Reports reference for the Content Pack for Windows Dashboards and Reports
The Content Pack for Windows Dashboards and Reports includes several reports through which you can proactively monitor and troubleshoot your Windows environment.
Access the reports
- Log in to Splunk Web.
- Select App > IT Service Intelligence (ITSI) or IT Essentials Work.
- From the navigation bar, select Dashboards > Reports to see the list of reports.
- In the App column, reports listed as DA-ITSI-CP-windows-dashboards are part of the Content Pack for Windows Dashboards and Reports.
Available reports
The following table lists the reports that are present in the Content Pack for Windows Dashboards and Reports:
Report name | Description |
---|---|
Application crash count in the last 7 days | Shows the application crash count in the last 7 days |
Application crash count in the last 24 hours | Shows the application crash count in the last 24 hours |
Application crash count in the last 30 days | Shows the application crash count in the last 30 days |
Average CPU utilization per process, host in the last 24 hours | Shows the average CPU utilization per process and host in the last 24 hours |
Average Memory utilization per process, host in the last 24 hours | Shows the average memory utilization per process and host in the last 24 hours |
Count of total installs per Application each day for the last 7 days | Shows the count of installations per application each day for the last 7 days |
Count of total installs per user each day for the last 7 days | Shows the count of installations per user each day for the last 7 days |
Count of total installs per user for the last 7 days | Shows the count of installations per user for the last 7 days |
Event categories and counts by host for the last 30 days | Shows the event categories and counts by host in the last 30 days |
Event severity counts by host for the last 7 days | Shows the event severity counts by host in the last 7 days |
Event severity counts by host for the last 24 hours | Shows the event severity counts by host in the last 24 hours |
Event severity counts by host for the last 30 days | Shows the event severity counts by host in the last 30 days |
Generic event counts | Shows the count of generic events based on EventCode |
List of Applications, Time of install, User and Host for the last 7 days | Shows the list of applications, time of install, user, and host for the last 7 days |
List of Failed KB installs in the last 7 days | Shows the list of KB installs that failed in the last 7 days |
List of KB successful and failed KB installation for the last 30 days | Shows the list of successful and failed KB installs in the last 30 days |
List of Successful installations (non-KB) for the last 7 days | Shows the list of successful installations (non-KB) in the last 7 days |
List of failed service starts for the last 30 days | Shows the list of failed service starts in the last 30 days |
List of shutdowns for last 30 days | Shows the list of hosts that were shut down in the last 30 days |
List of unexpected service terminations for the last 30 days | Shows the list of unexpected service terminations by host in the last 30 days |
Number of hosts with Average CPU utilization > 80% in the last 24 hours | Shows the number of hosts whose average CPU utilization is greater than 80% in the last 24 hours |
Performance counter categories and counts by host for the last 7 days | Shows the performance counter categories and counts by host in the last 7 days |
ActiveDirectory: Create Computer Lookup | Creates the ActiveDirectory_ComputerInfoLookup, which contains details of the computers in Active Directory |
ActiveDirectory: Create GPO Lookup | Creates the ActiveDirectory_GPOInfoLookup, which contains details of the GPOs (Group Policy objects) in Active Directory |
ActiveDirectory: Create Group Lookup | Creates the ActiveDirectory_GroupInfoLookup, which contains details of the groups in Active Directory |
ActiveDirectory: Create User Lookup | Creates the ActiveDirectory_UserInfoLookup, which contains details of the users in Active Directory |
DNS: Failing Domains | Shows the list of domains that returned an error response |
DNS: Top Failing Domains | Shows the top domains that returned an error response |
DNS: Top Hosts sending failing queries | Shows the top hosts sending failed queries |
DNS: Top Non-Authoritative Responses | Shows the top non-authoritative domain responses |
DNS: Top Querying Hosts | Shows the top querying hosts |
DNS: Top Recursive Failure Domains | Shows the top recursive failure domains |
DNS: Top Requested Queries | Shows the top requested query domains |
System_App Installs - By Host - Timechart - 7days | Shows the list of apps installed by host in the last 7 days |
WinApp_Lookup_Build_Event - CreateNew - Detail | Creates the windows_event_details lookup which contains the Source name and Task category |
WinApp_Lookup_Build_Event - CreateNew - Server | Creates the windows_event_system lookup which contains the host details |
WinApp_Lookup_Build_Hostmon - CreateNew - Server | Creates the windows_hostmon_system lookup which contains the host details |
WinApp_Lookup_Build_Hostmon_FS - CreateNew - Detail | Creates the windows_hostmon_fs_details lookup which contains File System details |
WinApp_Lookup_Build_Hostmon_Machine - CreateNew - Detail | Creates the windows_hostmon_machine_details lookup which contains Domain details |
WinApp_Lookup_Build_Hostmon_Process - CreateNew - Detail | Creates the windows_hostmon_process_details lookup which contains process details |
WinApp_Lookup_Build_Hostmon_Services - CreateNew - Detail | Creates the windows_hostmon_services_details lookup which contains different service details |
WinApp_Lookup_Build_Netmon - CreateNew - Detail | Creates the windows_netmon_details lookup which contains host details with its local and remote port |
WinApp_Lookup_Build_Netmon - CreateNew - Server | Creates the windows_netmon_system lookup which contains the count of events for each host |
WinApp_Lookup_Build_Perfmon - CreateNew - Detail | Creates the windows_perfmon_details lookup which contains the details related to instance |
WinApp_Lookup_Build_Perfmon - CreateNew - Serve | Creates the windows_perfmon_system lookup which contains the details of events for each host in the last 1 hour |
WinApp_Lookup_Build_Printmon - CreateNew | Creates the windows_printmon lookup which contains the details of operations performed by user |
WinApp_Lookup_Event - Event Details | Shows the details of each event |
WinApp_Lookup_Event - EventCode | Shows the list of EventCodes |
WinApp_Lookup_Event - EventCode Description | Shows the list of EventCodes with description |
WinApp_Lookup_Event - Host | Shows the list of Hosts |
WinApp_Lookup_Event - LogName | Shows the list of Logname |
WinApp_Lookup_Event - TaskCategory | Shows the list of Task Category |
WinApp_Lookup_Perfmon - Collections, Object, and counters | Shows the list of Objects containing collections |
WinApp_Lookup_Perfmon - Combined | Shows the list of each object containing collections and instance |
WinApp_Lookup_Perfmon - Host | Shows the list of Host in perfmon |
WinApp_Lookup_Perfmon - Object | Shows the list of objects |
WinApp_Lookup_Perfmon - counters and instances | Shows the list of counters and instances in perfmon |
WinMgmt_Security_Logon_Success Overall by Host | Shows the list of hosts with successful logons in the last 7 days |
WinMgmt_Security_Logon_Success Overtime | Shows the list of successful logon transactions in the last 7 days |
WinMgmt_Security_Logon_Unsuccessful | Shows the list of unsuccessful logon transactions in the last 7 days |
WinMgmt_System_Reboot Overtime | Shows the list of transactions with host and username in the last 7 days |
build_winfra_lookup | Shows the list of necessary lookups that are used in populating the Content Pack for Windows Dashboards and Reports |
Active Directory reports
The Active Directory module of the Content Pack for Windows Dashboards and Reports contains several reports that let you view common security issues within Active Directory.
There are six groups of reports:
- DNS reports
- User reports
- Computer reports
- Security Group reports
- Group Policy Object reports
- Organizational Unit reports
DNS reports
DNS reports are generated on your DNS operations and by running real-time searches against the collected DNS data.
In order to view these statistics, your DNS servers must have debug logging enabled. If this feature is not turned on, then these reports will be blank.
The following reports are available:
Report | Description |
---|---|
DNS Failing Domains | A list of the queries made by DNS servers that return failing responses (such as SERVFAIL, NXDOMAIN, etc.). This panel lets you sort by query, query type, response, count, and percentage of queries. |
DNS Top Failing Domains | A list of the top queries made by clients for domains that return failures. You can sort by query, query type, count, and percentage of queries. |
DNS Top Hosts sending failing queries | A list of the hosts that send the most failing DNS queries. You can sort by source IP address, count, and percentage of queries. |
DNS Top Non-authoritative responses | A list of the queries that DNS servers returned non-authoritative responses for. You can sort by query, query type, count, and percentage of queries. |
DNS Top Querying Host | A list of the hosts who made the highest number of DNS queries. You can sort by source IP address, count, and percentage of queries. |
DNS Top Recursive Failure Domains | A list of domains whose DNS servers failed to perform recursion - the ability to query DNS information on remote names handled by other DNS servers - correctly. You can sort by query, query type, count, and percentage of queries. |
DNS Top Requested Queries | A list of the top requested DNS queries. You can sort by query, query type, count, and percentage of queries. |
User reports
User reports are generated based on the users from your Active Directory servers.
The following reports are available:
Report name | Description |
---|---|
All | A list of all users in the selected domain. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by official (SAM) account name, LDAP Common Name, user principal name, and User Account Control (UAC) attribute settings. |
New | A list of newly created users in the selected domain. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by user creation time, user added, and the user who performed the addition. You can also limit the list of accounts by selecting a time range with the time range picker at the top of the page. |
Deleted | A list of deleted accounts in the selected domain. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by user deletion time, user deleted, and the user who performed the deletion. You can also limit the list of accounts by selecting a time range with the time range picker at the top of the page. |
Active | A list of users who are active in the selected domain, meaning they have recently logged on. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by username, full name, user principal name, and last logon time. You can also limit the list of accounts by selecting a time range with the time range picker at the top of the page. |
Inactive | A list of users who have not recently logged onto the selected domain. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by official account name, LDAP Common Name, user principal name, and UAC attribute settings. You can also limit the list of accounts by selecting a time range with the time range picker at the top of the page. |
Disabled | A list of users whose ability to access the selected domain has been disabled. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by official account name, LDAP Common Name, user principal name, and UAC attribute settings. |
Non-expiring | A list of accounts that do not expire. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by official account name, LDAP Common Name, user principal name, and UAC attribute settings. |
Password Not Required | A list of accounts where a password is not required. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by official account name, LDAP Common Name, user principal name, and UAC attribute settings. |
No Password Expiry | A list of accounts where the password does not expire. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by official account name, LDAP Common Name, user principal name, and UAC attribute settings. You can also limit the list of accounts by selecting a time range with the time range picker at the top of the page. |
Smartcard Not Required | A list of accounts where a smartcard is not required to authenticate. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by official account name, LDAP Common Name, user principal name, and UAC attribute settings. |
Smartcard Required | A list of accounts where a smartcard is required to authenticate. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by official account name, LDAP Common Name, user principal name, and UAC attribute settings. |
Password Too Old | A list of accounts where the password is too old. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by official account name, LDAP Common Name, user principal name, and UAC attribute settings. |
No Manager | A list of accounts that do not have a delegate assigned to them. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by official account name, LDAP Common Name, user principal name, and UAC attribute settings. |
Sensitive accounts | A list of accounts whose security contexts have not been delegated to a service even though the service account has been set as trusted for Kerberos delegation. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by official account name, LDAP Common Name, user principal name, and UAC attribute settings. |
Computer reports
Computer reports are generated based on computer accounts from your Active Directory servers.
The following reports are available:
Report name | Description |
---|---|
All | A list of all computers in the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by LDAP Common Name, DNS host name, User Account Control attributes, installed operating system, and any OS service packs that have been installed. |
Domain controllers only | A list of all domain controllers in the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by LDAP Common Name, DNS host name, User Account Control attributes, installed operating system, and any OS service packs that have been installed. |
New | A list of computers that have recently been added to the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by computers that were added, installed operating system, OS service pack, and the user who performed the addition. |
Deleted | A list of computers that have recently been removed from the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by computers that were deleted, installed operating system, OS service pack, and the user who performed the deletion. You can also limit the list of computers by selecting a time range with the time range picker at the top of the page. |
Active | A list of computers that have recently logged on to the selected domain in Active Directory. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by computer name, DNS host name, installed operating system, OS service pack, and last logon time. You can also limit the list of computers by selecting a time range with the time range picker at the top of the page. |
Inactive | A list of computers that have not logged on to Active Directory recently. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by computer name, DNS host name, installed operating system, OS service pack, and last logon time. You can also limit the list of computers by selecting a time range with the time range picker at the top of the page. |
Unused | A list of computers that have never logged on to Active Directory. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by LDAP Common Name and DNS hostname. |
Disabled | A list of computers whose ability to log into Active Directory has been disabled. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by computer name, DNS host name, installed operating system, and OS service pack. You can also limit the list of computers by selecting a time range with the time range picker at the top of the page. |
Trusted | A list of computers that either manage or are managed by a domain trust relationship. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by LDAP Common Name, DNS host name, UAC attributes, installed operating system, and OS service pack. |
No Manager | A list of computers that do not have a delegate assigned to them. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by LDAP Common Name, DNS host name, UAC attributes, installed operating system, and OS service pack. |
Security Group reports
Security Group reports are generated based on group accounts from your AD servers.
The following reports are available:
Report name | Description |
---|---|
All | A list of all security groups in the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by LDAP Common Name, group type, LDAP member Distinguished Name, and member type. |
New | A list of recently-created groups in the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by creation time, group name, group class, group type, and the user who performed the addition. You can also limit the list of groups by selecting a time range with the time range picker at the top of the page. |
Deleted | A list of recently-removed groups in the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by creation time, group name, group class, group type, and the user who performed the addition. You can also limit the list of groups by selecting a time range with the time range picker at the top of the page. |
Changed type | A list of the changes that have been made to security groups in the selected domain, over the selected time period. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by the time that the group change occurred, the change action, the group name, the user who performed the change, the old group class or type, and the new group class or type. You can also limit the list of groups by selecting a time range with the time range picker at the top of the page. |
Empty | A list of groups in the selected domain that do not have any users in them. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by group name or type. |
Large | A list of groups in the selected domain that have a member count that is greater than a specified amount. You can use the Domain drop-down list to choose between domains known to the app. You can enter a positive number that represents the size of the group's membership into the Minimum Size text field. The page then shows only groups whose membership equals or is greater than the number entered. You can then sort that list by group name, group type, the number of members, the LDAP Member Distinguished Name, and the member type. |
Nested | A list of groups in the selected domain that have been nested into other groups. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by LDAP Distinguished Name, LDAP Common Name, group type, and member type. |
No Manager | A list of groups in the selected domain that do not have a delegate assigned to them. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by group name, group type, LDAP Member Distinguished Name, and member type. |
Group Policy Object reports
Group Policy Object reports are generated based on group policy objects from your AD servers.
The following reports are available:
Report name | Description |
---|---|
All | A list of all group policy objects in the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by group policy ID, group policy name, group policy object version number, and the list of containers that the object has been linked to. |
New | A list of recently-created group policy objects in the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by add time, LDAP Common Name, group policy object display name, group policy object version number, and the list of containers that the object has been linked to. You can also limit the list of objects by selecting a time range with the time range picker at the top of the page. |
Deleted | A list of recently-removed group policy objects in the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by delete time and LDAP Common Name. You can also limit the list of objects by selecting a time range with the time range picker at the top of the page. |
Disabled | A list of group policy objects that have been disabled. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by group policy object ID, group policy object name, group policy object version number, group policy object status, change time, and the list of containers that the object has been linked to. |
Organizational Unit reports
Organizational Unit reports are generated based on group policy objects from your AD servers.
The following reports are available:
Report name | Description |
---|---|
All | A list of all organizational units in the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by name, description, and the list of linked group policy objects. |
New | A list of recently-created OUs in the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by the time the OU was added, the OU name, description, and the list of linked group policy objects. You can also limit the list of objects by selecting a time range with the time range picker at the top of the page. |
Deleted | A list of recently-deleted OUs in the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by delete time, OU name, and description. You can also limit the list of objects by selecting a time range with the time range picker at the top of the page. |
No Manager | A list of OUs in the selected domain that do not have a delegate assigned to them. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by OU name, description, and the list of linked group policy objects. You can also limit the list of objects by selecting a time range with the time range picker at the top of the page. |
GPO Linked | A list of OUs with a direct GPO link. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by OU name, description, and the list of linked group policy objects. |
This documentation applies to the following versions of Content Pack for Windows Dashboards and Reports: 1.0.0, 1.0.1