Get Windows server data
The Content Pack for Windows Dashboards and Reports provides visibility into the health and performance of your Microsoft Windows Server and Active Directory environments. The content pack relies on data collected by the Splunk Add-on for Windows to populate the dashboards and reports provided by the content pack.
The Splunk Add-on for Windows is required in order to access data from the following resources:
- All hosts that run Active Directory Domain Services, including domain controllers and DNS servers.
- All Windows hosts from which you want Windows data.
- All indexers.
- All search heads.
Download the Splunk Add-on for Windows
Perform the following high-level steps to download the Splunk Add-on for Windows:
- Download the Splunk Add-on for Windows from Splunkbase and save it to an accessible place on the deployment server.
- When prompted, choose an accessible location on your deployment server to save the download. Do not attempt to run the download.
- Unarchive the file to an accessible location.
For more detailed instructions, see Install the Splunk Add-on for Windows in the Splunk Add-on for Windows manual.
Configure the Splunk Add-on for Windows
Perform the following high-level steps to configure the Splunk Add-on for Windows. You must complete these steps for Windows perfmon data to be used in the dashboards:
- In the location where you unarchived the downloaded app file, locate the Splunk_TA_windows directory.
- Create a local subdirectory within the Splunk_TA_windows directory.
- Copy the inputs.conf file in the default subdirectory to the local directory.
- Edit the disabled and mode attributes in the inputs.conf file. You can optionally add an index attribute to use specific indexes.
Microsoft Windows event logs that are rendered in XML format will not populate in the Content Pack for Windows Dashboards and Reports.
Version 5.0.1 and higher of the Splunk Add-on for Windows collects data in multikv mode by default. This mode has a different event format from the existing single mode, and the Content Pack for Windows Dashboards and Reports only supports single mode. You must change the value of the mode parameter to single in the perfmon stanzas in /Splunk_TA_windows/default/inputs.conf on the forwarder.
You can refer to the following example input stanzas:
```
## CPU
[perfmon://CPU]
counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
disabled = 0
instances = *
interval = 10
mode = single
object = Processor
useEnglishOnly=true

## Logical Disk
[perfmon://LogicalDisk]
counters = % Free Space; Free Megabytes; Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
disabled = 0
instances = *
interval = 10
mode = single
object = LogicalDisk
useEnglishOnly=true

## Physical Disk
[perfmon://PhysicalDisk]
counters = Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
disabled = 0
instances = *
interval = 10
mode = single
object = PhysicalDisk
useEnglishOnly=true

## Memory
[perfmon://Memory]
counters = Page Faults/sec; Available Bytes; Committed Bytes; Commit Limit; Write Copies/sec; Transition Faults/sec; Cache Faults/sec; Demand Zero Faults/sec; Pages/sec; Pages Input/sec; Page Reads/sec; Pages Output/sec; Pool Paged Bytes; Pool Nonpaged Bytes; Page Writes/sec; Pool Paged Allocs; Pool Nonpaged Allocs; Free System Page Table Entries; Cache Bytes; Cache Bytes Peak; Pool Paged Resident Bytes; System Code Total Bytes; System Code Resident Bytes; System Driver Total Bytes; System Driver Resident Bytes; System Cache Resident Bytes; % Committed Bytes In Use; Available KBytes; Available MBytes; Transition Pages RePurposed/sec; Free & Zero Page List Bytes; Modified Page List Bytes; Standby Cache Reserve Bytes; Standby Cache Normal Priority Bytes; Standby Cache Core Bytes; Long-Term Average Standby Cache Lifetime (s)
disabled = 0
interval = 10
mode = single
object = Memory
useEnglishOnly=true

## Network
[perfmon://Network]
counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size
disabled = 0
instances = *
interval = 10
mode = single
object = Network Interface
useEnglishOnly=true

## Process
[perfmon://Process]
counters = % Processor Time; % User Time; % Privileged Time; Virtual Bytes Peak; Virtual Bytes; Page Faults/sec; Working Set Peak; Working Set; Page File Bytes Peak; Page File Bytes; Private Bytes; Thread Count; Priority Base; Elapsed Time; ID Process; Creating Process ID; Pool Paged Bytes; Pool Nonpaged Bytes; Handle Count; IO Read Operations/sec; IO Write Operations/sec; IO Data Operations/sec; IO Other Operations/sec; IO Read Bytes/sec; IO Write Bytes/sec; IO Data Bytes/sec; IO Other Bytes/sec; Working Set - Private
disabled = 0
instances = *
interval = 10
mode = single
object = Process
useEnglishOnly=true

## Processor Information
[perfmon://ProcessorInformation]
counters = % Processor Time; Processor Frequency
disabled = 0
instances = *
interval = 10
mode = single
object = Processor Information
useEnglishOnly=true

## System
[perfmon://System]
counters = File Read Operations/sec; File Write Operations/sec; File Control Operations/sec; File Read Bytes/sec; File Write Bytes/sec; File Control Bytes/sec; Context Switches/sec; System Calls/sec; File Data Operations/sec; System Up Time; Processor Queue Length; Processes; Threads; Alignment Fixups/sec; Exception Dispatches/sec; Floating Emulations/sec; % Registry Quota In Use
disabled = 0
instances = *
interval = 10
mode = single
object = System
useEnglishOnly=true
```
You can either create the default Windows indexes as described in the section Create the required Indexes, or create your own custom indexes and then update the event types as described in the section Update configuration files to use custom indexes. If you use the default Windows indexes, you must add an index parameter with the value from the following table to each input stanza in /Splunk_TA_windows/default/inputs.conf on the forwarder.
Input stanza | Index | Event type |
---|---|---|
[WinEventLog://Application], [WinEventLog://Security], [WinEventLog://System], [WinEventLog://ForwardedEvents] | wineventlog | wineventlog_index_windows |
[monitor://$WINDIR\System32\DHCP], [monitor://$WINDIR\WindowsUpdate.log], [script://.\bin\win_listening_ports.bat], [script://.\bin\win_installed_apps.bat], [script://.\bin\win_timesync_status.bat], [script://.\bin\win_timesync_configuration.bat] | windows | windows_index_windows |
[perfmon://CPU], [perfmon://LogicalDisk], [perfmon://PhysicalDisk], [perfmon://Memory], [perfmon://Network], [perfmon://Process], [perfmon://ProcessorInformation], [perfmon://System] | perfmon | perfmon_index_windows |
[admon://default], [WinRegMon://default], [WinRegMon://hkcu_run], [WinRegMon://hklm_run] | windows | windows_index_windows |
[monitor://$WINDIR\debug\netlogon.log], [MonitorNoHandle://$WINDIR\System32\Dns\dns.log] | msad | msad_index_windows |
Save the inputs.conf in the local subdirectory. The following is an example of inputs.conf stanzas with the index parameter added:
```
[perfmon://CPU]
counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
disabled = 0
instances = *
interval = 10
mode = single
object = Processor
useEnglishOnly=true
index = perfmon

[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=false
index = wineventlog

[WinPrintMon://port]
type = port
interval = 600
baseline = 1
disabled = 0
index = windows

[script://.\bin\runpowershell.cmd nt6-siteinfo.ps1]
source=Powershell
sourcetype=MSAD:NT6:SiteInfo
interval=3600
disabled=0
index = msad
```
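As an added example, not part of this page or of the add-on, the following Python script audits a forwarder's local inputs.conf for the three requirements described above: perfmon stanzas must run in single mode, event-log stanzas must not be rendered as XML, and every enabled stanza must carry an index the content pack's event types search (the four default indexes, plus any custom index you pass in). It assumes the add-on is version 5.0.1 or later, so a perfmon stanza without a mode line is treated as multikv; the sample configuration is constructed.

```python
import configparser

REQUIRED_INDEXES = {"msad", "perfmon", "windows", "wineventlog"}  # the indexes named on this page

# Constructed sample of a forwarder's Splunk_TA_windows/local/inputs.conf with two mistakes.
SAMPLE_INPUTS_CONF = """\
[perfmon://CPU]
counters = % Processor Time; % User Time; % Privileged Time
disabled = 0
object = Processor
index = perfmon

[WinEventLog://Security]
disabled = 0
renderXml=true
index = wineventlog

[WinRegMon://hklm_run]
disabled = 0
index = windows

[WinEventLog://Application]
disabled = 1
renderXml=true
"""


def audit_inputs(text, extra_indexes=()):
    """Return (stanza, problem) pairs; empty means compliant. Assumes add-on 5.0.1+ (no 'mode' = multikv)."""
    # Splunk .conf files are INI-like, but keys are case-sensitive (renderXml) and
    # counter names contain '%', so key folding and interpolation are switched off.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    allowed = REQUIRED_INDEXES | set(extra_indexes)
    findings = []
    for stanza in cp.sections():
        opts = cp[stanza]
        if opts.get("disabled", "0").strip() in ("1", "true"):
            continue  # a disabled input sends nothing, so it cannot feed the dashboards
        scheme = stanza.split("://", 1)[0]
        if scheme == "perfmon" and opts.get("mode", "multikv").strip() != "single":
            findings.append((stanza, "perfmon mode must be 'single' (add-on 5.0.1+ defaults to multikv)"))
        if scheme == "WinEventLog" and opts.get("renderXml", "false").strip().lower() == "true":
            findings.append((stanza, "renderXml=true: XML-rendered event logs do not populate the dashboards"))
        index = opts.get("index", "").strip()
        if not index:
            findings.append((stanza, "no index attribute; events would land in the default index"))
        elif index not in allowed:
            findings.append((stanza, f"index '{index}' is not searched by the content pack's event types"))
    return findings
```

Running audit_inputs on the constructed sample reports the perfmon stanza (no mode line) and the Security event log (renderXml=true); the disabled Application stanza is skipped.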
Create the required Indexes
The Content Pack for Windows Dashboards and Reports requires the following four indexes for indexing and displaying the incoming data from the Splunk Add-on for Windows:
- msad
- perfmon
- windows
- wineventlog
Refer to the following links to learn how to create indexes:
- For Splunk Enterprise users, see Create events indexes in the Managing Indexers and Clusters of Indexers manual.
- For Splunk Cloud Platform users, contact Splunk Support to set up, manage, and maintain the cloud index parameters. See Manage Splunk Cloud Platform indexes in the Splunk Cloud Platform Admin Manual.
You can also use custom indexes to ingest the data by updating the relevant event types. Refer to the section Update configuration files to use custom indexes for more details.
Update configuration files to use custom indexes
Perform the following steps to update configuration files to use custom index(es):
- Copy the inputs.conf file from the default subdirectory /Splunk_TA_windows/default/ to the local subdirectory /Splunk_TA_windows/local/ on the forwarder.
- Open the inputs.conf in the local subdirectory with a text editor.
- If you are using <<CUSTOM INDEX>> instead of the TA_windows default indexes, add index = <<CUSTOM INDEX>> under the stanzas listed in the previous table for the Windows default indexes.
The following are examples of input stanzas:
```
[perfmon://CPU]
counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
disabled = 1
instances = *
interval = 10
mode = single
object = Processor
useEnglishOnly=true
index = <<CUSTOM INDEX>>

[WinEventLog://Application]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=false
index = <<CUSTOM INDEX>>

[WinPrintMon://port]
type = port
interval = 600
baseline = 1
disabled = 1
index = <<CUSTOM INDEX>>
```
Update eventtypes.conf
Perform the following steps to update eventtypes.conf files to a custom index:
- Copy the eventtypes.conf file from the default subdirectory /DA-ITSI-CP-windows-dashboards/default/ to the local subdirectory /DA-ITSI-CP-windows-dashboards/local/ on the search head.
- Open the eventtypes.conf in the local subdirectory with a text editor.
- If you are using <<CUSTOM INDEX>> instead of the Windows default indexes, update the eventtype definitions as shown in the following table:
Default index | Custom index | Updated eventtypes |
---|---|---|
perfmon | <<CUSTOM INDEX 1>> | [perfmon_index_windows], definition = index=perfmon OR index=<<CUSTOM INDEX 1>> |
wineventlog | <<CUSTOM INDEX 2>> | [wineventlog_index_windows], definition = index=wineventlog OR index=<<CUSTOM INDEX 2>> |
windows | <<CUSTOM INDEX 3>> | [windows_index_windows], definition = index=windows OR index=<<CUSTOM INDEX 3>> |
Update configuration files to use the main index
Perform the following steps to update eventtypes.conf files to the main index:
- Copy the eventtypes.conf file from the default subdirectory /DA-ITSI-CP-windows-dashboards/default/ to the local subdirectory /DA-ITSI-CP-windows-dashboards/local/ on the search head.
- Open the eventtypes.conf in the local subdirectory with a text editor.
- If you are using index=main instead of the Windows default indexes, update the eventtype definitions as shown in the following table:
Default index | Main index | Updated eventtypes |
---|---|---|
perfmon | main | [perfmon_index_windows], definition = index=perfmon OR index=main |
wineventlog | main | [wineventlog_index_windows], definition = index=wineventlog OR index=main |
windows | main | [windows_index_windows], definition = index=windows OR index=main |
This documentation applies to the following versions of Content Pack for Windows Dashboards and Reports: 1.2.0, 1.2.1, 1.2.2, 1.3.0