Content Pack for Windows Dashboards and Reports

This documentation does not apply to the most recent version of Content Pack for Windows Dashboards and Reports. For documentation on the most recent version, go to the latest release.

Dashboard reference for the Content Pack for Windows Dashboards and Reports

The Content Pack for Windows Dashboards and Reports offers a variety of dashboards to give you insight into your Windows environment.

Access the dashboards

Perform the following steps to access the content pack dashboards:

  1. Log into Splunk Web.
  2. Select App > IT Service Intelligence (ITSI) or IT Essentials Work.
  3. From the navigation bar, select Dashboards > Dashboards.
  4. In the App column, dashboards listed as DA-ITSI-CP-windows-dashboards are part of the Content Pack for Windows Dashboards and Reports.

Dashboards by category

The following table groups the available dashboards into categories. Click a category name for additional details on the dashboards within the category:

| Category | Dashboards in category |
|---|---|
| Windows Help | Windows Overview - Windows; Event Monitoring - Windows; Performance Monitoring - Windows |
| Windows Help: Applications and Updates | Application Crashes - Windows; Application Installs - Windows; Windows Update - Windows |
| Windows Help: Host Monitoring | Hosts Overview - Windows; Host Inventory - Windows; Host Monitoring Operations - Windows; Disk Information - Windows; Host Monitoring Processes - Windows; Host Monitoring Services - Windows |
| Windows Help: Network Monitoring | Network Activity - Windows; Top Network Hosts and Processes - Windows |
| Windows Help: Print Monitoring | Printers Overview - Windows; Top Printers and Users - Windows; Print Job Viewer - Windows |
| Active Directory Help | Active Directory Overview - Windows |
| Active Directory Help: Domains | Domain Health Issues - Windows; Domain Subnet Affinity Problems - Windows; Domain Replication Issues - Windows; Directory Performance - Windows |
| Active Directory Help: Domain Controllers | Domain Status - Windows; Site Status - Windows; DC Status - Windows |
| Active Directory Help: DNS | DNS Status - Windows; DNS Server Status - Windows; DNS Zone Information - Windows; DNS Performance - Windows |
| Active Directory Help: Users | User Overview - Windows; User Audit - Windows; Administrator Audit - Windows; User Record Changes - Windows; Failed Logons - Windows; Anomalous Logons - Windows |
| Active Directory Help: Computers | Computer Audit - Windows; Computer Changes - Windows |
| Active Directory Help: Groups | Group Audit - Windows; Group Changes - Windows |
| Active Directory Help: Group Policy | Group Policy Audit - Windows; Group Policy Changes - Windows |
| Active Directory Help: Organisational Units | Organisational Unit Audit - Windows |

Windows Help dashboards

The following dashboards are included in the Windows Help category.

Windows Overview dashboard

The Windows Overview dashboard includes the following three panels:

  • Windows events
  • Windows performance counters
  • All indexed data

The following table describes the content of the dashboard panels:

| Panel | Description |
|---|---|
| Windows events | Provides information on the number of hosts from which event log data is being collected, the number of event logs, and the number of event IDs. |
| Windows performance counters | Provides information on the number of hosts from which performance data is being collected, the number of objects, and the total number of counters. |
| All indexed data | Provides a chronologically sorted list of the sources, source types, and hosts that the Content Pack for Windows Dashboards and Reports has collected data on. |

How to use this dashboard
You can perform the following tasks on the Windows Overview dashboard:

  • Control how much data this panel displays by clicking the time picker and choosing one of the available range presets or selecting a custom time range.
  • Click on the Windows events and Windows performance counters links to navigate to a Search page that lists all of the events found for that particular counter.

Event Monitoring - Windows dashboard

The Event Monitoring - Windows dashboard includes dashboard panels for several Windows Event Log statistics. The panels display trend lines that can help you isolate areas of peak activity. You can mouse over the trend lines to see individual values and click the trend lines to open a Search window that shows events collected in the time frame where you clicked.

The Event Monitoring - Windows dashboard requires that one or more Windows event log inputs be enabled.

The dashboard includes the following dashboard panels:

  • Event source names
  • Task categories
  • Hosts
  • Event IDs
  • The number of events by host over time
  • The number of events by event code over time
  • The number of events by log name over time
  • The number of events by event type over time

How to use this dashboard
You can perform the following tasks on the Event Monitoring dashboard:

  • Filter event log data
  • Use the wildcard capability on the Host drop-down field

The following sections provide additional details.

Filter event log data
At the top of the Event Monitoring page, there is a row of drop-down boxes that lets you filter the indexed data using the following parameter options:

  • Host
  • Event Log Name
  • Source Name
  • Task Category
  • Event Code
  • Type

The parameters filter the data based on what you pick in each drop-down. For example, if you select a host in the Host drop-down, the other drop-downs update to show only data collected for that host.

Each drop-down box is also a text field. Click your mouse on any drop-down box on the page to enter text into that box. The Content Pack for Windows Dashboards and Reports immediately filters the collected data to show only entries that match what you type into any of the boxes.

The Additional Search Criteria box allows you to search for a specific word or phrase across all of your indexed event log data.

Use the wildcard capability on the Host drop-down field

In the Host drop-down control box you can type in text, including wildcards, and the Content Pack for Windows Dashboards and Reports filters the data to include only those events generated by hosts whose names match the text that you enter.

For example, if all domain controllers in the environment have host names which contain "DC", or all IIS servers' host names contain the string "IIS", you can type in "DC" in any Host control to display data collected from all domain controllers, or "IIS" to display information from all computers in your environment that run Internet Information Server.

Performance Monitoring - Windows dashboard

The Performance Monitoring - Windows dashboard contains dashboard panels for CPU, Memory, Physical Disk, Logical Disk, Network Interface, and System metrics.

Prerequisites
The dashboard panels require the following inputs to display data:

| Dashboard panel | Required input to display data |
|---|---|
| CPU Metrics | Processor performance monitoring input |
| Memory Metrics | Memory performance monitoring input |
| Physical Disk Metrics | Physical Disk performance monitoring input |
| Logical Disk Metrics | Logical Disk performance monitoring input |
| Network Metrics | Network Interface performance monitoring input |
| System Metrics | System performance monitoring input |

How to use this dashboard
You can customize the data that appears in the panels by selecting different counters and instances. You can also drill into specifics on memory, CPU, disk and network traffic by host, process, and user.

The dashboard also provides a list of useful reports at the bottom of the page. These reports can be used as a guide to customizing new reports.

Filter performance metrics

Each of the drop-downs in the dashboards on the Performance Monitoring page is also a text box. You can click on any drop-down box on the page to enter text. The Content Pack for Windows Dashboards and Reports immediately filters the collected performance metrics to show only entries that match the text you enter.

Windows Help: Applications and Updates dashboards

The following dashboards are included in the Windows Help: Applications and Updates category.

Application Crashes - Windows dashboard

This dashboard displays the status of application crashes on all of the machines in your environment. The dashboard panels display the following information:

  • Which applications are crashing
  • Which hosts these crashes occur on
  • The number of crashes over time, by host
  • The number of crashes over time, by application
  • The details of each crash, by host
  • A list of useful searches to customize the page

Prerequisites
This dashboard requires you to enable one or more Windows event log inputs to function. At a minimum, enable the Application Event Log.

Application Installs - Windows dashboard

This dashboard displays the status of application installs on all of the machines in your environment. The dashboard panels display the following information:

  • The total number of installs, by host
  • The total number of installs, by application
  • The number of installs over time, by application
  • The details of an installation, by host
  • A list of useful searches to customize the page

Prerequisites
This dashboard requires one or more Windows event log inputs to function. At a minimum, enable the Application Event Log.

Windows Update - Windows dashboard

This dashboard displays the status of Windows updates on all of the machines in your environment. The dashboard panels display the following information:

  • The number of failed Windows updates, by host
  • The number of failed Windows updates, by Knowledge Base (KB) number
  • The number of failed Windows updates over time, by host
  • The number of failed Windows updates over time, by KB number
  • The number of successful Windows updates, by host
  • The number of successful Windows updates, by Knowledge Base (KB) number
  • The number of successful Windows updates over time, by host
  • The number of successful Windows updates over time, by KB number
  • A list of useful searches to customize the page

Prerequisites
This dashboard requires that the windowsupdate.log file monitoring input be enabled.

Windows Help: Host Monitoring dashboards

The following dashboards are included in the Windows Help: Host Monitoring category.

Hosts Overview - Windows dashboard

This dashboard displays data that the Content Pack for Windows Dashboards and Reports has collected about the hosts in your Windows environment.

How to use this page
The top of the page has controls that let you filter the host list based on host name, OS version, domain name, and architecture. By default, the page shows all hosts that the app has data for.

Filter hosts by host name

Perform the following steps to filter the host list based on host:

  1. Click the Host field.
  2. Choose a host from the pop-up list that appears. The Content Pack for Windows Dashboards and Reports updates the list to show only the host(s) you select. You can select as many hosts as you want to filter the list.
  3. (Optional) Remove hosts by clicking the x next to the host name.

Filter hosts by text string

To filter the host list based on a text string, enter that string in the Host search field and press Enter. The Content Pack for Windows Dashboards and Reports updates the list to show only those hosts that match the text string exactly. To specify a range of hosts, use the wildcard (*) symbol.

Filter hosts by OS version

To filter hosts by operating system (OS) version, click the OS version list box and select a version of Windows. The Content Pack for Windows Dashboards and Reports updates the list to include only the hosts that run the version of Windows that you chose.

Filter hosts by domain

To filter hosts by domain, click the Domain list box and select a domain. The Content Pack for Windows Dashboards and Reports updates the list to include only the hosts that reside in the domain that you chose.

Filter hosts by architecture

To filter hosts by architecture, click the Architecture list box and select an architecture. The Content Pack for Windows Dashboards and Reports updates the list to include only the hosts that have the architecture that you chose.

Host Inventory - Windows dashboard

The Host Inventory dashboard can be accessed from the Component Health page. The Host Inventory dashboard lists detailed information about a host, including the following information:

  • The host name
  • The domain that the host resides in
  • Host hardware information
  • The version of Windows (including platform architecture) that the host runs
  • The service pack version and last installed update
  • A sparkline that shows recent processor usage
  • The amount of installed memory and a sparkline that shows recent changes in free memory
  • The amount of total and available free space
  • A sparkline that shows recent disk read I/O
  • A sparkline that shows recent disk write I/O
  • A list of key Windows Event Log events that have occurred recently

How to use this dashboard
You can perform the following tasks on the Host Inventory - Windows dashboard:

  • See host inventory on a specific host by selecting the host in the Host Name list.
  • Change the time range of data that the host inventory shows by using the time picker next to the Host Name field.

Sparklines
Drill into more specific information from the provided sparklines:

  • To see individual values that comprise each sparkline, mouse over the sparkline.
  • To see a detailed version of the data in the sparkline, click it. The Content Pack for Windows Dashboards and Reports loads the Performance Monitoring page for the counter you clicked.

Key Events
Any key events that the host has logged show up in the left pane. To see more information about an event, click it. The details of the event show up in the right pane.

Host Monitoring Operations - Windows dashboard

This dashboard provides operations information about a specific host, and displays pie charts for the following information:

  • The peak CPU utilization above 50% over the last 24 hours.
  • The peak memory utilization above 50% over the last 24 hours.
  • The free disk space distribution.

How to use this dashboard
You can filter this dashboard to show a single host by selecting it from the Host drop-down list in the upper right side of the dashboard.

If you click on any of the pie chart slices, the Content Pack for Windows Dashboards and Reports loads the Host Monitoring Overview page, which is filtered to the selected host.

Host Monitoring Disk Information - Windows dashboard

This dashboard displays information on disk subsystems for each host. The dashboard has a single panel, which lists hostname, drive name, drive type, total disk space, free disk space, and percentage of free space.

How to use this dashboard
You can filter the host list by selecting entries from the Host, File System, Type, Free Space %, or Total Space (GB) drop-down lists.

Host Monitoring Processes - Windows dashboard

This dashboard displays information on processes that run on each host. The dashboard has a single panel, which lists hostname, process name, start time, and any command-line arguments that might have been passed to the process.

How to use this dashboard
You can filter the host list by selecting entries from the Host or Name drop-down lists. Name refers to the name of the process or processes you want to filter by.

Host Monitoring Services - Windows dashboard

This dashboard displays information on the services that run on each host. The dashboard has a single panel, which lists hostname, service name, start mode, and current service state.

How to use this dashboard
You can filter the host list by selecting entries from the Host, StartMode, or State drop-down lists. You can also enter text into the Name text box and select it. In this case, Name refers to the name of the service or services you want to filter by. You can use the Time Range filter to limit the data.

Windows Help: Network Monitoring dashboards

The following dashboards are included in the Windows Help: Network Monitoring category.

Network Activity - Windows dashboard

This dashboard shows you information about the network activity that has been collected from your Windows hosts.

How to use this dashboard
Choose a list box to filter network activity based on that filter. You can either select an entry from the list box or select the search field and type in an entry. When you type in a string, the page only matches entries for events that have been collected previously.

You can choose or enter data from one of the following filters:

| Filter name | Description |
|---|---|
| Local Host | Where the network transaction originated. |
| Direction | Whether the transaction was inbound or outbound from the local host. |
| Protocol | The protocol of the network activity (TCP or UDP). |
| Packet Type | The type of packet that was used in the transaction, either "connect", "accept", or "transport". |
| Remote Host | Where the network transaction was destined. |
| Remote Port | The remote port that the network transaction used. |
| Local Port | The local port that the network transaction used. |
| Process Name | The program that initiated the network transaction. |
| User Name | The user that initiated the network transaction. |

The Network Information pane shows all network transactions that apply to the filters you set. You can use the time picker in the upper right to limit the range of data that the panel shows.

Top Network Hosts and Processes - Windows dashboard

This dashboard shows you information about the top users of network resources on a host.

This dashboard offers the following four panels:

| Panel | Description |
|---|---|
| Top Hostnames - Inbound connections | Shows the top hosts that have inbound connections to the host you choose in the list box on the right. |
| Top Hostnames - Outbound connections | Shows the top hosts that the host you choose in the list box has outbound connections to. |
| Top processes - Inbound connections | Shows the processes on the host you choose in the list box that accept the most network traffic. |
| Top processes - Outbound connections | Shows the processes on the host you choose that generate the most network traffic. |

How to use this dashboard
You can perform the following tasks on the Top Network Hosts and Processes dashboard:

  • Choose a host from the Local Host list box on the top right to show the top network hosts and processes for that host.
  • Choose the time picker to change the time range that this page should use to display top hosts and processes.

Windows Help: Print Monitoring dashboards

The following dashboards are included in the Windows Help: Print Monitoring category.

Printers Overview - Windows dashboard

This dashboard displays the active printers in your organization.

The dashboard lists the following printer information:

| Panel | Description |
|---|---|
| Host | The host that defined the printer. |
| Printer | The name of the printer. |
| Status | The current status of the printer. |
| Operation | Whether or not a baseline was written for the printer status. |
| Driver | The driver that the printer uses to print. |
| Print processor | The print processor for the printer. |
| Priority | The print priority of the printer. |
| Port | The port that the printer uses to send data to the print device. |

How to use this dashboard
Choose a list box to filter the number of printers the page shows. You can either select an entry from the list box or select the search field and type in an entry. When you type in a string, the page only matches entries for events that have been collected previously.

You can choose or enter data from one of the following filters:

  • Host: Shows only printers that have been defined on the selected host.
  • Printers: Shows only printers whose name matches the text you entered or name you selected.
  • Operation: Whether or not a baseline was written for the printer status.

You can sort the printer list by clicking on a column header. Clicking the header multiple times toggles an ascending or descending sort.

Top Printers and Users - Windows dashboard

This dashboard shows the top printer users on your network.

The dashboard has the following two panels:

  • Top Printers and Users
  • Top 10 users printing

Both panels are bar charts.

How to use this dashboard
Use the time picker on the upper right of the page to change the time range of data that the panels show. Mouse over the charts to get the values for the number of printers and print jobs.

Print Job Viewer - Windows dashboard

This dashboard lets you view print jobs that have occurred over the time period that you select.

The dashboard has one panel called Print Monitoring Job Browser. This panel lists print jobs that have occurred based on the filter controls you use at the top of the page.

How to use this dashboard
Choose a list box to filter print job activity. You can either select an entry from the list box or select the search field and type in an entry. When you type in a string, the page only matches entries for events that have been collected previously.

You can choose or enter data from one of the following filters:

  • Host: The host that the printer resides on.
  • Printer: The printer that printed the job.
  • Document: A text field that lets you enter a partial or full string that represents the name of the job that was printed. To see all documents whose name matches a particular string, use an asterisk at the end of the string.
  • User: The user that initiated the print job.

Use the time picker on the upper right of the page to change the time range of data that the panels show.

Active Directory Help dashboards

The following dashboards are included in the Active Directory Help category.

Active Directory Overview - Windows dashboard

The Topology Report page displays a view of all of the Active Directory forests, domains, and domain controllers known to the Content Pack for Windows Dashboards and Reports at the present time.

To return to this dashboard, select Active Directory > Active Directory Overview.

To filter the dashboard results, choose the forests, sites, domains, and domain controllers using the selection panel close to the top of the page.

Based on the options selected, the page displays additional information on the domain controllers in the selected forest and domain, including the following statistics:

  • The host name of the domain controller (DC)
  • The Active Directory (AD) site that the DC belongs to.
  • The operating system and version of Windows the server runs.
  • The AD Flexible Single Master Operation (FSMO) role(s) the server holds.
  • Information on the Directory Service Agent (DSA) options available for the DC.
  • Information on the status of the AD services that the machine runs.
  • Information on whether or not the server has registered itself in DNS.
  • Information on whether or not the machine's SYSVOL share is available on the network.

In this dashboard, icons in the "Masters Roles" column indicate the operations master roles for each server.

| Role | Details |
|---|---|
| Schema Master | The Schema Master controls all updates to the Active Directory's schema, then replicates it to all other domain controllers in the forest. There can be only one Schema Master in an entire forest. |
| Domain Naming Master | The Domain Naming Master controls the naming of all domains within the forest. It is the only domain controller that can add or remove domains from Active Directory. As such, only one Domain Naming Master can be present in a forest. |
| Relative ID Master | The Relative ID Master domain controller maintains the relative ID (RID) resource pool and is responsible for allocating RIDs to other domain controllers within a domain when they are requested during the creation of security principal objects like users and groups. There can only be one RID Master in a domain. |
| PDC Emulator Master | This domain controller emulates the Primary Domain Controller (PDC) role for a domain and handles time synchronization across the domain. It also handles various PDC duties (such as password changes, account lockouts and GPO manipulation) for domains which have both Windows Server 2000 and Server 2003 domain controllers present. Only one PDC emulator can be present in a domain. |
| Infrastructure Master | The Infrastructure Master handles updates to the security identifier (SID) and distinguished name (DN) of an object that is cross-referenced by another object in another domain. There can only be one Infrastructure Master in a domain. |

The DSA options are listed as icons under the DSA Options column:

  • A globe icon indicates that the server is a Global Catalog (GC).
  • A padlock icon indicates that the server is a Read-only Domain Controller (RODC).

How to use this dashboard
You can click on any domain controller in the list to get additional information about that domain controller. See the Domain Status - Windows dashboard for more details.

You can limit the number of domain controller objects displayed by selecting the Show n entries list box on the left. You can also search for a specific string (such as the name of a domain controller) by typing in the string in the Search field.

Active Directory Help: Domains dashboards

The following dashboards are included in the Active Directory Help: Domains category.

Domain Health Issues - Windows dashboard

The Domain Health Issues dashboard displays active problems occurring with the domain controllers within your AD. The dashboard also displays anomalous events such as reboots, problems with Knowledge Consistency Checkers (KCCs) on domain controllers, and other unexpected circumstances.

How to use this dashboard
Use the selection panel to filter results based on Forest, Site, Domain, and Server.

You can also control how much information the dashboard displays by selecting a time range in the time range picker on the upper right side of the dashboard.

Domain Subnet Affinity Problems - Windows dashboard

The Domain Subnet Affinity Issues dashboard provides a concise report for handling cases where a server appears from an IP address not associated with a site. When you see an IP address on this dashboard, use the Active Directory Sites and Services tool to add the subnet and associate it with a Site. IP addresses that report more frequently are closer to the top of the list.

How to use this dashboard
You can control how much information the dashboard displays by selecting a time range in the time range picker on the upper right side of the dashboard.

Domain Replication Issues - Windows dashboard

This dashboard lets you review current Active Directory (AD) replication agreements, and the status of those agreements.

How to use this dashboard
Use the selection panel to filter results based on Forest, Site, Domain, and Server.

You can change the context in which you view the replication agreements by selecting the Naming Context drop-down in the selection panel.

You can also control how much information the dashboard displays by selecting a time range in the time range picker on the upper right side of the dashboard.

Directory Performance - Windows dashboard

This dashboard lets you view all Active Directory (AD) related performance metrics across all domain controllers in your AD forest in a chart.

How to use this dashboard
To view a metric, select the desired domain controller from the Server drop-down list on the top of the dashboard. Then, select the performance object and the counter.

The Content Pack for Windows Dashboards and Reports displays the chart on the lower portion of the dashboard.

You can also adjust how much data is displayed by selecting a time range in the time range picker on the upper right side of the dashboard.

Active Directory Help: Domain Controllers dashboards

The following dashboards are included in the Active Directory Help: Domain Controllers category.

Domain Status - Windows dashboard

The Domain Status dashboard gives you information on the selected domain, including the following:

  • Which domain controllers in the domain hold AD operations masters roles
  • Which site(s) the domain is a part of
  • Which domain controllers control the domain

You can choose which domain you want to view by choosing it in the Domain drop-down list in the upper right side of the dashboard.

You can click on one of the listed sites to get additional information about the site. See the Site Status dashboard for more information.

You can click on one of the listed domain controllers to get additional information about that controller. See the DC Status dashboard for more information.

You can also adjust how much data you see by selecting a time range in the time range picker on the upper right side of the dashboard.

Site Status - Windows dashboard

The Site Status dashboard gives you information about the sites in your Active Directory forest, including the following:

  • A list of the domains included in the site.
  • A list of the domain controllers included in the site.
  • A list of the IP network subnets configured for the site.
  • The number and replication status of any site links between this and other AD sites.
  • The targeted and actual weighting of Active Directory-related activity across all of the domain controllers for a particular domain.

In the selection panel for this dashboard, you can select the site you want to view by choosing it in the Site Name drop-down list. This automatically updates the Domain drop down list next to it, which lets you select domains that are in the site you selected.

You can click on a domain in the Domains in Site list to get more information about that domain.

You can click on a domain controller in the Domain Controllers in Site list to get details about that domain controller.

You can also adjust how much data you see by selecting a time range in the time range picker on the upper right side of the dashboard.

DC Status - Windows dashboard

The Domain Controller (DC) Status dashboard gives you information on the domain controllers in your Active Directory environment, including the following:

  • Information on Directory Services performance, with average values over time for important DS related performance counters.
  • Information on replication performance.
  • Any anomalous events that you should be aware of.

In the selection panel for this dashboard, you can select the domain controller you want to view by choosing it in the Domain Controller drop-down list.

You can click on individual counters in both the Directory Services performance and Replication Performance sections of the dashboard to review specifics about the values returned by those objects.

You can also adjust how much data is displayed by selecting a time range in the time range picker on the upper right side of the dashboard.

Active Directory Help: DNS dashboards

The following dashboards are included in the Active Directory Help: DNS category.

DNS Status - Windows dashboard

The DNS Status dashboard displays an overview of current DNS operations and includes:

  • A selectable list of known DNS servers in your AD environment. This includes the server host name, the status of DNS on the server, the zones in which it participates, the OS version and service pack level, and a sparkline depicting the average number of DNS queries per second.
  • A selectable list of known DNS zones in the environment. This consists of the zone name, the servers that control the zone, the number of records in the zone and a breakdown of specific record types.
  • A list of anomalous DNS related events that have recently occurred.

You can select a server in the DNS Servers list to get more information about that server. See DNS Server status.

You can select a zone in the DNS Zones list to get additional details about that zone. See DNS Zone Information.

You can click on an anomalous event in the Anomalous events list to get specifics about that event.

You can also adjust how much data gets displayed by selecting the time range you desire in the time range picker at the upper right side of the dashboard.

DNS Server Status - Windows dashboard

The DNS Server Status dashboard is similar to the Domain Controller status dashboard described above. However, this dashboard contains information about DNS Query Performance and Recursion Performance instead of Active Directory Services and replication performance.

In the selection panel for this dashboard, you can select the DNS server that you want to view by choosing it in the DNS Server drop-down list.

You can click on a performance metric in either performance panel to get details about the selected metric. An Anomalous Events panel at the bottom of the dashboard lists events that warrant further investigation.

You can also adjust how much data is displayed by selecting the time range you desire in the time range picker at the upper right side of the dashboard.

DNS Zone Information - Windows dashboard

The DNS Zone Information dashboard contains details about a known Active Directory DNS zone, including:

  • Important DNS zone configuration settings.
  • A list of the DNS servers that control the zone.
  • The status of replication of DNS servers that control the zone, and whether or not those servers are out of sync.

Note: You cannot change DNS settings in this dashboard. To change DNS settings, you must use the Windows DNS configuration tool on the DNS server(s) that control the zone that you wish to change.

You can get additional information about the DNS servers that control the zone by selecting the desired server in the DNS Servers - Zone list. See DNS Server status for additional information.

You can choose which DNS Zone you want to display by selecting it in the DNS Zone: drop-down list at the top of the dashboard.

You can also adjust how much data is displayed by selecting the time range you desire in the time range picker.

DNS Performance - Windows dashboard

The DNS Performance dashboard lets you view specific DNS performance metrics in chart form, based on the server and performance metrics you choose in the drop-down lists in the dashboard selection panel.

In the selection panel for this dashboard, you can select the server whose performance metrics you want to view by choosing it in the Server drop-down list. This automatically updates the Counter drop-down list next to it, which lets you select performance metrics for the server you selected.

Each metric is overlaid with CPU performance information so that you can correlate anomalous readings with CPU usage in real time.

You can adjust how much data gets displayed by selecting the time range you desire in the time range picker on the upper right side of the dashboard.

Active Directory Help: Users dashboards

The following dashboards are included in the Active Directory Help: Users category. The Users series of dashboards give you visibility into the defense mechanisms of your Active Directory operations.

User Overview - Windows dashboard

The User Overview dashboard provides information on logon failures, attempts to circumvent user security settings, and user utilization. It also displays audits and reports on all AD objects in your environment.

How to use this page
Each of the User dashboards has two sections: upper and lower. The upper section of the dashboard is a selection panel that lets you filter the user list based on the forests, sites, domains, and domain controllers that you choose. You can filter with multiple objects at a time. The lower portion of the dashboard displays additional information based on what you select on the top half.

You can also control how much data gets displayed by selecting a time range in the time range picker on the upper right side of the dashboard.

User Audit - Windows dashboard

The User Audit dashboard displays information about Active Directory user objects, and includes specifics on the following:

  • Active Directory record
  • Group Membership
  • Accounts that were locked out after failing to log on properly
  • Failed logons by the selected user

In this dashboard's selection panel, you can choose the domain from which you want to display user audit data by selecting the Account Domain drop-down list. You must select a domain in order to get information on user account activity within the domain.

You can further narrow down your search by typing in the name of a valid user object in the User Account field. If you type in the wildcard symbol (*), the Content Pack for Windows Dashboards and Reports searches against all users.

You can also control how much data gets displayed by selecting a time range in the time range picker on the upper left side of the dashboard.

Administrator Audit - Windows dashboard

The Administrator Audit dashboard displays information about Active Directory user objects, and includes specifics on:

  • Active Directory record
  • Group Membership
  • Accounts that were locked out after failing to log on properly
  • Failed logons by the selected user

How to use this page

In this selection panel, you can choose the domain from which you want to display user audit data by selecting the Account Domain drop-down list. You must do so in order to get information on user account activity within the domain.

You can further narrow down your search by typing in the name of a valid user object in the User Account field. If you type in '*' (asterisk), the Content Pack for Windows Dashboards and Reports searches against all users.

You can also control how much data gets displayed by selecting the time range you desire in the time range picker on the upper left side of the dashboard.

User Record Changes - Windows dashboard

This dashboard shows information about changes to user objects in the Active Directory environment, from both a security and a directory services perspective.

How to use this page

This selection panel lets you filter results based on Forest, Site, Domain, and Server.

You can also control how much information the app displays by selecting the time range you desire in the time range picker on the upper right side of the dashboard.

You can narrow your search by typing in the name of a user in the Account User field in the upper portion of the dashboard.

Failed Logons - Windows dashboard

This dashboard provides insight into recent failed attempts by users to log into your domain. Specific statistics include:

  • Failed logons over time
  • Failed interactive logons by IP address
  • Failed logons by reason (for example, expired password, locked account, or disabled account)
  • Failed interactive logons by username
  • Failed logons by logon type
  • Users failing to log on from multiple IPs (for example, an active attempt to break into the network)

How to use this page

This selection panel lets you filter results based on Forest, Site, Domain, and Server.

You can also control how much information the app displays by selecting the time range you desire in the time range picker on the upper right side of the dashboard.

Anomalous Logons - Windows dashboard

This dashboard contains information about questionable user activity on your network. It also shows the more sinister attempts to access restricted network resources. Specific statistics displayed here include:

  • Users logging on from more than one AD site
  • Users logging on from more than one workstation
  • Attempts to log on to disabled or expired accounts

How to use this page

Use the Forest, Site, Domain, and Server fields to limit results to the forest(s), site(s), domain(s), and user(s) that you want to see.

To filter using these fields:

  1. Select a field with your mouse.
  2. Type the name of an element in the appropriate field. For example, type in the name of a forest in the Forest field. The Content Pack for Windows Dashboards and Reports displays entries for forests and updates the page to contain only relevant information that matches the specified forest.
    1. This method works identically for sites, domains, and users.

Use the time range picker to limit results to the range of time that you want the app to display.
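The statistics listed for the Failed Logons and Anomalous Logons dashboards can be reproduced from raw failed-logon events. The following is an added example, not one of the content pack's own searches: the record keys are hypothetical names for the TargetUserName, IpAddress, LogonType, and SubStatus fields of Windows event ID 4625, and the sample events are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample of failed-logon records (Windows event ID 4625).
# Keys are hypothetical names for TargetUserName, IpAddress, LogonType, SubStatus.
EVENTS = [
    {"user": "alice", "ip": "10.0.0.5", "logon_type": 2, "sub_status": "0xC000006A"},
    {"user": "alice", "ip": "10.0.0.5", "logon_type": 2, "sub_status": "0xC000006A"},
    {"user": "alice", "ip": "10.0.0.5", "logon_type": 2, "sub_status": "0xC0000234"},
    {"user": "bob", "ip": "10.0.0.7", "logon_type": 3, "sub_status": "0xC000006A"},
    {"user": "bob", "ip": "10.0.1.9", "logon_type": 3, "sub_status": "0xc000006a"},
    {"user": "bob", "ip": "10.0.2.14", "logon_type": 10, "sub_status": "0xC000006A"},
    {"user": "carol", "ip": "10.0.0.8", "logon_type": 2, "sub_status": "0xC0000071"},
    {"user": "svc_old", "ip": "10.0.1.9", "logon_type": 3, "sub_status": "0xC0000072"},
    {"user": "dave", "ip": "10.0.0.9", "logon_type": 2, "sub_status": "0xC0000193"},
]

# NTSTATUS sub-status codes carried by event 4625, keyed in lower case.
REASONS = {
    "0xc000006a": "bad password", "0xc0000064": "unknown user",
    "0xc0000071": "expired password", "0xc0000234": "locked account",
    "0xc0000072": "disabled account", "0xc0000193": "expired account",
}
LOGON_TYPES = {2: "interactive", 3: "network", 10: "remote interactive"}

def reason(event):
    """Map an event's sub-status code to a readable failure reason."""
    return REASONS.get(event["sub_status"].lower(), "other")

def failed_by_reason(events):
    return Counter(reason(e) for e in events)

def failed_by_logon_type(events):
    return Counter(LOGON_TYPES.get(e["logon_type"], "other") for e in events)

def users_failing_from_multiple_ips(events, min_ips=2):
    """Users whose failures come from at least min_ips distinct source IPs."""
    ips = defaultdict(set)
    for e in events:
        ips[e["user"]].add(e["ip"])
    return {u: sorted(s) for u, s in ips.items() if len(s) >= min_ips}

def disabled_or_expired_account_attempts(events):
    """Users with logon attempts against disabled or expired accounts."""
    hits = {"disabled account", "expired account"}
    return sorted({e["user"] for e in events if reason(e) in hits})

if __name__ == "__main__":
    print(failed_by_reason(EVENTS))
    print(users_failing_from_multiple_ips(EVENTS))
```

Repeated failures from a single address, as with alice here, usually end in a lockout, while one account failing from several addresses is the pattern the multiple-IP panel is meant to surface.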

Active Directory Help: Computers dashboards

The following dashboards are included in the Active Directory Help: Computers category.

Computer Audit - Windows dashboard

The Computer Audit dashboard displays information about access to Active Directory from computer accounts, and includes statistics on the following:

  • Active Directory record
  • Group Membership
  • Accounts that were locked out after attempting a logon from a specific workstation
  • Failed logons from specific computers

How to use this dashboard
You can choose the domain from which you want to display computer audit data by selecting the Account Domain drop-down list. You must select a domain in order to get information on computer account activity within the domain.

You can further narrow down your search by typing in the name of a valid computer object in the Computer Account field. If you use the wildcard symbol (*), the Content Pack for Windows Dashboards and Reports searches against all computers.

You can also control how much data gets displayed by selecting a time range in the time range picker on the upper left side of the dashboard.

Computer Changes - Windows dashboard

The Computer Changes dashboard displays information about changes to Active Directory computer objects.

How to use this dashboard
The selection panel lets you filter results based on Forest, Site, Domain, and Server. You can narrow your search by using one of the available drop-downs to limit results based on the Administrator who made the changes and Computer Name.

You can also control how much information the app displays by selecting a time range in the time range picker on the upper right side of the dashboard.

Active Directory Help: Groups dashboards

The following dashboards are included in the Active Directory Help: Groups category.

Group Audit - Windows dashboard

The Group Audit dashboard displays information about Active Directory group objects, and includes statistics on the following:

  • Active Directory record
  • A full Group Membership list
  • Recent changes to the group membership

How to use this dashboard
Use the Account Domain drop-down list to choose the domain from which you want to display group audit data. You must choose a domain to get information on group account activity within the domain.

You can further narrow down your search by typing in the name of a valid group object in the Group Name field. If you use the wildcard symbol (*), the Content Pack for Windows Dashboards and Reports searches against all groups.

You can also control how much data gets displayed by selecting a time range in the time range picker on the upper left side of the dashboard.

Group Changes - Windows dashboard

The Group Changes dashboard shows information about changes to AD group objects, from the context of both changes to the group object itself and changes to the membership of the group.

How to use this dashboard
Use the selection panel to filter results based on Forest, Site, Domain, and Server. You can narrow your search by using one of the available drop-downs to limit results based on the following:

  • Administrator: Who made the changes
  • Group, Group Class: Security or Distribution
  • Group Scope: Global, Local, or Universal

You can also control how much information the app displays by selecting a time range in the time range picker on the upper right side of the dashboard.

Active Directory Help: Group Policy dashboards

The following dashboards are included in the Active Directory Help: Group Policy category.

Group Policy Audit - Windows dashboard

This dashboard displays information about Active Directory Group Policy objects (GPOs), and includes statistics on the following:

  • Which group policy objects are linked to which containers.
  • Recent changes to group policy.

How to use this dashboard
In the upper portion of the dashboard, you can choose the domain from which you want to display user audit data by selecting the Domain drop-down list.

You can further narrow down your search by typing in a valid GPO in the Group Policy Name field.

Group Policy Changes - Windows dashboard

This dashboard shows information about changes to AD group policy objects, from the context of both changes to the GPO itself and changes to the membership of the group.

How to use this dashboard
Use the selection panel to filter results based on Domain, Administrator, and Group Policy name.

You can also narrow your search by using one of the available drop-downs to limit results based on the following:

  • Administrator who made the changes
  • Account Domain
  • Group Policy Name

You can also control how much information the app displays by selecting a time range in the time range picker on the upper right side of the dashboard.

Active Directory Help: Organisational Units dashboards

The following dashboards are included in the Active Directory Help: Organisational Units category.

Organization Unit Audit - Windows dashboard

This dashboard displays information about Active Directory Organizational Units and includes statistics on Active Directory records.

How to use this dashboard
Use the Account Domain drop-down menu to choose the domain from which you want to display organization unit (OU) audit data. You must choose a domain in order to get information on OUs within the domain.

You can further narrow down your search by typing in the name of a valid OU in the Group Policy Name field. If you use the wildcard symbol (*), the Content Pack for Windows Dashboards and Reports searches against all OUs.

You can also control how much data gets displayed by selecting a time range in the time range picker on the upper left side of the dashboard.

Last modified on 23 February, 2023

This documentation applies to the following versions of Content Pack for Windows Dashboards and Reports: 1.2.0, 1.2.1, 1.2.2, 1.3.0

