Splunk® Supported Add-ons

Splunk Add-on for Microsoft Windows

Performance reference for the Splunk Add-on for Windows

The following table lists search-time performance for Windows TA version 9.0.0, measured with a total of 6.4M ingested events.

| Source type | Search query | Event count | Search time in seconds |
|---|---|---|---|
| Perfmon:Process | index=main sourcetype=Perfmon:Processor | 100000 | 3.91 |
| WMI:LocalProcesses | index=main sourcetype=WMI:LocalProcesses | 100000 | 2.90 |
| WMI:LocalNetwork | index=main sourcetype=WMI:LocalNetwork | 100000 | 2.75 |
| WMI:Service | index=main sourcetype=WMI:Service | 100000 | 7.83 |
| MSAD:NT6:DNS | index=main sourcetype=MSAD:NT6:DNS | 100000 | 9.58 |
| WMI:FreeDiskSpace | index=main sourcetype=WMI:FreeDiskSpace | 100000 | 2.61 |
| PerfmonMk:ProcessorInformation | index=main sourcetype=PerfmonMk:ProcessorInformation | 100000 | 3.02 |
| Script:ListeningPorts | index=main sourcetype=Script:ListeningPorts | 100000 | 2.56 |
| WMI:LocalPhysicalDisk | index=main sourcetype=WMI:LocalPhysicalDisk | 100000 | 3.16 |
| Script:NetworkConfiguration | index=main sourcetype=Script:NetworkConfiguration | 100000 | 2.52 |
| WinEventLog | index=main sourcetype=WinEventLog | 100000 | 6.22 |
| PerfmonMk:DFS_Replicated_Folders | index=main sourcetype=PerfmonMk:DFS_Replicated_Folders | 100000 | 5.28 |
| MSAD:NT6:DNS-Health | index=main sourcetype=MSAD:NT6:DNS-Health | 100000 | 6.08 |
| Perfmon:CPU | index=main sourcetype=Perfmon:CPU | 100000 | 3.01 |
| XmlWinEventLog | index=main sourcetype=XmlWinEventLog | 100000 | 11.14 |
| Perfmon:DFS_Replicated_Folders | index=main sourcetype=Perfmon:DFS_Replicated_Folders | 100000 | 2.54 |
| PerfmonMk:System | index=main sourcetype=PerfmonMk:System | 100000 | 3.89 |
| DhcpSrvLog | index=main sourcetype=DhcpSrvLog | 100000 | 5.38 |
| WMI:ComputerSystem | index=main sourcetype=WMI:ComputerSystem | 100000 | 2.18 |
| ActiveDirectory | index=main sourcetype=ActiveDirectory | 100000 | 13.27 |
| PerfmonMk:PhysicalDisk | index=main sourcetype=PerfmonMk:PhysicalDisk | 100000 | 13.24 |
| PerfmonMk:CPU | index=main sourcetype=PerfmonMk:CPU | 100000 | 3.09 |
| PerfmonMk:LogicalDisk | index=main sourcetype=PerfmonMk:LogicalDisk | 100000 | 4.28 |
| Script:TimesyncStatus | index=main sourcetype=Script:TimesyncStatus | 100000 | 9.25 |
| WMI:InstalledUpdates | index=main sourcetype=WMI:InstalledUpdates | 100000 | 3.25 |
| WMI:Uptime | index=main sourcetype=WMI:Uptime | 100000 | 2.74 |
| WMI:Memory | index=main sourcetype=WMI:Memory | 100000 | 4.87 |
| Perfmon:DNS | index=main sourcetype=Perfmon:DNS | 100000 | 2.72 |
| Script:TimesyncConfiguration | index=main sourcetype=Script:TimesyncConfiguration | 100000 | 10.84 |
| WindowsUpdateLog | index=main sourcetype=WindowsUpdateLog | 100000 | 3.69 |
| Perfmon:Memory | index=main sourcetype=Perfmon:Memory | 100000 | 2.94 |
| WMI:UserAccounts | index=main sourcetype=WMI:UserAccounts | 100000 | 4.82 |
| Perfmon:System | index=main sourcetype=Perfmon:System | 100000 | 3.62 |
| Perfmon:Network_Interface | index=main sourcetype=Perfmon:Network_Interface | 100000 | 2.60 |
| PerfmonMk:Processor | index=main sourcetype=PerfmonMk:Processor | 100000 | 3.23 |
| PerfmonMk:DNS | index=main sourcetype=PerfmonMk:DNS | 100000 | 6.22 |
| WMI:Version | index=main sourcetype=WMI:Version | 100000 | 2.95 |
| WinNetMon | index=main sourcetype=WinNetMon | 100000 | 2.97 |
| WMI:WinEventLog:Application | index=main sourcetype=WMI:WinEventLog:Application | 100000 | 5.17 |
| MSAD:NT6:Health | index=main sourcetype=MSAD:NT6:Health | 100000 | 3.11 |
| WinRegistry | index=main sourcetype=WinRegistry | 100000 | 6.34 |
| Perfmon:NTDS | index=main sourcetype=Perfmon:NTDS | 100000 | 3.13 |
| MSAD:NT6:SiteInfo | index=main sourcetype=MSAD:NT6:SiteInfo | 100000 | 2.45 |
| MSAD:NT6:DNS-Zone-Information | index=main sourcetype=MSAD:NT6:DNS-Zone-Information | 100000 | 4.85 |
| Script:InstalledApps | index=main sourcetype=Script:InstalledApps | 100000 | 10.17 |
| MSAD:NT6:Replication | index=main sourcetype=MSAD:NT6:Replication | 100000 | 2.29 |
| WinHostMon | index=main sourcetype=WinHostMon | 100000 | 5.84 |
| PerfmonMk:Network | index=main sourcetype=PerfmonMk:Network | 100000 | 3.87 |
| MSAD:NT6:Netlogon | index=main sourcetype=MSAD:NT6:Netlogon | 100000 | 2.16 |
| WMI:CPUTime | index=main sourcetype=WMI:CPUTime | 100000 | 3.88 |
| WMI:ScheduledJobs | index=main sourcetype=WMI:ScheduledJobs | 100000 | 2.52 |
| PerfmonMk:Memory | index=main sourcetype=PerfmonMk:Memory | 100000 | 4.46 |
| Perfmon:Network | index=main sourcetype=Perfmon:Network | 100000 | 4.99 |
| PerfmonMk:NTDS | index=main sourcetype=PerfmonMk:NTDS | 100000 | 14.08 |
| Perfmon:PhysicalDisk | index=main sourcetype=Perfmon:PhysicalDisk | 100000 | 2.36 |
| WMI:LogicalDisk | index=main sourcetype=WMI:LogicalDisk | 100000 | 4.54 |
| win:bios | index=main sourcetype=win:bios | 100000 | 7.80 |
| WMI:WinEventLog:Security | index=main sourcetype=WMI:WinEventLog:Security | 100000 | 17.16 |
| Perfmon:LogicalDisk | index=main sourcetype=Perfmon:LogicalDisk | 100000 | 4.36 |
| PerfmonMk:Process | index=main sourcetype=PerfmonMk:Process | 100000 | 4.36 |
| Perfmon:ProcessorInformation | index=main sourcetype=Perfmon:ProcessorInformation | 100000 | 2.78 |
| PerfmonMk:Network_Interface | index=main sourcetype=PerfmonMk:Network_Interface | 100000 | 4.97 |
| WMI:WinEventLog:System | index=main sourcetype=WMI:WinEventLog:System | 100000 | 5.00 |
| Perfmon:Processor | index=main sourcetype=Perfmon:Processor | 100000 | 2.45 |

The following table provides the average events per second (EPS) for the listed WinEventLog channels:

| Log Name | Number of Events | Seconds (Classic) | EPS (Classic) | Seconds (XML) | EPS (XML) |
|---|---|---|---|---|---|
| Application | 50000 | 8.5 | 5882 | 9.75 | 5128 |
| System | 50000 | 9.5 | 5263 | 10.2 | 4901 |
| Security | 45377 | 13.33 | 3404 | 16 | 2836 |
| Powershell | 50000 | 7.33 | 6821 | 8 | 6250 |

Last modified on 13 November, 2024

This documentation applies to the following versions of Splunk® Supported Add-ons: released

