Collect Windows metrics and logs with the data collection script in ITSI
Use the data collection script to configure data collection agents on Windows hosts you want to collect metrics and log data from.
The data collection script requires internet access. If you don't have internet access, configure data collection manually. For more information, see these topics:
- Manually collect metrics from a Windows host in ITSI
- Manually collect logs from a Windows host in ITSI
If you haven't seen the requirements yet, see Windows integration requirements for ITSI.
If you're using Splunk Cloud, you need to enter specific information according to your cloud stack when you configure an integration. For more information, see Send data to Splunk Cloud with ITSI data collection agents.
To see which data the Windows integration sends to ITSI, see Windows data you can collect with ITSI.
|Windows host||See Windows operating system support.|
|Dependencies||See Required Windows dependencies.|
In Splunk Enterprise, you have to be a user with the
In Splunk Cloud, you have to be a user with the
|Internet access||The data collection script downloads a universal forwarder package from https://www.splunk.com/en_us/download/universal-forwarder.html.|
Steps to configure the data collection script for Windows hosts
Follow these steps to configure and use the data collection script to collect Windows metrics and logs in ITSI.
1. Specify configuration options
Configure data collection options for collecting metrics and logs from your host.
- From the ITSI main menu, go to Configuration > Data Integrations.
- Click the Windows chicklet.
- Click Customize to select the metrics and log sources you want to collect data for.
uptime metrics are selected by default, and cannot be deselected.
- If you select cpu > Collect data for each CPU, the metrics are stored for each CPU core so that you can split CPU usage by core in the Analysis Workspace.
- If you select cpu > Collect sum over all CPUs, only aggregate metrics are stored for CPU usage.
- ITSI creates a custom script for you to run on your host system based on your data selections and customizations.
dimension:value, such as region:uswest. You can't delete dimensions the plug-in creates.
9997 if it's available.
2. Copy and paste the data collection script in a PowerShell window on the host
Deploy the script on your host to collect metrics and logs.
Follow these steps to deploy the script:
- Connect to the Windows host.
- Open a PowerShell window on the host.
- Paste the script into the PowerShell window on the host and run the script.
- When you run the script on a Windows system for the first time, you might receive a message stating that the universal forwarder was installed without creating an admin user. If this occurs, you have to manually create admin credentials. For information about creating admin credentials, see user-seed.conf in the Splunk Enterprise Admin Manual.
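Host-side checks you can run in the same PowerShell window once the script finishes, as an added example that is not part of the Splunk documentation or of the script ITSI generates. The install directory and service name are assumed universal forwarder defaults, and the receiver host is a placeholder for your own ITSI receiver.

```powershell
# Added example. Assumptions (not from this page): default install directory,
# default service name, and a placeholder receiver host.
$SplunkHome   = 'C:\Program Files\SplunkUniversalForwarder'
$ServiceName  = 'SplunkForwarder'
$ReceiverHost = 'indexer.example.com'   # placeholder: replace with your receiver
$ReceiverPort = 9997                    # receiving port referenced in step 1

function Test-ForwarderInstall {
    param($SplunkHome, $ServiceName, $ReceiverHost, $ReceiverPort)
    $result = [ordered]@{}

    # 1. Is the forwarder service installed, and is it running?
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $result.ServiceStatus = if ($svc) { "$($svc.Status)" } else { 'NotInstalled' }

    # 2. The script downloaded the package from the internet, so confirm the
    #    installed binary carries a valid Authenticode signature and review
    #    the signer subject it reports.
    $exe = Join-Path $SplunkHome 'bin\splunkd.exe'
    if (Test-Path $exe) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        $result.SignatureStatus = "$($sig.Status)"
        $result.Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    } else {
        $result.SignatureStatus = 'BinaryNotFound'
        $result.Signer = $null
    }

    # 3. Splunk keeps local users in etc\passwd. If the file is absent, no
    #    admin user exists yet and user-seed.conf is still needed.
    $result.AdminUserCreated = Test-Path (Join-Path $SplunkHome 'etc\passwd')

    # 4. Can this host open a TCP connection to the receiver?
    $tcp = Test-NetConnection -ComputerName $ReceiverHost -Port $ReceiverPort `
        -WarningAction SilentlyContinue
    $result.ReceiverReachable = $tcp.TcpTestSucceeded

    [pscustomobject]$result
}

Test-ForwarderInstall -SplunkHome $SplunkHome -ServiceName $ServiceName `
    -ReceiverHost $ReceiverHost -ReceiverPort $ReceiverPort | Format-List
```

A `SignatureStatus` other than `Valid`, or a signer you do not recognize, is a reason to remove the forwarder and install it again from a package you have verified yourself.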
3. Verify your data connection
Verify your data connection to start monitoring your infrastructure. It can take up to about five minutes for your host to display in the user interface.
In the ITSI user interface, go to Configuration > Entities and wait for new hosts to start appearing. Each host has the entity type
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.6.0 Cloud only, 4.6.1 Cloud only, 4.6.2 Cloud only, 4.7.0, 4.7.1, 4.7.2, 4.8.0 Cloud only, 4.8.1 Cloud only, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only