prerequisites, the "Next" button at the top of the page activates and turns green. Click this button to proceed to the next step of the setup process.
The second phase of the setup experience confirms that the data that the app needs to function is present. In this phase, the app checks for:
- Data from the Splunk App for Windows Infrastructure. The app confirms that data from your Windows servers exists on the indexer.
- Data from the Splunk Add-on for Windows. The app checks to see that Windows data has been gathered from the Windows servers in your deployment and is available.
- Data from the Splunk Supporting Add-on for Active Directory. This check confirms that the app sees Active Directory data coming in from the SA-LDAPsearch supporting add-on.
The app checks for a certain number of events that have occurred in the past 24 hours. If no events have occurred for a certain type, the app warns you of this and highlights the type in red. Other data types are not required for a successful deployment and appear as warnings in yellow.
When you encounter either an error or a warning, the likely case is that data is not coming in from the forwarders. To resolve this problem:
- Review your forwarder configurations and, if necessary, follow the steps in the previous data collection chapters in this manual to confirm that you have enabled the appropriate data inputs and that the forwarders send out that data.
- Once you have confirmed the forwarder setup, return to the Splunk App for Windows Infrastructure Check Data setup page.
- Click the "Redetect" button.
If you have corrected the problem successfully, the data type turns green. Once you have all data types flowing in successfully, the "Next" button at the top of the page activates and turns green. Click the button to proceed to the next step in the setup process.
This page displays the list of dashboard panels that come with the Splunk App for Windows Infrastructure. Each panel displays information about specific features for Microsoft Windows and Active Directory.
Based on the information that the app gathered earlier in the setup process, it activates or deactivates panels in each of the three panel groups:
- Windows: This panel group contains options based on incoming Windows data that the Splunk App for Windows Infrastructure detected in the setup process. The Splunk App for Windows Infrastructure enables these panels if it detects that Windows data has been collected.
- Active Directory: This panel group contains options based on incoming Active Directory data that the Splunk App for Windows Infrastructure detected in the setup process. The Splunk App for Windows Infrastructure enables these panels if it detects that Active Directory data has been collected.
You can perform the following actions on this page:
- You can enable an entire panel group by clicking the checkbox next to Windows or Active Directory checkboxes at the top of the page.
- You can select the individual panels you would like the app to display.
- You can deselect individual panels that you would not like the app to display.
- You can tell the app to perform the data detection process by clicking the Detect Features button at the bottom of the page.
- If you are satisfied with the feature set that the app has detected, click the green Next button to complete app setup.
Note: If there is no data present for a panel that you have enabled, the Splunk App for Windows Infrastructure displays the panel within the app but does not show any data on the page.
The "Detect Features" process runs automatically as part of the setup process when you first install the app. As it detects features, it displays a dialog box that shows you its progress:
During the process, the app:
- Detects for presence of data for its dashboard panels.
- Builds lookup tables that allow it to function properly.
You can stop this detection process if needed by clicking the "Cancel" button. It is a good idea, however, to allow the process to run at least once, especially if it is the first time that the app has run the process.
Once the process has completed, the app enables dashboard panels for all the features that it has detected data. Click the Close button to return to the "Customize Features" page.
After you customize dashboard panels for the app, it presents the "Success! Splunk App for Windows Infrastructure has been configured" page.
Here you have several choices:
- Click the green Windows Overview button to proceed to the Windows Overview page.
- Click Active Directory Overview to head over to the Active Directory Overview page.
- Click Home to proceed to the home page.
Log in and get started
This documentation applies to the following versions of Splunk® App for Windows Infrastructure: 1.4.1, 1.4.2, 1.4.3, 1.4.4