Content Pack for Windows Dashboards and Reports

This documentation does not apply to the most recent version of Content Pack for Windows Dashboards and Reports. For documentation on the most recent version, go to the latest release.

Install and configure the Content Pack for Windows Dashboards and Reports

Perform the following high-level steps to install and configure the Content Pack for Windows Dashboards and Reports:

  1. Create the required Indexes.
  2. Install and configure the Splunk Add-on for Windows.
  3. Install and configure the Splunk Supporting Add-on for Active Directory.
  4. Install the content pack.
  5. Run the saved searches to build the lookups.

Prerequisites

Review the following prerequisites before installing the content pack:

  • Enable the App Key-Value Store in your environment where the content pack is installed.
  • Install and configure the IT Service Intelligence (ITSI) or IT Essentials Work App in your environment. See About Splunk ITSI in the Install and Upgrade Manual, or Install IT Essentials Work in the Overview of Splunk IT Essentials Work manual.

Create the required Indexes

The Content Pack for Windows Dashboards and Reports requires the following four indexes for indexing and displaying the incoming data from the Splunk Add-on for Windows:

  • msad
  • perfmon
  • windows
  • wineventlog

Refer to the following links to learn how to create indexes:

  • For Splunk Enterprise users, see Create events indexes in the Managing Indexers and Clusters of Indexers manual.
  • For Splunk Cloud Platform users, contact Splunk Support to set up, manage, and maintain the cloud index parameters. See Manage Splunk Cloud Platform indexes in the Splunk Cloud Platform Admin Manual.

Install and configure the Splunk Add-on for Windows

The content pack relies on data from the Splunk Add-on for Windows. The add-on collects the computer, groups, security, DNS, organizational, and domain data from your Windows server hosts.

To learn how to install and configure the add-on, see Install the Splunk Add-on for Windows in the Splunk Add-on for Windows manual.

For information about getting data in from the Splunk Add-on for Windows for the content pack, see Get Windows server data.

The following table shows where to install the Splunk Add-on for Windows in your distributed environment:

Package                      Search head   Indexer   Forwarder
Splunk Add-on for Windows    X             X         X

Install and configure the Splunk Supporting Add-on for Active Directory

The content pack relies on the custom commands provided by the Splunk Supporting Add-on for Active Directory for searching attributes from the Active Directory.

To learn how to install and configure the add-on, see Install the Splunk Supporting Add-on for Active Directory in the Splunk Supporting Add-on for Active Directory manual.

For information about getting data in from the Splunk Supporting Add-on for Active Directory for the content pack, see Get Active Directory data.

The following table shows where to install the Splunk Supporting Add-on for Active Directory in your distributed environment:

Package                                          Search head   Indexer   Forwarder
Splunk Supporting Add-on for Active Directory    X

Install the content pack

To install the Content Pack for Windows Dashboards and Reports, you must first install the Splunk App for Content Packs. For instructions, see Install the Splunk App for Content Packs.

The Content Pack for Windows Dashboards and Reports contents are automatically installed and running once you install the Splunk App for Content Packs on the search head where you installed ITSI or IT Essentials Work.

Run the saved searches and build the lookups

The build_winfra_lookup saved search is required to use the dashboards in the content pack. The search fills the lookup tables that populate the dashboards and reports in the content pack.

Before running the search, make sure that data is populating the four required indexes. Then perform the following steps to run the saved searches:

  1. In Splunk Web, go to the Settings menu and select Searches, reports, and alerts.
  2. Search for the build_winfra_lookup saved search.
  3. Run the search and verify that all the searches included in the build_winfra_lookup search have run.
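
One way to confirm that data is populating the four required indexes before you run build_winfra_lookup, as an added example that is not part of the original documentation. The 24-hour window and the status labels are assumptions; the appended zero-count rows make an index that received no events show up as "no data in window" instead of being absent from the results.

```spl
| tstats count where (index=msad OR index=perfmon OR index=windows OR index=wineventlog) earliest=-24h by index
| append
    [| makeresults
     | eval index=split("msad,perfmon,windows,wineventlog", ",")
     | mvexpand index
     | eval count=0
     | table index count]
| stats sum(count) as events by index
| eval status=if(events > 0, "data present", "no data in window")
| sort index
```

An index reported with no data usually points to a missing index definition or to Splunk Add-on for Windows inputs that are not yet sending to that index.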

The following list shows the saved searches included in the build_winfra_lookup:

  • WinApp_Lookup_Build_Perfmon - Update - Server
  • WinApp_Lookup_Build_Printmon - Update
  • WinApp_Lookup_Build_Netmon - Update - Detail
  • WinApp_Lookup_Build_Netmon - Update - Server
  • WinApp_Lookup_Build_Hostmon_Services - Update - Detail
  • WinApp_Lookup_Build_Hostmon_Process - Update - Detail
  • WinApp_Lookup_Build_Hostmon_FS - Update - Detail
  • WinApp_Lookup_Build_Hostmon_Machine - Update - Detail
  • WinApp_Lookup_Build_Hostmon - Update - Server
  • WinApp_Lookup_Build_Event - Update - Detail
  • WinApp_Lookup_Build_Event - Update - Server
  • WinApp_Lookup_Build_Perfmon - Update - Detail
  • ActiveDirectory: Update Computer Lookup
  • ActiveDirectory: Update User Lookup
  • ActiveDirectory: Update Group Lookup
  • ActiveDirectory: Update GPO Lookup
  • tSiteInfo_Lookup_Update
  • tSessions_Lookup_Update
  • HostInfo_Lookup_Update
  • HostToDomain_Lookup_Update
  • DomainSelector_Lookup
Last modified on 17 May, 2022

This documentation applies to the following versions of Content Pack for Windows Dashboards and Reports: 1.0.0, 1.0.1

