Install and configure the Content Pack for Windows Dashboards and Reports
Perform the following high-level steps to install and configure the Content Pack for Windows Dashboards and Reports:
- Install and configure the Splunk Add-on for Windows.
- Install and configure the Splunk Supporting Add-on for Active Directory.
- Install the content pack.
- Run the saved searches to build the lookups.
- Enable entity discovery search.
Prerequisites
Review the following prerequisites before installing the content pack:
- Enable the App Key-Value Store in your environment where the content pack is installed.
- Install and configure the IT Service Intelligence (ITSI) or IT Essentials Work App in your environment. See About Splunk ITSI in the Install and Upgrade Manual, or Install IT Essentials Work in the Overview of Splunk IT Essentials Work manual.
Install and configure the Splunk Add-on for Microsoft Windows
The content pack relies on data from the Splunk Add-on for Microsoft Windows. The add-on collects the computer, groups, security, DNS, organizational, and domain data from your Windows server hosts.
To learn how to install and configure the add-on, see Install the Splunk Add-on for Microsoft Windows in the Splunk Add-on for Microsoft Windows manual.
For information about getting data in from the Splunk Add-on for Microsoft Windows for the content pack, see Get Windows server data.
The following table shows where to install the Splunk Add-on for Microsoft Windows in your distributed environment:
Package | Search head | Indexer | Forwarder |
---|---|---|---|
Splunk Add on for Microsoft Windows | X | X | X |
Install and configure the Splunk Supporting Add-on for Active Directory
The content pack relies on the custom commands provided by the Splunk Supporting Add-on for Active Directory for searching attributes from the Active Directory.
To learn how to install and configure the add-on, see Install the Splunk Supporting Add-on for Active Directory in the Splunk Supporting Add-on for Active Directory manual.
For information about getting data in from the Splunk Supporting Add-on for Active Directory for the content pack, see Get Active Directory data.
The following table shows where to install the Splunk Supporting Add-on for Active Directory in your distributed environment:
Package | Search head | Indexer | Forwarder |
---|---|---|---|
Splunk Supporting Add-on for Active Directory | X |
Install the content pack
To install the Content Pack for Windows Dashboards and Reports, you must install the Splunk App for Content Packs. To install the Splunk App for Content Packs in your environment, see the Install the Splunk App for Content Packs.
After you have installed the Splunk App for Content Packs, perform the following steps to install the content pack:
- From the ITSI main menu, click Configuration > Data Integrations.
- Select Content Library.
- Select the Windows Dashboards and Reports content pack.
- Review what's included in the content pack and then click Proceed.
- Configure the following settings:
- Choose which objects to install: For a first-time installation, select the items you want to install and deselect any you're not interested in. For an upgrade, the installer identifies which objects from the content pack are new and which ones already exist in your environment from a previous installation. You can selectively choose which objects to install from the new version or install them all.
- Choose a conflict resolution rule for the objects you install: For upgrades or subsequent installs, decide what happens to duplicate objects introduced from the content pack. Choose from the following options:
- Install as new: Objects are installed and any existing identical objects in your environment remain intact.
- Replace existing: Existing identical objects are replaced with those from the new installation. Any changes you previously made to these objects are overwritten.
- Import as enabled: Select whether to install objects as enabled or to leave them in their original state. We recommend that you import objects as disabled to ensure your environment doesn't break from the addition of new content. This setting only applies to services, correlation searches, and aggregation policies. All other objects such as KPI base searches and saved searches are installed in their original state regardless of the option you choose.
- Modify status of saved searches: This option will be displayed solely if the content pack contains saved searches. By default, saved searches included in a content pack are in deactivated state. Within this configuration, you have the flexibility to perform the following operations.
- Activate all saved searches: By selecting this option, you can activate all the saved searches associated with the content pack.
- Deactivate all saved searches: By selecting this option, you can deactivate all the saved searches associated with the content pack.
- Retain current status of saved searches: This option allows you to preserve the existing status of the saved searches within the content pack, ensuring they remain unchanged.
- Add a prefix to your new objects: You can optionally append a custom prefix to each object installed from the content pack. For example, you might prefix your objects with CP- to indicate they came from a content pack. This optional prefix can help you locate and manage the objects after installation.
- Backfill service KPIs: Optionally backfill your ITSI environment with the previous seven days of KPI data. Consider enabling backfill if you want to configure adaptive thresholding and predictive analytics for the new services. This setting only applies to KPIs, not service health scores.
- When you're satisfied with your selections, click Install selected.
- Click Install to confirm the installation. When the installation completes, you can view all objects that were successfully installed in your environment. A green checkmark next to the name of a content pack on the Data Integrations page indicates which content packs you've already installed.
Run the saved searches and build the lookups
The build_winfra_lookup
saved search is required to use the dashboards in the content pack. The search fills the lookup tables that populate the dashboards and reports in the content pack.
Before running the search, make sure that data is populating the indexes, whether they're the original four, or custom indexes you've created. Data ingestion must be set up before you can run search successfully. For information about the indexes that the content pack expects and how to create them, see Create the required indexes.
After glancing at the indexes to verify data ingestion, perform the following steps to run the saved searches:
- In Splunk Web, go to the Settings menu and select Searches, reports, and alerts.
- Search for the
build_winfra_lookup
saved search. - Run the search and verify that all the searches included in the
build_winfra_lookup
search have run.
The following list shows the saved searches included in the build_winfra_lookup
:
- WinApp_Lookup_Build_Perfmon - Update - Server
- WinApp_Lookup_Build_Printmon - Update
- WinApp_Lookup_Build_Netmon - Update - Server
- WinApp_Lookup_Build_Hostmon_Process - Update - Detail
- WinApp_Lookup_Build_Hostmon_FS - Update - Detail
- WinApp_Lookup_Build_Hostmon_Machine - Update - Detail
- WinApp_Lookup_Build_Hostmon - Update - Server
- WinApp_Lookup_Build_Event - Update - Server
- ActiveDirectory: Update Computer Lookup
- ActiveDirectory: Update User Lookup
- ActiveDirectory: Update Group Lookup
- ActiveDirectory: Update GPO Lookup
- SiteInfo_Lookup_Update
- tHostInfo_Lookup_Update
- HostToDomain_Lookup_Update
- DomainSelector_Lookup
Collect AD data in a Splunk metric index
To collect AD data in a Splunk metric index, perform the following steps:
- In the
inputs.conf
file of your local folder, update/add the NTDS source with the following configuration as per your ITSI version - Restart your Splunk Enterprise to enable the new configuration.
##If you are using ITSI version 4.13.0 or higher, then update stanza with the configuration below## [perfmon://NTDS] object = NTDS counters = DRA Inbound Properties Total/sec; AB Browses/sec; DRA Inbound Objects Applied/sec; DS Threads in Use; AB Client Sessions; DRA Pending Replication Synchronizations; DRA Inbound Object Updates Remaining in Packet; DS Security Descriptor sub-operations/sec; DS Security Descriptor Propagations Events; LDAP Client Sessions; LDAP Active Threads; LDAP Writes/sec; LDAP Searches/sec; DRA Outbound Objects/sec; DRA Outbound Properties/sec; DRA Inbound Values Total/sec; DRA Sync Requests Made; DRA Sync Requests Successful; DRA Sync Failures on Schema Mismatch; DRA Inbound Objects/sec; DRA Inbound Properties Applied/sec; DRA Inbound Properties Filtered/sec; DS Monitor List Size; DS Notify Queue Size; LDAP UDP operations/sec; DS Search sub-operations/sec; DS Name Cache hit rate; DRA Highest USN Issued (Low part); DRA Highest USN Issued (High part); DRA Highest USN Committed (Low part); DRA Highest USN Committed (High part); DS % Writes from SAM; DS % Writes from DRA; DS % Writes from LDAP; DS % Writes from LSA; DS % Writes from KCC; DS % Writes from NSPI; DS % Writes Other; DS Directory Writes/sec; DS % Searches from SAM; DS % Searches from DRA; DS % Searches from LDAP; DS % Searches from LSA; DS % Searches from KCC; DS % Searches from NSPI; DS % Searches Other; DS Directory Searches/sec; DS % Reads from SAM; DS % Reads from DRA; DRA Inbound Values (DNs only)/sec; DRA Inbound Objects Filtered/sec; DS % Reads from LSA; DS % Reads from KCC; DS % Reads from NSPI; DS % Reads Other; DS Directory Reads/sec; LDAP Successful Binds/sec; LDAP Bind Time; SAM Successful Computer Creations/sec: Includes all requests; SAM Machine Creation Attempts/sec; SAM Successful User Creations/sec; SAM User Creation Attempts/sec; SAM Password Changes/sec; SAM Membership Changes/sec; SAM Display Information Queries/sec; SAM Enumerations/sec; SAM Transitive Membership Evaluations/sec; SAM Non-Transitive Membership Evaluations/sec; SAM Domain Local Group Membership Evaluations/sec; SAM Universal Group Membership Evaluations/sec; SAM Global Group Membership Evaluations/sec; SAM GC Evaluations/sec; DRA Inbound Full Sync Objects Remaining; DRA Inbound Bytes Total/sec; DRA Inbound Bytes Not Compressed (Within Site)/sec; DRA Inbound Bytes Compressed (Between Sites, Before Compression)/sec; DRA Inbound Bytes Compressed (Between Sites, After Compression)/sec; DRA Outbound Bytes Total/sec; DRA Outbound Bytes Not Compressed (Within Site)/sec; DRA Outbound Bytes Compressed (Between Sites, Before Compression)/sec; DRA Outbound Bytes Compressed (Between Sites, After Compression)/sec; DS Client Binds/sec; DS Server Binds/sec; DS Client Name Translations/sec; DS Server Name Translations/sec; DS Security Descriptor Propagator Runtime Queue; DS Security Descriptor Propagator Average Exclusion Time; DRA Outbound Objects Filtered/sec; DRA Outbound Values Total/sec; DRA Outbound Values (DNs only)/sec; AB ANR/sec; AB Property Reads/sec; AB Searches/sec; AB Matches/sec; AB Proxy Lookups/sec; ATQ Threads Total; ATQ Threads LDAP; ATQ Threads Other; DRA Inbound Bytes Total Since Boot; DRA Inbound Bytes Not Compressed (Within Site) Since Boot; DRA Inbound Bytes Compressed (Between Sites, Before Compression) Since Boot; DRA Inbound Bytes Compressed (Between Sites, After Compression) Since Boot; DRA Outbound Bytes Total Since Boot; DRA Outbound Bytes Not Compressed (Within Site) Since Boot; DRA Outbound Bytes Compressed (Between Sites, Before Compression) Since Boot; DRA Outbound Bytes Compressed (Between Sites, After Compression) Since Boot; LDAP New Connections/sec; LDAP Closed Connections/sec; LDAP New SSL Connections/sec; DRA Pending Replication Operations; DRA Threads Getting NC Changes; DRA Threads Getting NC Changes Holding Semaphore; DRA Inbound Link Value Updates Remaining in Packet; DRA Inbound Total Updates Remaining in Packet; DS % Writes from NTDSAPI; DS % Searches from NTDSAPI; DS % Reads from NTDSAPI; SAM Account Group Evaluation Latency; SAM Resource Group Evaluation Latency; ATQ Outstanding Queued Requests; ATQ Request Latency; ATQ Estimated Queue Delay; Tombstones Garbage Collected/sec; Phantoms Cleaned/sec; Link Values Cleaned/sec; Tombstones Visited/sec; Phantoms Visited/sec; NTLM Binds/sec; Negotiated Binds/sec; Digest Binds/sec; Simple Binds/sec; External Binds/sec; Fast Binds/sec; Base searches/sec; Subtree searches/sec; Onelevel searches/sec; Database adds/sec; Database modifys/sec; Database deletes/sec; Database recycles/sec; Approximate highest DNT; Transitive operations/sec; Transitive suboperations/sec; Transitive operations milliseconds run interval = 60 disabled = 0 mode = single useEnglishOnly=true index = itsi_im_metrics sourcetype=PerfmonMetrics:NTDS ##If you are using ITSI version 4.13.0 or lower, then update stanza with the configuration below## [perfmon://NTDS] object = NTDS counters = DRA Inbound Properties Total/sec; AB Browses/sec; DRA Inbound Objects Applied/sec; DS Threads in Use; AB Client Sessions; DRA Pending Replication Synchronizations; DRA Inbound Object Updates Remaining in Packet; DS Security Descriptor sub-operations/sec; DS Security Descriptor Propagations Events; LDAP Client Sessions; LDAP Active Threads; LDAP Writes/sec; LDAP Searches/sec; DRA Outbound Objects/sec; DRA Outbound Properties/sec; DRA Inbound Values Total/sec; DRA Sync Requests Made; DRA Sync Requests Successful; DRA Sync Failures on Schema Mismatch; DRA Inbound Objects/sec; DRA Inbound Properties Applied/sec; DRA Inbound Properties Filtered/sec; DS Monitor List Size; DS Notify Queue Size; LDAP UDP operations/sec; DS Search sub-operations/sec; DS Name Cache hit rate; DRA Highest USN Issued (Low part); DRA Highest USN Issued (High part); DRA Highest USN Committed (Low part); DRA Highest USN Committed (High part); DS % Writes from SAM; DS % Writes from DRA; DS % Writes from LDAP; DS % Writes from LSA; DS % Writes from KCC; DS % Writes from NSPI; DS % Writes Other; DS Directory Writes/sec; DS % Searches from SAM; DS % Searches from DRA; DS % Searches from LDAP; DS % Searches from LSA; DS % Searches from KCC; DS % Searches from NSPI; DS % Searches Other; DS Directory Searches/sec; DS % Reads from SAM; DS % Reads from DRA; DRA Inbound Values (DNs only)/sec; DRA Inbound Objects Filtered/sec; DS % Reads from LSA; DS % Reads from KCC; DS % Reads from NSPI; DS % Reads Other; DS Directory Reads/sec; LDAP Successful Binds/sec; LDAP Bind Time; SAM Successful Computer Creations/sec: Includes all requests; SAM Machine Creation Attempts/sec; SAM Successful User Creations/sec; SAM User Creation Attempts/sec; SAM Password Changes/sec; SAM Membership Changes/sec; SAM Display Information Queries/sec; SAM Enumerations/sec; SAM Transitive Membership Evaluations/sec; SAM Non-Transitive Membership Evaluations/sec; SAM Domain Local Group Membership Evaluations/sec; SAM Universal Group Membership Evaluations/sec; SAM Global Group Membership Evaluations/sec; SAM GC Evaluations/sec; DRA Inbound Full Sync Objects Remaining; DRA Inbound Bytes Total/sec; DRA Inbound Bytes Not Compressed (Within Site)/sec; DRA Inbound Bytes Compressed (Between Sites, Before Compression)/sec; DRA Inbound Bytes Compressed (Between Sites, After Compression)/sec; DRA Outbound Bytes Total/sec; DRA Outbound Bytes Not Compressed (Within Site)/sec; DRA Outbound Bytes Compressed (Between Sites, Before Compression)/sec; DRA Outbound Bytes Compressed (Between Sites, After Compression)/sec; DS Client Binds/sec; DS Server Binds/sec; DS Client Name Translations/sec; DS Server Name Translations/sec; DS Security Descriptor Propagator Runtime Queue; DS Security Descriptor Propagator Average Exclusion Time; DRA Outbound Objects Filtered/sec; DRA Outbound Values Total/sec; DRA Outbound Values (DNs only)/sec; AB ANR/sec; AB Property Reads/sec; AB Searches/sec; AB Matches/sec; AB Proxy Lookups/sec; ATQ Threads Total; ATQ Threads LDAP; ATQ Threads Other; DRA Inbound Bytes Total Since Boot; DRA Inbound Bytes Not Compressed (Within Site) Since Boot; DRA Inbound Bytes Compressed (Between Sites, Before Compression) Since Boot; DRA Inbound Bytes Compressed (Between Sites, After Compression) Since Boot; DRA Outbound Bytes Total Since Boot; DRA Outbound Bytes Not Compressed (Within Site) Since Boot; DRA Outbound Bytes Compressed (Between Sites, Before Compression) Since Boot; DRA Outbound Bytes Compressed (Between Sites, After Compression) Since Boot; LDAP New Connections/sec; LDAP Closed Connections/sec; LDAP New SSL Connections/sec; DRA Pending Replication Operations; DRA Threads Getting NC Changes; DRA Threads Getting NC Changes Holding Semaphore; DRA Inbound Link Value Updates Remaining in Packet; DRA Inbound Total Updates Remaining in Packet; DS % Writes from NTDSAPI; DS % Searches from NTDSAPI; DS % Reads from NTDSAPI; SAM Account Group Evaluation Latency; SAM Resource Group Evaluation Latency; ATQ Outstanding Queued Requests; ATQ Request Latency; ATQ Estimated Queue Delay; Tombstones Garbage Collected/sec; Phantoms Cleaned/sec; Link Values Cleaned/sec; Tombstones Visited/sec; Phantoms Visited/sec; NTLM Binds/sec; Negotiated Binds/sec; Digest Binds/sec; Simple Binds/sec; External Binds/sec; Fast Binds/sec; Base searches/sec; Subtree searches/sec; Onelevel searches/sec; Database adds/sec; Database modifys/sec; Database deletes/sec; Database recycles/sec; Approximate highest DNT; Transitive operations/sec; Transitive suboperations/sec; Transitive operations milliseconds run interval = 60 disabled = 0 mode = single useEnglishOnly=true index = itsi_im_metrics
The following data ingestion configuration is optional because it is not required by the Content Pack, but it yields better visualization of AD data.
This configuration can only be used if you are running ITSI v4.13.0 or higher.
- In the
inputs.conf
file of your local folder, update/add the DFS_Replicated_Folders and DNS source with the following configuration: - Restart your Splunk Enterprise to enable the new configuration.
##If you are using ITSI version 4.13.0 or higher, then update stanza's with below configuration## [perfmon://DFS_Replicated_Folders] object = DFS Replicated Folders counters = Bandwidth Savings Using DFS Replication; RDC Bytes Received; RDC Compressed Size of Files Received; RDC Size of Files Received; RDC Number of Files Received; Compressed Size of Files Received; Size of Files Received; Total Files Received; Deleted Space In Use; Deleted Bytes Cleaned up; Deleted Files Cleaned up; Deleted Bytes Generated; Deleted Files Generated; Updates Dropped; File Installs Retried; File Installs Succeeded; Conflict Folder Cleanups Completed; Conflict Space In Use; Conflict Bytes Cleaned up; Conflict Files Cleaned up; Conflict Bytes Generated; Conflict Files Generated; Staging Space In Use; Staging Bytes Cleaned up; Staging Files Cleaned up; Staging Bytes Generated; Staging Files Generated instances = * interval = 30 disabled = 0 mode = single useEnglishOnly=true index = itsi_im_metrics sourcetype=PerfmonMetrics:DFS_Replicated_Folders [perfmon://DNS] object = DNS counters = Total Query Received; Total Query Received/sec; UDP Query Received; UDP Query Received/sec; TCP Query Received; TCP Query Received/sec; Total Response Sent; Total Response Sent/sec; UDP Response Sent; UDP Response Sent/sec; TCP Response Sent; TCP Response Sent/sec; Recursive Queries; Recursive Queries/sec; Recursive Send TimeOuts; Recursive TimeOut/sec; Recursive Query Failure; Recursive Query Failure/sec; Notify Sent; Zone Transfer Request Received; Zone Transfer Success; Zone Transfer Failure; AXFR Request Received; AXFR Success Sent; IXFR Request Received; IXFR Success Sent; Notify Received; Zone Transfer SOA Request Sent; AXFR Request Sent; AXFR Response Received; AXFR Success Received; IXFR Request Sent; IXFR Response Received; IXFR Success Received; IXFR UDP Success Received; IXFR TCP Success Received; WINS Lookup Received; WINS Lookup Received/sec; WINS Response Sent; WINS Response Sent/sec; WINS Reverse Lookup Received; WINS Reverse Lookup Received/sec; WINS Reverse Response Sent; WINS Reverse Response Sent/sec; Dynamic Update Received; Dynamic Update Received/sec; Dynamic Update NoOperation; Dynamic Update NoOperation/sec; Dynamic Update Written to Database; Dynamic Update Written to Database/sec; Dynamic Update Rejected; Dynamic Update TimeOuts; Dynamic Update Queued; Secure Update Received; Secure Update Received/sec; Secure Update Failure; Database Node Memory; Record Flow Memory; Caching Memory; UDP Message Memory; TCP Message Memory; Nbstat Memory; Unmatched Responses Received interval = 60 disabled = 0 mode = single useEnglishOnly=true index = itsi_im_metrics sourcetype=PerfmonMetrics:DNS
Enable entity discovery search
The content pack includes one entity discovery search which is disabled by default. When you are ready to get your data in, follow these steps to enable the entity discovery search for Windows Dashboards and Reports. You must have administrator rights to perform the following steps:
- In Splunk Enterprise go to Settings > Searches, reports, and alerts.
- In the Type dropdown, select All.
- In the App dropdown, select Content Pack for Windows Dashboards and Reports (DA-ITSI-CP-windows-dashboards).
- In the Owner dropdown, select All.
- Select Edit > Enable to enable the saved search
ITSI Import Objects - Import Active Directory Entity
Release Notes for the Content Pack for Windows Dashboards and Reports | Migrate from the Splunk App for Windows Infrastructure to the Content Pack for Windows Dashboards and Reports |
This documentation applies to the following versions of Content Pack for Windows Dashboards and Reports: 1.2.1, 1.2.2, 1.3.0
Feedback submitted, thanks!