Splunk® Content Packs for ITSI and IT Essentials Work

Get Windows Data

This topic discusses the steps to get the necessary data from the Windows servers by installing and configuring the Splunk Add-on for Windows.

About the Splunk Add-on for Windows

The Splunk Add-on for Windows collects Windows data from Windows hosts. In the context of the Content Pack for Windows Dashboards and Reports, the add-on collects Windows data and provides knowledge objects for the app. You need to deploy the Splunk Add-on for Windows to:

  • All hosts that run Active Directory Domain Services (including domain controllers and DNS servers).
  • All Windows hosts from which you want Windows data.
  • All indexers.
  • All search heads.

Download the Splunk Add-on for Windows

  1. Download the Splunk Add-on for Windows from Splunkbase and save it to an accessible place on the deployment server.
  2. When prompted, choose an accessible location on your deployment server to save the download. Do not attempt to run the download.
  3. Unarchive the file to an accessible location.

For instructions about how to install the Splunk Add-on for Windows, see Install the Splunk Add-on for Windows.

Configure the Splunk Add-on for Windows

Note: Microsoft Windows event logs that are rendered in XML format will not populate in the Content Pack for Windows Dashboards and Reports.

  1. In the location where you unarchived the download file, locate the Splunk_TA_windows directory.
  2. Create a local subdirectory within the Splunk_TA_windows directory.
  3. Copy the inputs.conf file in the default subdirectory to the local directory.
  4. Edit the disabled and mode attributes in the inputs.conf file. Optionally, as shown below, add an index attribute to use specific indexes.

From version 5.0.1 onwards, the Splunk Add-on for Windows collects perfmon data in multikv mode by default. This mode produces a different event format from the single mode, and the Content Pack for Windows Dashboards and Reports supports single mode only, so change the value of the mode parameter to single in every perfmon stanza in /Splunk_TA_windows/default/inputs.conf on the forwarder.

The following example input stanzas show the required settings:

[perfmon://CPU]
counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
disabled = 0
instances = *
interval = 10
mode = single
object = Processor
useEnglishOnly=true
 
## Logical Disk
[perfmon://LogicalDisk]
counters = % Free Space; Free Megabytes; Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
disabled = 0
instances = *
interval = 10
mode = single
object = LogicalDisk
useEnglishOnly=true
 
## Physical Disk
[perfmon://PhysicalDisk]
counters = Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
disabled = 0
instances = *
interval = 10
mode = single
object = PhysicalDisk
useEnglishOnly=true
 
## Memory
[perfmon://Memory]
counters = Page Faults/sec; Available Bytes; Committed Bytes; Commit Limit; Write Copies/sec; Transition Faults/sec; Cache Faults/sec; Demand Zero Faults/sec; Pages/sec; Pages Input/sec; Page Reads/sec; Pages Output/sec; Pool Paged Bytes; Pool Nonpaged Bytes; Page Writes/sec; Pool Paged Allocs; Pool Nonpaged Allocs; Free System Page Table Entries; Cache Bytes; Cache Bytes Peak; Pool Paged Resident Bytes; System Code Total Bytes; System Code Resident Bytes; System Driver Total Bytes; System Driver Resident Bytes; System Cache Resident Bytes; % Committed Bytes In Use; Available KBytes; Available MBytes; Transition Pages RePurposed/sec; Free & Zero Page List Bytes; Modified Page List Bytes; Standby Cache Reserve Bytes; Standby Cache Normal Priority Bytes; Standby Cache Core Bytes; Long-Term Average Standby Cache Lifetime (s)
disabled = 0
interval = 10
mode = single
object = Memory
useEnglishOnly=true
 
## Network
[perfmon://Network]
counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size
disabled = 0
instances = *
interval = 10
mode = single
object = Network Interface
useEnglishOnly=true
 
## Process
[perfmon://Process]
counters = % Processor Time; % User Time; % Privileged Time; Virtual Bytes Peak; Virtual Bytes; Page Faults/sec; Working Set Peak; Working Set; Page File Bytes Peak; Page File Bytes; Private Bytes; Thread Count; Priority Base; Elapsed Time; ID Process; Creating Process ID; Pool Paged Bytes; Pool Nonpaged Bytes; Handle Count; IO Read Operations/sec; IO Write Operations/sec; IO Data Operations/sec; IO Other Operations/sec; IO Read Bytes/sec; IO Write Bytes/sec; IO Data Bytes/sec; IO Other Bytes/sec; Working Set - Private
disabled = 0
instances = *
interval = 10
mode = single
object = Process
useEnglishOnly=true
 
## Processor Information
[perfmon://ProcessorInformation]
counters = % Processor Time; Processor Frequency
disabled = 0
instances = *
interval = 10
mode = single
object = Processor Information
useEnglishOnly=true
 
## System
[perfmon://System]
counters = File Read Operations/sec; File Write Operations/sec; File Control Operations/sec; File Read Bytes/sec; File Write Bytes/sec; File Control Bytes/sec; Context Switches/sec; System Calls/sec; File Data Operations/sec; System Up Time; Processor Queue Length; Processes; Threads; Alignment Fixups/sec; Exception Dispatches/sec; Floating Emulations/sec; % Registry Quota In Use
disabled = 0
instances = *
interval = 10
mode = single
object = System
useEnglishOnly=true

Note: If you do not complete the step above, Windows perfmon data will not appear in the dashboards.

From version 5.0.1 onwards, you can either use the default Windows indexes listed in the table below or create your own custom index. If you use the default indexes, add an index parameter with the value shown in the table below to each listed stanza in /Splunk_TA_windows/default/inputs.conf on the forwarder.

Input stanzas, their default index, and the event type that searches that index:

Input stanzas: [WinEventLog://Application], [WinEventLog://Security], [WinEventLog://System], [WinEventLog://ForwardedEvents]
Index: wineventlog
Event type: wineventlog_index_windows

Input stanzas: [monitor://$WINDIR\System32\DHCP], [monitor://$WINDIR\WindowsUpdate.log], [script://.\bin\win_listening_ports.bat], [script://.\bin\win_installed_apps.bat], [script://.\bin\win_timesync_status.bat], [script://.\bin\win_timesync_configuration.bat], [WinHostMon://Computer], [WinHostMon://Process], [WinHostMon://Processor], [WinHostMon://NetworkAdapter], [WinHostMon://Service], [WinHostMon://OperatingSystem], [WinHostMon://Disk], [WinHostMon://Driver], [WinHostMon://Roles], [WinPrintMon://printer], [WinPrintMon://driver], [WinPrintMon://port], [WinNetMon://inbound], [WinNetMon://outbound]
Index: windows
Event type: windows_index_windows

Input stanzas: [perfmon://CPU], [perfmon://LogicalDisk], [perfmon://PhysicalDisk], [perfmon://Memory], [perfmon://Network], [perfmon://Process], [perfmon://ProcessorInformation], [perfmon://System]
Index: perfmon
Event type: perfmon_index_windows

Input stanzas: [admon://default], [WinRegMon://default], [WinRegMon://hkcu_run], [WinRegMon://hklm_run]
Index: windows
Event type: windows_index_windows

Input stanzas: [monitor://$WINDIR\debug\netlogon.log], [MonitorNoHandle://$WINDIR\System32\Dns\dns.log], [script://.\bin\runpowershell.cmd nt6-repl-stat.ps1], [powershell://Replication-Stats], [script://.\bin\runpowershell.cmd nt6-health.ps1], [powershell://AD-Health], [script://.\bin\runpowershell.cmd nt6-siteinfo.ps1], [powershell://Siteinfo], [script://.\bin\runpowershell.cmd dns-zoneinfo.ps1], [script://.\bin\runpowershell.cmd dns-health.ps1], [admon://default]
Index: msad
Event type: msad_index_windows

Save inputs.conf in the local subdirectory. Below are example inputs.conf stanzas with the index parameter set:

[perfmon://CPU]
counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
disabled = 0
instances = *
interval = 10
mode = single
object = Processor
useEnglishOnly=true
index = perfmon
 
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=false
index = wineventlog
 
[WinPrintMon://port]
type = port
interval = 600
baseline = 1
disabled = 0
index = windows
 
[script://.\bin\runpowershell.cmd nt6-siteinfo.ps1]
source=Powershell
sourcetype=MSAD:NT6:SiteInfo
interval=3600
disabled=0
index = msad
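Before deploying the edited inputs.conf, it is worth checking it mechanically for the three settings this page calls out: perfmon stanzas must use mode = single (the 5.0.1+ default, if mode is omitted, is multikv), WinEventLog stanzas must not set renderXml to true, and each enabled stanza must point at its default index from the table above or at a custom index you have also added to eventtypes.conf. The checker below is an added example, not code from the add-on or the content pack; the sample inputs.conf it parses is constructed, and the EXPECTED_INDEX map is a subset of the table above.

```python
import configparser

# Constructed sample of a forwarder's local/inputs.conf with two deliberate mistakes.
SAMPLE_INPUTS = """
[perfmon://CPU]
counters = % Processor Time; % User Time; % Privileged Time
disabled = 0
instances = *
interval = 10
mode = multikv
object = Processor
useEnglishOnly=true
index = perfmon

[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
renderXml=true
index = wineventlog

[WinPrintMon://port]
type = port
interval = 600
baseline = 1
disabled = 0
index = windows
"""

# Default index per input type, taken from the index table on this page (subset).
EXPECTED_INDEX = {"perfmon": "perfmon", "WinEventLog": "wineventlog",
                  "WinHostMon": "windows", "WinPrintMon": "windows",
                  "WinNetMon": "windows", "WinRegMon": "windows"}

def check_inputs(text, custom_indexes=()):
    """Return (stanza, problem) pairs for enabled stanzas the content pack will not accept."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case so renderXml/useEnglishOnly survive
    cp.read_string(text)
    problems = []
    for stanza in cp.sections():
        s = cp[stanza]
        kind = stanza.split("://", 1)[0]
        if s.get("disabled", "0").strip() != "0":
            continue  # a disabled input sends nothing, so nothing to check
        # Omitted mode inherits the add-on default, which is multikv since 5.0.1.
        if kind == "perfmon" and s.get("mode", "multikv").strip() != "single":
            problems.append((stanza, "mode must be single; multikv events are not supported"))
        if kind == "WinEventLog" and s.get("renderXml", "false").strip().lower() == "true":
            problems.append((stanza, "renderXml=true; XML-rendered events do not populate the dashboards"))
        expected = EXPECTED_INDEX.get(kind)
        idx = s.get("index", "").strip()
        if expected and idx not in (expected, *custom_indexes):
            problems.append((stanza, f"index={idx or '<unset>'}; expected {expected} or a custom index added to eventtypes.conf"))
    return problems
```

Run it against the file copied into Splunk_TA_windows/local before pushing it from the deployment server; an empty list means the three checks pass, and custom indexes are accepted only when you name them in custom_indexes.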

Update configuration files to use custom indexes

Update the following configuration files to use custom index(es):

Update inputs.conf

  1. Copy the inputs.conf file from the default subdirectory /Splunk_TA_windows/default/ to the local subdirectory /Splunk_TA_windows/local/ on the forwarder.
  2. Open the inputs.conf in the local subdirectory with a text editor.
  3. If you are using <<CUSTOM INDEX>> instead of the Splunk_TA_windows default indexes, add index = <<CUSTOM INDEX>> under each stanza listed in the table above for the corresponding Windows default index.

Here are a few examples of inputs stanzas:

[perfmon://CPU]
counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
disabled = 1
instances = *
interval = 10
mode = single
object = Processor
useEnglishOnly=true
index = <<CUSTOM INDEX>>
 
[WinEventLog://Application]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=false
index = <<CUSTOM INDEX>>
 
[WinPrintMon://port]
type = port
interval = 600
baseline = 1
disabled = 1
index = <<CUSTOM INDEX>>

Update eventtypes.conf

  1. Copy the eventtypes.conf file from the default subdirectory /DA-ITSI-CP-windows-dashboards/default/ to the local subdirectory /DA-ITSI-CP-windows-dashboards/local/ on the search head.
  2. Open the eventtypes.conf in the local subdirectory with a text editor.
  3. If you are using <<CUSTOM INDEX>> instead of the Windows default indexes, update the following eventtype definitions as shown below:

Default index: perfmon. Custom index: <<CUSTOM INDEX 1>>. Updated eventtype:
[perfmon_index_windows]
definition = index=perfmon OR index=<<CUSTOM INDEX 1>>

Default index: wineventlog. Custom index: <<CUSTOM INDEX 2>>. Updated eventtype:
[wineventlog_index_windows]
definition = index=wineventlog OR index=<<CUSTOM INDEX 2>>

Default index: windows. Custom index: <<CUSTOM INDEX 3>>. Updated eventtype:
[windows_index_windows]
definition = index=windows OR index=<<CUSTOM INDEX 3>>

Update configuration files to use the main index

Update eventtypes.conf

  1. Copy the eventtypes.conf file from the default subdirectory /DA-ITSI-CP-windows-dashboards/default/ to the local subdirectory /DA-ITSI-CP-windows-dashboards/local/ on the search head.
  2. Open the eventtypes.conf in the local subdirectory with a text editor.
  3. If you are using index=main instead of the Windows default indexes, update the following eventtype definitions as shown below:

Default index: perfmon. Main index: main. Updated eventtype:
[perfmon_index_windows]
definition = index=perfmon OR index=main

Default index: wineventlog. Main index: main. Updated eventtype:
[wineventlog_index_windows]
definition = index=wineventlog OR index=main

Default index: windows. Main index: main. Updated eventtype:
[windows_index_windows]
definition = index=windows OR index=main

Last modified on 17 August, 2021
This documentation applies to the following versions of Splunk® Content Packs for ITSI and IT Essentials Work: current