Content Pack for Monitoring Microsoft Windows

Install and configure the Content Pack for Monitoring Microsoft Windows

Perform the following high-level steps to configure the Content Pack for Monitoring Microsoft Windows:

  1. Install the content pack on your ITSI search head.
  2. Update the index search macro that includes all indexes you're using for data collection.
  3. Update the KPI Base Search macros if you are not using the recommended method of data ingestion.
  4. Enable entity discovery to automatically discover entities for which relevant data has been collected.
  5. Tune KPI base searches.
  6. Tune KPI threshold levels.

Prerequisites

Install the content pack

You have two options for installing and configuring the Content pack for Monitoring Microsoft Windows:

  • One option is to install the content pack from the Splunk App for Content Packs. The Content Pack for Monitoring Microsoft Windows is included in the Splunk App for Content Packs if you are using ITSI version 4.9.x or higher.
  • Your second option is to install the content pack using the backup and restore functionality provided by ITSI. You must choose this option if you are using ITSI version 4.8.x or lower.

Install the content pack from the Splunk App for Content Packs

To install the Content Pack for Monitoring Microsoft Windows this way, you first have to install the Splunk App for Content Packs. To install the Splunk App for Content Packs in your environment, see the Splunk App for Content Packs installation instructions.

After you install the Splunk App for Content Packs, follow these steps to configure the Content Pack for Monitoring Microsoft Windows:

  1. From the ITSI main menu, go to Configuration > Data Integrations.
  2. Select Add content packs or Add structure to your data depending on your version of ITSI.
  3. Select the Monitoring Microsoft Windows content pack.
  4. Review what's included in the content pack and then select Proceed.
  5. Configure the following settings:
    Choose which objects to install
      For a first-time installation, select the items you want to install and deselect any you're not interested in.
      For an upgrade, the installer identifies which objects from the content pack are new and which ones already exist in your environment from a previous installation. You can selectively choose which objects to install from the new version, or install them all.

    Choose a conflict resolution rule for the objects you install
      For upgrades or subsequent installs, decide what happens to duplicate objects introduced from the content pack. Choose from the following options:
      • Install as new - Objects are installed and any existing identical objects in your environment remain intact.
      • Replace existing - Existing identical objects are replaced with those from the new installation. Any changes you previously made to these objects are overwritten.

    Import as enabled
      Select whether to install objects as enabled or to leave them in their original state. It's recommended that you import objects as disabled to ensure your environment doesn't break from the addition of new content.
      This setting only applies to services, correlation searches, and aggregation policies. All other objects such as KPI base searches and saved searches are installed in their original state regardless of which option you choose.

    Add a prefix to your new objects
      Optionally, prepend a custom prefix to each object installed from the content pack. For example, you might prefix your objects with CP- to indicate they came from a content pack. This option can help you locate and manage the objects post-install.

    Backfill service KPIs
      Optionally backfill your ITSI environment with the previous seven days of KPI data. Consider enabling backfill if you want to configure adaptive thresholding and Predictive Analytics for the new services. This setting only applies to KPIs and not service health scores.
  6. When you're satisfied with your selections, select Install selected.
  7. Select Install to confirm the installation. When the installation completes you can view all objects that were successfully installed in your environment. A green check mark in the main Content Library list indicates which content packs you've already installed.

Install the content pack using backup and restore functionality provided by ITSI

If you are using ITSI version 4.8.x or lower, follow these steps to install the Content Pack for Monitoring Microsoft Windows. For instructions on restoring a backup, see Restore from a backup zip in the Administration Manual.

Perform the following steps to install the content pack:

  1. Download the following ITSI backup file: BACKUP-CP-WIN-OS-1.0.1.zip.
  2. On your ITSI search head, create a restore job and upload the backup file. For instructions, see Restore from a backup zip file.
  3. After the restore job completes, confirm that the objects included in the content pack are restored to your environment.

(Optional) Update the index search macro with custom index

Prerequisites

  • Admin role is required to update the index search macro.
  • You have to know the indexes your organization uses to send data from the Splunk Add-on for Microsoft Windows to your Splunk platform deployment.

Steps

  1. From Splunk Web, select Settings > Advanced Search > Search Macros.
  2. Configure the custom index settings:
    itsi-cp-windows-indexes (index type: Events)
      All of the event indexes that you're using for data collection from add-ons, combined with OR operators.
      For example: index=windows OR index=perfmon OR index=<index-name>

    itsi-cp-windows-metrics-indexes (index type: Metrics)
      All of the metrics indexes that you're using for data collection from add-ons, combined with OR operators.
      For example: index=itsi_im_metrics OR index=<index-name>

Update the KPI base search macro with new definition based on data ingested

If you are not yet using the recommended data ingestion method (metrics data with a custom sourcetype), you need to update five macros before this content pack will work. Refer to the sections below and update the macros based on your data ingestion method.

Update the macros to use the event search with single mode

If you are a customer that is ingesting the perfmon data as events with single mode, you will need to edit the following macros with this new definition to use this content pack:

Macro Name Current Definition Updated Definition
monitoring_windows_cpu_wrapper `monitoring_windows_cpu_recommended` `monitoring_windows_cpu_events`
monitoring_windows_logicaldisk_wrapper `monitoring_windows_logicaldisk_recommended` `monitoring_windows_logicaldisk_events`
monitoring_windows_memory_wrapper `monitoring_windows_memory_recommended` `monitoring_windows_memory_events`
monitoring_windows_network_wrapper `monitoring_windows_network_recommended` `monitoring_windows_network_events`
monitoring_windows_physicaldisk_wrapper `monitoring_windows_physicaldisk_recommended` `monitoring_windows_physicaldisk_events`

Update the macros to use the metrics data with default sourcetype

If you are a customer that is ingesting the perfmon data as metrics without specifying the custom sourcetype, you will need to edit the following macros with this new definition to use this content pack.

Macro Name Current Definition Updated Definition
monitoring_windows_cpu_wrapper `monitoring_windows_cpu_recommended` `monitoring_windows_cpu_deprecated`
monitoring_windows_logicaldisk_wrapper `monitoring_windows_logicaldisk_recommended` `monitoring_windows_logicaldisk_deprecated`
monitoring_windows_memory_wrapper `monitoring_windows_memory_recommended` `monitoring_windows_memory_deprecated`
monitoring_windows_network_wrapper `monitoring_windows_network_recommended` `monitoring_windows_network_deprecated`
monitoring_windows_physicaldisk_wrapper `monitoring_windows_physicaldisk_recommended` `monitoring_windows_physicaldisk_deprecated`

Update the macros to use the mixed mode of data

If you are a customer that is ingesting the perfmon data in different ways on different Windows Hosts, you will need to edit the following macros with this new definition to use this content pack.

Note: This method can return truncated results. Use it only as a stopgap while you plan to migrate to the recommended method of data ingestion.

Macro Name Current Definition Updated Definition
monitoring_windows_cpu_wrapper `monitoring_windows_cpu_recommended` `monitoring_windows_cpu_mixed_mode_TRUNCATED_RESULTS`
monitoring_windows_logicaldisk_wrapper `monitoring_windows_logicaldisk_recommended` `monitoring_windows_logicaldisk_mixed_mode_TRUNCATED_RESULTS`
monitoring_windows_memory_wrapper `monitoring_windows_memory_recommended` `monitoring_windows_memory_mixed_mode_TRUNCATED_RESULTS`
monitoring_windows_network_wrapper `monitoring_windows_network_recommended` `monitoring_windows_network_mixed_mode_TRUNCATED_RESULTS`
monitoring_windows_physicaldisk_wrapper `monitoring_windows_physicaldisk_recommended` `monitoring_windows_physicaldisk_mixed_mode_TRUNCATED_RESULTS`
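The index macros above and the five wrapper macros in the three tables are ordinary search macros, so you can render and check them before touching the deployment. The following script is an added example (not part of the content pack or of ITSI): it writes macros.conf stanzas for the two index macros and the five wrapper macros for a chosen ingestion mode, re-parses the text, and verifies that every wrapper points at the definition the tables require. The index-name check is deliberately strict because a macro definition expands verbatim into every KPI search that uses it, so anything other than plain index=<name> terms should not get in. The mode names, the lowercase-only index pattern, and the target file location are assumptions of this example; the page does not name the app directory that owns these macros.

```python
"""
Render and validate the macros.conf stanzas the Content Pack for Monitoring
Microsoft Windows depends on. Added example, not content pack code.
"""
import re
from typing import Dict, List

# The five component wrappers and the definition suffix each ingestion mode needs,
# taken from the three tables above. Mode names are this example's own.
COMPONENTS = ("cpu", "logicaldisk", "memory", "network", "physicaldisk")
MODE_SUFFIX = {
    "recommended": "recommended",              # metrics data with custom sourcetype
    "events": "events",                        # perfmon events, single mode
    "metrics_default": "deprecated",           # metrics data with default sourcetype
    "mixed": "mixed_mode_TRUNCATED_RESULTS",   # stopgap only, results may be truncated
}
INDEX_MACROS = ("itsi-cp-windows-indexes", "itsi-cp-windows-metrics-indexes")

# Assumption: plain Splunk index names only (no wildcards, no spaces, no SPL syntax).
INDEX_NAME = re.compile(r"^[a-z0-9_-]+$")


def index_macro_definition(indexes: List[str]) -> str:
    """Build 'index=a OR index=b', refusing anything that is not a plain index name.
    The definition is spliced into every KPI search, so a stray pipe or subsearch
    here would run inside all of them."""
    if not indexes:
        raise ValueError("at least one index is required")
    for name in indexes:
        if not INDEX_NAME.match(name):
            raise ValueError(f"not a plain index name: {name!r}")
    return " OR ".join(f"index={name}" for name in indexes)


def render_macros_conf(mode: str, event_indexes: List[str], metric_indexes: List[str]) -> str:
    """Return macros.conf text for the two index macros and the five wrappers."""
    suffix = MODE_SUFFIX[mode]
    stanzas = [
        ("itsi-cp-windows-indexes", index_macro_definition(event_indexes)),
        ("itsi-cp-windows-metrics-indexes", index_macro_definition(metric_indexes)),
    ]
    for comp in COMPONENTS:
        stanzas.append((f"monitoring_windows_{comp}_wrapper",
                        f"`monitoring_windows_{comp}_{suffix}`"))
    return "\n".join(f"[{name}]\ndefinition = {definition}\n" for name, definition in stanzas)


def parse_macros_conf(text: str) -> Dict[str, str]:
    """Minimal parser for the [stanza] / definition = ... layout rendered above."""
    macros: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and line.startswith("definition"):
            macros[current] = line.split("=", 1)[1].strip()
    return macros


def validate_macros_conf(text: str, mode: str) -> List[str]:
    """Return a list of problems; an empty list means every macro matches the mode."""
    problems: List[str] = []
    macros = parse_macros_conf(text)
    suffix = MODE_SUFFIX[mode]
    for comp in COMPONENTS:
        name = f"monitoring_windows_{comp}_wrapper"
        want = f"`monitoring_windows_{comp}_{suffix}`"
        if macros.get(name) != want:
            problems.append(f"{name}: expected {want}, found {macros.get(name)!r}")
    for name in INDEX_MACROS:
        definition = macros.get(name, "")
        terms = definition.split(" OR ") if definition else []
        if not terms or not all(t.startswith("index=") and INDEX_NAME.match(t[6:]) for t in terms):
            problems.append(f"{name}: must be 'index=<name> OR index=<name> ...', found {definition!r}")
    return problems


if __name__ == "__main__":
    # Constructed example: perfmon events in single mode, two event indexes, one metrics index.
    conf = render_macros_conf("events", ["windows", "perfmon"], ["itsi_im_metrics"])
    print(conf)
    print("problems:", validate_macros_conf(conf, "events"))
```

Paste the rendered stanzas into the local macros.conf of the app that owns these macros, or use validate_macros_conf against a copy of what you entered through Settings > Advanced Search > Search Macros. If you legitimately use wildcards in index names, widen INDEX_NAME rather than dropping the check.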

Enable automatic entity discovery

Perform the following steps to ensure that ITSI automatically detects your Microsoft Windows hosts. For best results, perform these steps after configuring one or more hosts to send data to Splunk.

  1. Navigate to ITSI on the search head.
  2. Select Configuration > Entities.
  3. Select Create Entity > Import from Search.
  4. Select Ad hoc search and enter the following search:

    `itsi-cp-windows-indexes` sourcetype=WinHostMon | eval role="operating_system_host" | stats latest(family) as family, latest(version) as version, latest(vendor_product) as vendor_product, latest(role) as itsi_role, latest(cpu_cores) as cpu_cores, latest(mem) as memory, latest(cpu_architecture) as cpu_architecture by host | fields + host, family, version, vendor_product, itsi_role, cpu_cores, memory, cpu_architecture

  5. Select the search icon to run the search and confirm that one or more hosts are shown with all columns populated.
  6. Select Next.
  7. In the Import Column As column, set the host field to Entity Title. Set all other fields to Entity Information Field.
  8. Set Conflict Resolution to Update Existing Entities and set the Conflict Resolution Field to host.
  9. Select Import.
  10. After the import completes, select Set up Recurring Import.
  11. Name the recurring import ITSI discovery of Windows servers
  12. Set the frequency based on the needs of your deployment. Use Run on cron Schedule for maximum flexibility.
  13. Select Submit. ITSI creates the new modular input in $SPLUNK_HOME/etc/apps/itsi/local/inputs.conf.

Enabling automatic entity discovery is not required if performance data is ingested into a metrics index, which is the method preferred by IT Essentials Work and IT Service Intelligence.
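To see what the discovery search in step 4 produces and why step 5 asks you to confirm that every column is populated, here is an added example (not ITSI code, and it does not talk to Splunk) that emulates the search and the import on a few constructed WinHostMon-style events. It takes latest() per field by host, the way the SPL does, so a host whose attributes arrive across several events is still assembled into one row; it then reports hosts that would import with empty columns, and applies the "Update Existing Entities" merge keyed on host. The sample events, the existing entity and the exact merge semantics are this example's assumptions.

```python
"""
Emulate the Windows host discovery search and the entity import from the steps
above. Added example, not ITSI code; sample events are constructed.
"""
from typing import Dict, List

# Fields the discovery search emits, in the order of its `fields` clause.
ENTITY_FIELDS = ("family", "version", "vendor_product", "itsi_role",
                 "cpu_cores", "memory", "cpu_architecture")

# Renames the search applies with `as` (mem becomes memory).
RENAME = {"mem": "memory"}

# Constructed WinHostMon-style events (_time is a simple ordinal here).
SAMPLE_EVENTS = [
    {"_time": 1, "host": "win-app-01", "family": "Windows", "version": "10.0.20348",
     "vendor_product": "Microsoft Windows Server 2022", "cpu_architecture": "x64"},
    {"_time": 2, "host": "win-app-01", "cpu_cores": 4, "mem": 16384},
    {"_time": 3, "host": "win-app-01", "cpu_cores": 8, "mem": 32768},   # newer values win
    {"_time": 4, "host": "win-db-02", "family": "Windows", "version": "10.0.17763",
     "vendor_product": "Microsoft Windows Server 2019"},                # no cpu/mem seen yet
]


def discover_entities(events: List[dict]) -> List[dict]:
    """Equivalent of: eval role="operating_system_host" | stats latest(...) by host.
    latest() is evaluated per field, ignoring events where the field is absent."""
    by_host: Dict[str, dict] = {}
    for ev in sorted(events, key=lambda e: e["_time"]):   # oldest first, later overwrite
        row = by_host.setdefault(ev["host"], {"host": ev["host"],
                                              "itsi_role": "operating_system_host"})
        for key, value in ev.items():
            if key not in ("_time", "host"):
                row[RENAME.get(key, key)] = value
    return [dict(row) for _, row in sorted(by_host.items())]


def incomplete_hosts(rows: List[dict]) -> Dict[str, List[str]]:
    """Step 5 check: hosts whose import preview would show empty columns."""
    return {row["host"]: [f for f in ENTITY_FIELDS if f not in row]
            for row in rows if any(f not in row for f in ENTITY_FIELDS)}


def import_entities(existing: Dict[str, dict], rows: List[dict]) -> Dict[str, dict]:
    """Assumed behaviour of 'Update Existing Entities' with conflict field host:
    an entity with a matching title gets its information fields refreshed and
    keeps fields the search did not supply; unmatched hosts become new entities."""
    result = {title: dict(fields) for title, fields in existing.items()}
    for row in rows:
        merged = result.get(row["host"], {})
        merged.update({k: v for k, v in row.items() if k != "host"})
        result[row["host"]] = merged
    return result


if __name__ == "__main__":
    rows = discover_entities(SAMPLE_EVENTS)
    for row in rows:
        print(row)
    print("hosts with empty columns:", incomplete_hosts(rows))
    # Constructed pre-existing entity with an operator-maintained field.
    print(import_entities({"win-app-01": {"cpu_cores": 4, "owner": "platform-team"}}, rows))
```

In the constructed input, win-db-02 has only sent operating-system events so far, so it is exactly the kind of host that step 5 tells you to wait for (or investigate) before importing; running the recurring import on a cron schedule picks it up once the remaining WinHostMon data arrives.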

Tune KPI base searches

This content pack ships with the following KPI base searches:

  • OS:Performance.WIN.CPU
  • OS:Performance.WIN.LogicalDisk
  • OS:Performance.WIN.Memory
  • OS:Performance.WIN.Network
  • OS:Performance.WIN.PhysicalDisk
  • OS:Performance.WIN.WinHostMon

Each search runs every five minutes with a five-minute calculation window, and uses only the latest value on a per-entity basis. The five-minute window ensures that you won't see N/A for data that is collected less frequently, and using the latest value means that the KPI status refreshes as quickly as possible for data that is collected more frequently.

You must review and tune all base searches to run at a frequency that matches your data collection interval.

Tune KPI thresholds

Aggregate KPI thresholds use the Normal, Low, and Medium levels, while per-entity thresholds, except for available disk space, don't exceed Medium. Keeping OS-level thresholds low allows application-level KPIs to take a more prominent threshold level. For example, a server at 100% CPU isn't a critical issue if the apps running on that server are responding normally.

Aggregate threshold values are calculated for general use only. You must tune these threshold values according to your environment. For more information, see Overview of creating KPIs in ITSI in the Service Insights manual.

Last modified on 30 January, 2024
This documentation applies to the following versions of Content Pack for Monitoring Microsoft Windows: 1.2.0
