Splunk® Content Packs for ITSI and IT Essentials Work

Install and Configure the Content Pack for Windows Dashboards and Reports

Perform the following high-level steps to configure the Content Pack for Windows Dashboards and Reports:

  1. Create the necessary indexes.
  2. Install and configure the Splunk Add-on for Windows.
  3. Install and configure the Splunk Supporting Add-on for Active Directory.
  4. Install the Content Pack.
  5. Run the necessary saved searches to build the required lookups.

Prerequisites

  • Make sure that the App Key-Value Store is enabled in the environment where the content pack is installed.
  • The ITSI or IT Essentials Work app must be installed and configured in your environment.

Step 1: Create necessary Indexes

The Content Pack for Windows Dashboards and Reports requires the 4 indexes below to index and display the data coming from the Splunk Add-on for Windows.

Create the following indexes from the search head UI:

  • msad
  • perfmon
  • windows
  • wineventlog

To create the indexes, follow the instructions for your deployment:

For Splunk Enterprise, see Create events indexes. For Splunk Cloud, contact Splunk Support to set up, manage, and maintain your cloud index parameters. See Manage Splunk Cloud Platform indexes.

Step 2: Install and Configure Splunk Add-on for Windows

This content pack depends on data from the Splunk Add-on for Windows, which collects computer, groups, security, DNS, organizational, and domain data from your Windows server hosts. For instructions to install and configure the add-on, see Install the Splunk Add-on for Windows.

For information about getting data in from the Splunk Add-on for Windows for the content pack, see Get Windows Data.

The table below shows where to install the Splunk Add-on for Windows in your distributed environment:

| Package | Search head | Indexer | Forwarder |
|---|---|---|---|
| Splunk Add-on for Windows | X | X | X |

Step 3: Install and Configure Splunk Supporting Add-on for Active Directory

This content pack depends on the custom commands provided by the Splunk Supporting Add-on for Active Directory to search for the necessary attributes in Active Directory. For instructions to install and configure the add-on, see Install the Splunk Supporting Add-on for Active Directory.

For information about getting data in from the Splunk Supporting Add-on for Active Directory for the content pack, see Get Active Directory Data.

The table below shows where to install Splunk Supporting Add-on for Active Directory in your distributed environment:

Package Search head Indexer Forwarder
Splunk Supporting Add-on for Active Directory X

Step 4: Install the content pack

The Splunk App for Content Packs contains the Content Pack for Windows Dashboards and Reports. The content pack contents are automatically installed once the Splunk App for Content Packs is installed on the search head.

Note: The ITSI Content Pack for Windows Dashboards and Reports and the Splunk App for Windows Infrastructure contain identical knowledge objects that can cause a conflict when installed on the same search head deployment. To avoid knowledge object conflicts, do not install both apps on the same search head.

For more information, see Install the Splunk App for Content Packs.

Step 5: Run saved searches

The build_winfra_lookup saved search is required to use the content pack dashboards. The search fills the lookup tables that are used to populate the dashboards and reports in the content pack.

Before running the search, make sure that data is populating the four indexes created in Step 1: Create necessary indexes. Follow these steps to run the saved searches:

  1. Go to Settings > Searches, Reports and Alerts.
  2. Search for the build_winfra_lookup saved search.
  3. Run the search and verify that all of the following searches included in the build_winfra_lookup search have run:
  • WinApp_Lookup_Build_Perfmon - Update - Server
  • WinApp_Lookup_Build_Printmon - Update
  • WinApp_Lookup_Build_Netmon - Update - Detail
  • WinApp_Lookup_Build_Netmon - Update - Server
  • WinApp_Lookup_Build_Hostmon_Services - Update - Detail
  • WinApp_Lookup_Build_Hostmon_Process - Update - Detail
  • WinApp_Lookup_Build_Hostmon_FS - Update - Detail
  • WinApp_Lookup_Build_Hostmon_Machine - Update - Detail
  • WinApp_Lookup_Build_Hostmon - Update - Server
  • WinApp_Lookup_Build_Event - Update - Detail
  • WinApp_Lookup_Build_Event - Update - Server
  • WinApp_Lookup_Build_Perfmon - Update - Detail
  • ActiveDirectory: Update Computer Lookup
  • ActiveDirectory: Update User Lookup
  • ActiveDirectory: Update Group Lookup
  • ActiveDirectory: Update GPO Lookup
  • tSiteInfo_Lookup_Update
  • tSessions_Lookup_Update
  • HostInfo_Lookup_Update
  • HostToDomain_Lookup_Update
  • DomainSelector_Lookup
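
One way to confirm that data is populating the four indexes before you run build_winfra_lookup (an added example, not part of the original Splunk documentation; the 24-hour window and the output field names events, last_event, and status are assumptions):

```spl
| tstats count AS events latest(_time) AS last_event
    WHERE index IN (msad, perfmon, windows, wineventlog) earliest=-24h
    BY index
``` Append one row per expected index so that an index with no events still appears in the result ```
| append
    [| makeresults
     | eval index=split("msad,perfmon,windows,wineventlog", ",")
     | mvexpand index
     | fields index]
| stats max(events) AS events max(last_event) AS last_event BY index
| fillnull value=0 events
| eval status=if(events > 0, "ok", "NO DATA"),
       last_event=strftime(last_event, "%F %T")
| table index events last_event status
```

Any row with status NO DATA points to an index that is missing or not receiving data from the add-ons, so the lookups built from it will be empty.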

Last modified on 08 September, 2021

This documentation applies to the following versions of Splunk® Content Packs for ITSI and IT Essentials Work: current

