Splunk® Add-on for Windows

Deploy and Use the Splunk Add-on for Windows

This documentation does not apply to the most recent version of Splunk® Add-on for Windows. For documentation on the most recent version, go to the latest release.

What data the Splunk Add-on for Windows collects

The Splunk Add-on for Windows collects the following data:

  • CPU statistics.
  • Memory usage and availability by process and host.
  • Disk usage including average read/write speed, disk queue length, and available disk space by host.
  • Network usage including average bytes transferred per second and total network data transferred over time, by host.
  • Windows Update patch history, including successful and unsuccessful updates, by host and Knowledge Base (KB) number.
  • Longest and most frequent logins, by host and user name.
  • Unsuccessful logins, by host and user name.
  • All event logs.
  • Information on Security Identifiers (SIDs) and Globally Unique Identifiers (GUIDs).
  • Information on Windows services that either failed or failed to start.
  • Information on how Windows hosts were shut down.
  • Information on successful privilege escalations, by user name.

Index usage and creation

The Splunk Add-on for Windows creates three indexes to store its data when installed:

  • windows: For DHCP, Windows Update logs, Windows network, host, printer, and Registry monitoring.
  • wineventlog: For all Windows Event Log channels.
  • perfmon: For all Windows Performance Monitoring events.

When you forward data from a Windows server using the Splunk Add-on for Windows, the indexer you send the events to must also have these indexes present. You can install the add-on onto the indexer to set those indexes up automatically.

Last modified on 23 February, 2018

This documentation applies to the following versions of Splunk® Add-on for Windows: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.8.4