Splunk® Content Packs for ITSI and IT Essentials Work

Dashboard Reference for the Content Pack for Windows Dashboards and Reports

Use the Dashboard Reference to check the description of each dashboard.

Dashboard Category

Category Dashboard
Windows Help
  • Windows Overview - Windows
  • Event Monitoring - Windows
  • Performance Monitoring - Windows
Windows Help: Applications and Updates
  • Application crashes - Windows
  • Application installs - Windows
  • Windows Update - Windows
Windows Help: Host Monitoring
  • Hosts Overview - Windows
  • Host Inventory - Windows
  • Host monitoring Operations - Windows
  • Disk Information - Windows
  • Processes - Windows
  • Services - Windows
Windows Help: Network Monitoring
  • Network Activity - Windows
  • Top Network Hosts and Processes - Windows
Windows Help: Print Monitoring
  • Printers Overview - Windows
  • Top Printers and Users - Windows
  • Print Job Viewer - Windows
Active Directory Help
  • Active Directory Overview - Windows
Active Directory Help: Domains
  • Domain Health Issues - Windows
  • Subnet Affinity Problems - Windows
  • Replication issues - Windows
  • Directory Performance - Windows
Active Directory Help: Domain Controllers
  • Domain Status - Windows
  • Site Status - Windows
  • DC Status - Windows
Active Directory Help: DNS
  • DNS Status - Windows
  • DNS Server Status - Windows
  • DNS Zone Information - Windows
  • DNS Performance - Windows
Active Directory Help: Users
  • User Overview - Windows
  • User Audit - Windows
  • Administrator Audit - Windows
  • User record Changes - Windows
  • Failed logons - Windows
  • Anomalous logons - Windows
Active Directory Help: Computers
  • Computer Audit - Windows
  • Computer Changes - Windows
Active Directory Help: Groups
  • Group Audit - Windows
  • Group Changes - Windows
Active Directory Help: Group Policy
  • Group Policy Audit - Windows
  • Group Policy Changes - Windows
Active Directory Help: Organisational Units
  • Organisational Unit Audit - Windows

Windows Overview

The Overview dashboard contains three panels: Windows events, Windows performance counters, and All indexed data.

  • Windows events: Provides information on the number of hosts from which event log data is being collected, the number of event logs, and the number of event IDs.
  • Windows performance counters: Provides information on the number of hosts from which performance data is being collected, the number of objects, and the total number of counters.
  • All indexed data: Provides a chronologically sorted list of the sources, source types, and hosts that the Content Pack for Windows Dashboards and Reports has collected data on.

How to use this page

  • You can control how much data this panel displays by clicking the time picker and choosing one of the available range presets or selecting a custom time range.
  • You can click on the Windows events and Windows performance counters links. The Content Pack for Windows Dashboards and Reports takes you to a Search page that lists all of the events found for that particular counter.

Event Monitoring - Windows

The Event monitoring page contains dashboard panels for many Windows Event Log statistics. They include trend lines that help you isolate areas of peak activity. You can mouse over the trend lines to get individual values and click the trend lines to open a Search window that shows events collected in the time frame where you clicked.

The panels are:

  • Event source names
  • Task categories
  • Hosts
  • Event IDs
  • The number of events by the host over time
  • The number of events by event code over time
  • The number of events by log name over time
  • The number of events by event type over time

How to use this page

Filter event log data

At the top of the Event Monitoring page, there is a row of drop-down boxes that lets you filter the indexed data via a number of parameters:

  • Host
  • Event Log Name
  • Source Name
  • Task Category
  • Event Code
  • Type

The parameters filter out data based on what you pick in each drop-down. For example, if you select a host in the Host drop-down, the other drop-downs update to show only data collected for that host. In this way, you can "drill down" to find the event log data for the host, log channel, source name, task category, event code, and type you seek.

Additionally, each drop-down box is also a text field. You can click any drop-down box on the page to enter text into that box. The Content Pack for Windows Dashboards and Reports immediately filters the collected data to show only entries that match what you type into any of the boxes.

Finally, the Additional Search Criteria box allows you to search for a specific word or phrase across all of your indexed event log data.

Requirements

The dashboards on this page require you to enable one or more Windows event log inputs. Enable at least the Application, System, Security, and Setup log channels.

Use the wildcard capability on the 'Host' drop down control

This page has a Host drop-down control box. You can type in text, including wildcards, and the Content Pack for Windows Dashboards and Reports filters the data to include only those events generated by hosts whose names match the text that you enter.

This works particularly well if you use a standard host naming convention in your environment. For example, if all domain controllers in the environment have host names which contain "DC", or all IIS servers' host names contain the string "IIS", you can type in "DC" in any Host control to display data collected from all domain controllers, or "IIS" to display information from all computers in your environment that run Internet Information Server.

Performance Monitoring - Windows

The Performance Monitoring page contains dashboards for CPU, Memory, Physical Disk, Logical Disk, Network Interface, and System metrics.

How to use this page

You can customize the data that appears in the panels by selecting different counters and instances. You can also drill into specifics on memory, CPU, disk and network traffic by host, process, and user.

The dashboard also provides a list of useful reports at the bottom of the page. These reports can be used as a guide to customizing new reports as you see fit.

Filter performance metrics

Each of the dropdowns in the dashboards on the Performance Monitoring page is also a text box. You can click on any dropdown box on the page to enter text. The Content Pack for Windows Dashboards and Reports immediately filters the collected performance metrics to show only entries that match the text you enter.

Requirements

The dashboards on this page require the following inputs to display data:

  • CPU Metrics: requires the Processor performance monitoring input.
  • Memory Metrics: requires the Memory performance monitoring input.
  • Physical Disk Metrics: requires the Physical Disk performance monitoring input.
  • Logical Disk Metrics: requires the Logical Disk performance monitoring input.
  • Network Metrics: requires the Network Interface performance monitoring input.
  • System Metrics: requires the System performance monitoring input.

Application Crashes - Windows

This page displays the status of application crashes on all of the machines in your environment. It has panels that show you information about:

  • Which applications are crashing
  • Which hosts these crashes occur on
  • The number of crashes over time, by host
  • The number of crashes over time, by application
  • The details of each crash, by host
  • A list of useful searches to customize the page

Requirements

This page requires you to enable one or more Windows event log inputs to function. Enable at least the Application Event Log.

Application Installs - Windows

This page displays the status of application installs on all of the machines in your environment. It has panels that show you information about:

  • The total number of installs, by host
  • The total number of installs, by application
  • The number of installs over time, by application
  • The details of an installation, by host
  • A list of useful searches to customize the page

Requirements

This page requires you to enable the Windows event log inputs. We recommend you enable at least the Application log channel.

Windows Update - Windows

This page displays the status of Windows updates on all of the machines in your environment. It has panels that show you information on:

  • The number of failed Windows updates, by host
  • The number of failed Windows updates, by Knowledge Base (KB) number
  • The number of failed Windows updates over time, by host
  • The number of failed Windows updates over time, by KB number
  • The number of successful Windows updates, by host
  • The number of successful Windows updates, by Knowledge Base (KB) number
  • The number of successful Windows updates over time, by host
  • The number of successful Windows updates over time, by KB number
  • A list of useful searches to customize the page

Requirements

This page requires you to enable the Windowsupdate.log file monitoring input.

Hosts Overview - Windows

This page lets you see data that the Content Pack for Windows Dashboards and Reports has collected about the hosts in your Windows environment.

How to use this page

The top of the page has controls that let you filter the host list based on host name, OS version, domain name, and architecture. By default, the page shows all hosts that the app has data for.

Filter hosts by host name

To filter the host list based on host:

  1. Click the Host field.
  2. Choose a host from the pop-up list that appears. The Content Pack for Windows Dashboards and Reports updates the list to show only the host(s) you select. You can select as many hosts as you want to filter the list.
  3. (Optional) Remove hosts by clicking the x next to the host name.

Filter hosts by text string

To filter the host list based on a text string, enter that string in the Host search field and press Enter. The Content Pack for Windows Dashboards and Reports updates the list to show only those hosts that match the text string exactly. To specify a range of hosts, use a wildcard.

Filter hosts by OS version

To filter hosts by OS version, click the OS version list box and select a version of Windows. The Content Pack for Windows Dashboards and Reports updates the list to include only the hosts that run the version of Windows that you chose.

Filter hosts by domain

To filter hosts by domain, click the Domain list box and select a domain. The Content Pack for Windows Dashboards and Reports updates the list to include only the hosts that reside in the domain that you chose.

Filter hosts by architecture

To filter hosts by architecture, click the Architecture list box and select an architecture. The Content Pack for Windows Dashboards and Reports updates the list to include only the hosts that have the architecture that you chose.

Host Inventory - Windows

This topic discusses the Windows Host Inventory page, which you access from the Component Health page. The Host Inventory page lists detailed information about a host, including:

  • The host name
  • The domain that the host resides in
  • Host hardware information
  • The version of Windows (including platform architecture) that the host runs
  • The service pack version and last installed update
  • A sparkline that shows recent processor usage
  • The amount of installed memory and a sparkline that shows recent changes in free memory
  • The amount of total and available free space
  • A sparkline that shows recent disk read I/O
  • A sparkline that shows recent disk write I/O
  • A list of key Windows Event Log events that have occurred recently

How to use this page

See information on a specific host

To see host inventory on a specific host, select the host in the Host Name list.

Change the time range of data

To change the time range of data that the host inventory shows, use the time picker next to the Host Name field.

Sparklines

  • To see individual values that comprise each sparkline, mouse over the sparkline.
  • To get a detailed version of the data in the sparkline, click it. The Content Pack for Windows Dashboards and Reports loads the Performance Monitoring page for the counter you clicked.

Key Events

Any key events that the host has logged show up in the left pane. To see more information about an event, click it. The details of the event show up in the right pane.

Host Monitoring Operations - Windows

This dashboard provides operations information about a specific host, and displays pie charts for:

  • The peak CPU utilization above 50% over the last 24 hours.
  • The peak memory utilization above 50% over the last 24 hours.
  • The free disk space distribution.

How to use this page

You can filter this dashboard to show a single host by selecting it from the Host drop-down list in the upper right side of the dashboard.

If you click on any of the pie chart slices, the Content Pack for Windows Dashboards and Reports loads the Host Monitoring Overview page, which is filtered to the selected host.

Host Monitoring Disk Information - Windows

This dashboard displays information on disk subsystems for each host. The dashboard has a single panel, which lists hostname, drive name, drive type, total disk space, free disk space, and percentage of free space.

How to use this page

You can filter the host list by selecting entries from the Host, File System, Type, Free Space %, or Total Space (GB) drop-down lists.

Host Monitoring Processes - Windows

This dashboard displays information on processes that run on each host. The dashboard has a single panel, which lists hostname, process name, start time, and any command-line arguments that might have been passed to the process.

How to use this page

You can filter the host list by selecting entries from the Host or Name drop-down lists. In this case, Name refers to the name of the process or processes you want to filter by.

Host Monitoring Services - Windows

This dashboard displays information on the services that run on each host. The dashboard has a single panel, which lists hostname, service name, start mode, and current service state.

How to use this page

You can filter the host list by selecting entries from the "Host", "StartMode", or "State" drop-down lists, or entering text into the "Name" text box. In this case, "Name" refers to the name of the service or services you want to filter by.

Network Activity - Windows

This topic discusses the Network Activity page, which shows you information about the network activity that has been collected from your Windows hosts.

How to use this page

Choose a list box to filter network activity based on that filter. You can either select an entry from the list box or select the search field and type in an entry. When you type in a string, the page only matches entries for events that have been collected previously.

You can choose or enter data from one of the following filters:

  • Local Host: Where the network transaction originated.
  • Direction: Whether the transaction was inbound or outbound from the local host.
  • Protocol: The protocol of the network activity (TCP or UDP).
  • Packet Type: The type of packet that was used in the transaction, one of "connect", "accept", or "transport".
  • Remote Host: Where the network transaction was destined.
  • Remote Port: The remote port that the network transaction used.
  • Local Port: The local port that the network transaction used.
  • Process Name: The program that initiated the network transaction.
  • User Name: The user that initiated the network transaction.

The Network Information pane shows all network transactions that apply to the filters you set. You can use the time picker in the upper right to limit the range of data that the panel shows.

Top Host and Processes - Windows

This topic discusses the Top Network Hosts and Processes page, which shows you information about the top users of network resources on a host.

This page has four panels:

  • Top Hostnames - Inbound connections: Shows the top hosts that have inbound connections to the host you choose in the list box on the right.
  • Top Hostnames - Outbound connections: Shows the top hosts that the host you choose in the list box has outbound connections to.
  • Top processes - Inbound connections: Shows the processes on the host you choose in the list box that accept the most network traffic.
  • Top processes - Outbound connections: Shows the processes on the host you choose that generate the most network traffic.

How to use this page

  • Choose a host from the Local Host list box on the top right to show the top network hosts and processes for that host.
  • Choose the time picker to change the time range that this page should use to display top hosts and processes.

Printers Overview - Windows

This dashboard displays the active printers in your organization.

The page lists the following printer information:

  • Host: The host that defined the printer.
  • Printer: The name of the printer.
  • Status: The current status of the printer.
  • Operation: Whether or not a baseline was written for the printer status.
  • Driver: The driver that the printer uses to print.
  • Print processor: The print processor for the printer.
  • Priority: The print priority of the printer.
  • Port: The port that the printer uses to send data to the print device.

How to use this page

Choose a list box to filter the number of printers the page shows. You can either select an entry from the list box or select the search field and type in an entry. When you type in a string, the page only matches entries for events that have been collected previously.

You can choose or enter data from one of the following filters:

  • Host: Shows only printers that have been defined on the selected host.
  • Printers: Shows only printers whose name matches the text you entered or name you selected.
  • Operation: Whether or not a baseline was written for the printer status.

You can sort the printer list by clicking on a column header. Clicking the header multiple times toggles an ascending or descending sort.

Top Printers and Users - Windows

This dashboard shows who prints the most on your network.

The page has two panels:

  • Top Printers and Users
  • Top 10 users printing

Both panels are bar charts.

How to use this page

Use the time picker on the upper right of the page to change the time range of data that the panels show. Mouse over the charts to get the values for the number of printers and print jobs.

Print Job Viewer - Windows

This dashboard lets you view print jobs that have occurred over the time period that you select.

The page has one panel: Print Monitoring Job Browser. This panel lists print jobs that have occurred based on the filter controls you use at the top of the page.

How to use this page

Choose a list box to filter print job activity. You can either select an entry from the list box or select the search field and type in an entry. When you type in a string, the page only matches entries for events that have been collected previously.

You can choose or enter data from one of the following filters:

  • Host: The host that the printer resides on.
  • Printer: The printer that printed the job.
  • Document: A text field that lets you enter a partial or full string that represents the name of the job that was printed. To see all documents whose name matches a particular string, use an asterisk at the end of the string.
  • User: The user that initiated the print job.

Use the time picker on the upper right of the page to change the time range of data that the panels show.

Active Directory Reports

The Active Directory module of the Content Pack for Windows Dashboards and Reports contains several reports that let you view common security issues within Active Directory.

There are six groups of reports:

DNS Reports

The DNS Reports collection lets you generate reports on your DNS operations by running real-time searches against the collected DNS data. These reports include:

  • DNS Failing Domains: A list of the queries made by DNS servers that return failing responses (such as SERVFAIL, NXDOMAIN, etc.). This panel lets you sort by query, query type, response, count, and percentage of queries.
  • DNS Top Failing Domains: A list of the top queries made by clients for domains that return failures. You can sort by query, query type, count, and percentage of queries.
  • DNS Top Hosts sending failing queries: A list of the hosts that send the most failing DNS queries. You can sort by source IP address, count, and percentage of queries.
  • DNS Top Non-authoritative responses: A list of the queries that DNS servers returned non-authoritative responses for. You can sort by query, query type, count, and percentage of queries.
  • DNS Top Querying Hosts: A list of the hosts that made the highest number of DNS queries. You can sort by source IP address, count, and percentage of queries.
  • DNS Top Recursive Failure Domains: A list of domains whose DNS servers failed to perform recursion - the ability to query DNS information on remote names handled by other DNS servers - correctly. You can sort by query, query type, count, and percentage of queries.
  • DNS Top Requested Queries: A list of the top requested DNS queries. You can sort by query, query type, count, and percentage of queries.

Note: In order to view these statistics, your DNS servers must have debug logging enabled. If this feature is not turned on, then these reports will be blank.

User Reports

The User Reports report collection lets you generate reports on your users from your Active Directory servers.

These reports include:

  • All: A list of all users in the selected domain. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by official (SAM) account name, LDAP Common Name, user principal name, and User Account Control (UAC) attribute settings.
  • New: A list of newly created users in the selected domain. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by user creation time, user added, and the user who performed the addition. You can also limit the list of accounts by selecting a time range with the time range picker at the top of the page.
  • Deleted: A list of deleted accounts in the selected domain. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by user deletion time, user deleted, and the user who performed the deletion. You can also limit the list of accounts by selecting a time range with the time range picker at the top of the page.
  • Active: A list of users who are active in the selected domain (meaning they have recently logged on). You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by username, full name, user principal name, and last logon time. You can also limit the list of accounts by selecting a time range with the time range picker at the top of the page.
  • Inactive: A list of users who have not recently logged onto the selected domain. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by official account name, LDAP Common Name, user principal name, and UAC attribute settings. You can also limit the list of accounts by selecting a time range with the time range picker at the top of the page.
  • Unused: A list of users who have never logged onto the selected domain. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by official account name, LDAP Common Name, user principal name, and UAC attribute settings.
  • Disabled: A list of users whose ability to access the selected domain has been disabled. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by official account name, LDAP Common Name, user principal name, and UAC attribute settings.
  • Non-expiring: A list of accounts that do not expire. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by official account name, LDAP Common Name, user principal name, and UAC attribute settings.
  • Password Not Required: A list of accounts where a password is not required. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by official account name, LDAP Common Name, user principal name, and UAC attribute settings.
  • No Password Expiry: A list of accounts where the password does not expire. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by official account name, LDAP Common Name, user principal name, and UAC attribute settings. You can also limit the list of accounts by selecting a time range with the time range picker at the top of the page.
  • Smartcard Not Required: A list of accounts where a smartcard is not required to authenticate. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by official account name, LDAP Common Name, user principal name, and UAC attribute settings.
  • Smartcard Required: A list of accounts where a smartcard is required to authenticate. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by official account name, LDAP Common Name, user principal name, and UAC attribute settings.
  • Password Too Old: A list of accounts where the password is too old. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by official account name, LDAP Common Name, user principal name, and UAC attribute settings.
  • No Manager: A list of accounts that do not have a delegate assigned to them. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by official account name, LDAP Common Name, user principal name, and UAC attribute settings.
  • Sensitive accounts: A list of accounts whose security contexts have not been delegated to a service even though the service account has been set as trusted for Kerberos delegation. You can choose the domain whose users you want to view by selecting the domain drop-down list. You can sort by official account name, LDAP Common Name, user principal name, and UAC attribute settings.
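
Several of the User Reports above are driven by the UAC attribute settings column. The following added example (not part of the content pack or of Splunk's code) decodes the Active Directory userAccountControl bitmask and buckets accounts into those reports. The report-to-flag mapping, the 90-day password age threshold, and the sample accounts are assumptions constructed for illustration; the flag values are the ones Microsoft documents for userAccountControl.

```python
"""Bucket AD accounts into the User Reports from userAccountControl bits."""
from datetime import datetime, timedelta, timezone
from enum import IntFlag


class UAC(IntFlag):
    """userAccountControl bits, values as documented by Microsoft."""
    ACCOUNTDISABLE = 0x0002
    PASSWD_NOTREQD = 0x0020
    NORMAL_ACCOUNT = 0x0200
    DONT_EXPIRE_PASSWORD = 0x10000
    SMARTCARD_REQUIRED = 0x40000
    NOT_DELEGATED = 0x100000  # "Account is sensitive and cannot be delegated"


# Assumed mapping from report name to the flag that drives it.
FLAG_REPORTS = [
    ("Disabled", UAC.ACCOUNTDISABLE),
    ("Password Not Required", UAC.PASSWD_NOTREQD),
    ("No Password Expiry", UAC.DONT_EXPIRE_PASSWORD),
    ("Smartcard Required", UAC.SMARTCARD_REQUIRED),
    ("Sensitive accounts", UAC.NOT_DELEGATED),
]
ALL_REPORTS = [name for name, _ in FLAG_REPORTS] + [
    "Smartcard Not Required",
    "Password Too Old",
]

# pwdLastSet is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def filetime_to_datetime(filetime):
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def report_buckets(account, now, max_password_age_days=90):
    """Return the report names one account belongs to."""
    flags = int(account["userAccountControl"])
    buckets = [name for name, bit in FLAG_REPORTS if flags & bit]
    if not flags & UAC.SMARTCARD_REQUIRED:
        buckets.append("Smartcard Not Required")
    # pwdLastSet == 0 means "must change at next logon", so no age applies.
    pwd_last_set = int(account.get("pwdLastSet", 0))
    if pwd_last_set:
        age = now - filetime_to_datetime(pwd_last_set)
        if age > timedelta(days=max_password_age_days):
            buckets.append("Password Too Old")
    return buckets


def build_reports(accounts, now, max_password_age_days=90):
    """Return {report name: sorted list of sAMAccountName}."""
    reports = {name: [] for name in ALL_REPORTS}
    for account in accounts:
        for name in report_buckets(account, now, max_password_age_days):
            reports[name].append(account["sAMAccountName"])
    return {name: sorted(members) for name, members in reports.items()}


# Constructed sample data (not from any real directory).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _days_ago(days):
    return datetime_to_filetime(NOW - timedelta(days=days))


SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200,
     "pwdLastSet": _days_ago(30)},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x200 | 0x10000,
     "pwdLastSet": _days_ago(400)},
    {"sAMAccountName": "kiosk", "userAccountControl": 0x200 | 0x20 | 0x2,
     "pwdLastSet": 0},
    {"sAMAccountName": "admin_jo", "userAccountControl": 0x200 | 0x40000 | 0x100000,
     "pwdLastSet": _days_ago(10)},
]

if __name__ == "__main__":
    for report, members in build_reports(SAMPLE_ACCOUNTS, NOW).items():
        print(f"{report}: {', '.join(members) or '-'}")
```

Accounts that land in Password Not Required or No Password Expiry while also being enabled are the ones usually worth reviewing first.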

Computer Reports

The Computer Reports report collection lets you generate reports on computer accounts from your Active Directory servers.

These reports include:

  • All: A list of all computers in the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by LDAP Common Name, DNS host name, User Account Control attributes, installed operating system, and any OS service packs that have been installed.
  • Domain controllers only: A list of all domain controllers in the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by LDAP Common Name, DNS host name, User Account Control attributes, installed operating system, and any OS service packs that have been installed.
  • New: A list of computers that have recently been added to the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by computers that were added, installed operating system, OS service pack, and the user who performed the addition.
  • Deleted: A list of computers that have recently been removed from the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by computers that were deleted, installed operating system, OS service pack, and the user who performed the deletion. You can also limit the list of computers by selecting a time range with the time range picker at the top of the page.
  • Active: A list of computers that have recently logged on to the selected domain in Active Directory. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by computer name, DNS host name, installed operating system, OS service pack, and last logon time. You can also limit the list of computers by selecting a time range with the time range picker at the top of the page.
  • Inactive: A list of computers that have not logged on to Active Directory recently. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by computer name, DNS host name, installed operating system, OS service pack, and last logon time. You can also limit the list of computers by selecting a time range with the time range picker at the top of the page.
  • Unused: A list of computers that have never logged on to Active Directory. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by LDAP Common Name and DNS hostname.
  • Disabled: A list of computers whose ability to log into Active Directory has been disabled. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by computer name, DNS host name, installed operating system, and OS service pack. You can also limit the list of computers by selecting a time range with the time range picker at the top of the page.
  • Trusted: A list of computers that either manage or are managed by a domain trust relationship. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by LDAP Common Name, DNS host name, UAC attributes, installed operating system, and OS service pack.
  • No Manager: A list of computers that do not have a delegate assigned to them. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by LDAP Common Name, DNS host name, UAC attributes, installed operating system, and OS service pack.

Security Group Reports

The Security Group Reports report collection lets you generate reports on group accounts from your AD servers.

These reports include:

  • All: A list of all security groups in the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by LDAP Common Name, group type, LDAP member Distinguished Name, and member type.
  • New: A list of recently-created groups in the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by creation time, group name, group class, group type, and the user who performed the addition. You can also limit the list of groups by selecting a time range with the time range picker at the top of the page.
  • Deleted: A list of recently-removed groups in the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by creation time, group name, group class, group type, and the user who performed the addition. You can also limit the list of groups by selecting a time range with the time range picker at the top of the page.
  • Changed type: A list of the changes that have been made to security groups in the selected domain, over the selected time period. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by the time that the group change occurred, the change action, the group name, the user who performed the change, the old group class or type, and the new group class or type. You can also limit the list of groups by selecting a time range with the time range picker at the top of the page.
  • Empty: A list of groups in the selected domain that do not have any users in them. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by group name or type.
  • Large: A list of groups in the selected domain that have a member count that is greater than a specified amount. You can use the Domain drop-down list to choose between domains known to the app. You can enter a positive number that represents the size of the group's membership into the Minimum Size text field. The page then shows only groups whose membership equals or is greater than the number entered. You can then sort that list by group name, group type, the number of members, the LDAP Member Distinguished Name, and the member type.
  • Nested: A list of groups in the selected domain that have been nested into other groups. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by LDAP Distinguished Name, LDAP Common Name, group type, and member type.
  • No Manager: A list of groups in the selected domain that do not have a delegate assigned to them. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by group name, group type, LDAP Member Distinguished Name, and member type.

Group Policy Object Reports

The Group Policy Object Reports report collection allows you to generate reports on group policy objects from your AD servers.

These reports include:

Report name Description
All A list of all group policy objects in the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by group policy ID, group policy name, group policy object version number, and the list of containers that the object has been linked to.
New A list of recently-created group policy objects in the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by add time, LDAP Common Name, group policy object display name, group policy object version number, and the list of containers that the object has been linked to. You can also limit the list of objects by selecting a time range with the time range picker at the top of the page.
Deleted A list of recently-removed group policy objects in the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by delete time and LDAP Common Name. You can also limit the list of objects by selecting a time range with the time range picker at the top of the page.
Disabled A list of group policy objects that have been disabled. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by group policy object ID, group policy object name, group policy object version number, group policy object status, change time, and the list of containers that the object has been linked to.

Organizational Unit Reports

The Organizational Unit Reports report collection allows you to generate reports on organizational units (OUs) from your AD servers.

These reports include:

Report name Description
All A list of all organizational units in the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by name, description, and the list of linked group policy objects.
New A list of recently-created OUs in the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by the time the OU was added, the OU name, description, and the list of linked group policy objects. You can also limit the list of objects by selecting a time range with the time range picker at the top of the page.
Deleted A list of recently-deleted OUs in the selected domain. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by delete time, OU name, and description. You can also limit the list of objects by selecting a time range with the time range picker at the top of the page.
No Manager A list of OUs in the selected domain that do not have a delegate assigned to them. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by OU name, description, and the list of linked group policy objects. You can also limit the list of objects by selecting a time range with the time range picker at the top of the page.
GPO Linked A list of OUs with a direct GPO link. You can use the Domain drop-down list to choose between domains known to the app. You can sort the list by OU name, description, and the list of linked group policy objects.

Active Directory Overview - Windows

The Topology Report page displays a view of all of the Active Directory forests, domains, and domain controllers known to the Content Pack for Windows Dashboards and Reports at the present time.

To return to this dashboard, select Active Directory > Active Directory Overview.

Choose the forests, sites, domains, and domain controllers using the selection panel close to the top of the page.

Based on the options selected, additional information on the domain controllers in the selected forest and domain display on the page and include the following statistics:

  • The host name of the domain controller (DC).
  • The Active Directory (AD) site that the DC belongs to.
  • The operating system and version of Windows the server runs.
  • The AD Flexible Single Master Operation (FSMO) role(s) the server holds.
  • Information on the Directory Service Agent (DSA) options available for the DC.
  • Information on the status of the AD services that the machine runs.
  • Information on whether or not the server has registered itself in DNS.
  • Information on whether or not the machine's SYSVOL share is available on the network.

In this dashboard, icons in the "Masters Roles" column indicate the operations master roles for each server.

Role Details
Schema Master The Schema Master controls all updates to the Active Directory's schema, then replicates it to all other domain controllers in the forest. There can be only one Schema Master in an entire forest.
Domain Naming Master The Domain Naming Master controls the naming of all domains within the forest. It is the only domain controller that can add or remove domains from Active Directory. As such, only one Domain Naming Master can be present in a forest.
Relative ID Master The Relative ID Master domain controller maintains the relative ID (RID) resource pool and is responsible for allocating RIDs to other domain controllers within a domain when they are requested during the creation of security principal objects like users and groups. There can only be one RID Master in a domain.
PDC Emulator Master This domain controller emulates the Primary Domain Controller (PDC) role for a domain and handles time synchronization across the domain. It also handles various PDC duties (such as password changes, account lockouts and GPO manipulation) for domains which have both Windows Server 2000 and Server 2003 domain controllers present. Only one PDC emulator can be present in a domain.
Infrastructure Master The Infrastructure Master handles updates to the security identifier (SID) and distinguished name (DN) of an object that is cross-referenced by another object in another domain. There can only be one Infrastructure Master in a domain.

The DSA options are listed as icons under the DSA Options column:

  • A globe indicates that the server is a Global Catalog (GC).
  • A padlock indicates that the server is a Read-only Domain Controller (RODC).

How to use this page

You can click on any domain controller in the list to get additional information about that domain controller. See Domain Controller status for more details.

You can limit the number of domain controller objects displayed by selecting the Show n entries list box on the left. You can also search for a specific string (such as the name of a domain controller) by typing in the string in the Search field.

Domain Health Issues - Windows

The Health Issues dashboard displays active problems occurring with the domain controllers within your AD. It also displays anomalous events that you should be aware of, such as reboots, problems with Knowledge Consistency Checkers (KCCs) on domain controllers, and other unexpected circumstances.

How to use this page

This selection panel lets you filter results based on Forest, Site, Domain, and Server.

You can also control how much information the app displays by selecting the time range you desire in the time range picker on the upper right side of the dashboard.

Domain Subnet Affinity Problem - Windows

Occasionally, a server will appear from an IP address that is not associated with a site. The Subnet Affinity Issues dashboard provides a concise report for handling this case. When you see an IP address in this page, log on to your Forest Infrastructure Master and use the Active Directory Sites and Services tool to add the subnet and associate it with a Site. IP addresses that report more frequently are closer to the top of the list.

How to use this page

You can control how much information the page displays by selecting the time range you desire in the time range picker on the upper right side of the dashboard.

Domain Replication Issues - Windows

This dashboard lets you review current Active Directory (AD) replication agreements, and the status of those agreements.

How to use this page

This selection panel lets you filter results based on Forest, Site, Domain, and Server. You can also control how much information the app displays by selecting the time range you desire in the time range picker on the upper right side of the dashboard.

You can change the context in which you view the replication agreements by selecting the Naming Context drop-down in the selection panel.

You can also adjust how much time is considered when constructing the reports by selecting the time range you desire in the time range picker on the upper right side of the dashboard.

Directory Performance - Windows

This dashboard lets you view all Active Directory (AD) related performance metrics across all domain controllers in your AD forest in a chart.

How to use this page

To view a metric, select the desired domain controller from the Server drop-down list on the top of the dashboard. Then, select the performance Object and, finally, the desired Counter in the same fashion.

The Content Pack for Windows Dashboards and Reports displays the chart on the lower portion of the dashboard.

You can also adjust how much data is displayed by selecting the time range you desire in the time range picker on the upper right side of the dashboard.

Domain Status - Windows

The Domain Status dashboard gives you information on the selected domain, including:

  • Which domain controllers in the domain hold AD operations masters roles
  • Which site(s) the domain is a part of
  • Which domain controllers control the domain

You can choose which domain you want to view by choosing it in the Domain drop-down list in the upper right side of the dashboard.

You can click on one of the listed sites to get additional information about the site. See Site status for more information.

You can click on one of the listed domain controllers to get additional information about that controller. See DC status.

You can also adjust how much data you see by selecting the time range you desire in the time range picker.

Site Status - Windows

The Site Status dashboard gives you information about the sites in your Active Directory forest, including:

  • A list of the domains included in the site.
  • A list of the domain controllers included in the site.
  • A list of the IP network subnets configured for the site.
  • The number and replication status of any site links between this and other AD sites.
  • The targeted and actual weighting of Active Directory-related activity across all of the domain controllers for a particular domain.

In the selection panel for this dashboard, you can select the site you want to view by choosing it in the Site Name drop-down list. This automatically updates the Domain drop-down list next to it, which lets you select domains that are in the site you selected.

You can click on a domain in the Domains in Site list to get more information about that domain.

You can click on a domain controller in the Domain Controllers in Site list to get details about that domain controller.

You can also adjust how much data you see by selecting the time range you desire in the time range picker in the upper right side of the dashboard.

DC Status - Windows

The Domain Controller Status dashboard gives you information on the domain controllers in your Active Directory environment, including:

  • Information on Directory Services performance, with average values over time for important DS related performance counters.
  • Information on replication performance.
  • Any anomalous events that you should be aware of.

In the selection panel for this dashboard, you can select the domain you want to view by choosing it in the Domain Controller drop-down list.

You can click on individual counters in both the Directory Services performance and Replication Performance sections of the dashboard to review specifics about the values returned by those objects.

You can also adjust how much data is displayed by selecting the time range you desire in the time range picker on the upper right side of the dashboard.

DNS Status - Windows

The DNS Status dashboard displays an overview of current DNS operations and includes:

  • A selectable list of known DNS servers in your AD environment. This includes the server host name, the status of DNS on the server, the zones in which it participates, the OS version and service pack level, and a sparkline depicting the average amount of DNS queries per second.
  • A selectable list of known DNS zones in the environment. This consists of the zone name, the servers that control the zone, the number of records in the zone and a breakdown of specific record types.
  • A list of anomalous DNS related events that have recently occurred.

You can select a server in the DNS Servers list to get more information about that server. See DNS Server status.

You can select a zone in the DNS Zones list to get additional details about that zone. See DNS Zone Information.

You can click on an anomalous event in the Anomalous events list to get specifics about that event.

You can also adjust how much data gets displayed by selecting the time range you desire in the time range picker at the upper right side of the dashboard.

DNS Server Status - Windows

The DNS Server Status dashboard is similar to the Domain Controller status dashboard described above. However, this dashboard contains information about DNS Query Performance and Recursion Performance instead of Active Directory Services and replication performance.

In the selection panel for this dashboard, you can select the DNS server that you want to view by choosing it in the DNS Server drop-down list.

You can click on a performance metric in either performance panel to get details about the selected metric. An Anomalous Events panel at the bottom of the dashboard lists events that warrant further investigation.

You can also adjust how much data is displayed by selecting the time range you desire in the time range picker at the upper right side of the dashboard.

DNS Zone Information - Windows

The DNS Zone Information dashboard contains details about a known Active Directory DNS zone, including:

  • Important DNS zone configuration settings.
  • A list of the DNS servers that control the zone.
  • The status of replication of DNS servers that control the zone, and whether or not those servers are out of sync.

Note: You cannot change DNS settings in this dashboard. To change DNS settings, you must use the Windows DNS configuration tool on the DNS server(s) that control the zone that you wish to change.

You can get additional information about the DNS servers that control the zone by selecting the desired server in the DNS Servers - Zone list. See DNS Server status for additional information.

You can choose which DNS Zone you want to display by selecting it in the DNS Zone: drop-down list at the top of the dashboard.

You can also adjust how much data is displayed by selecting the time range you desire in the time range picker.

DNS Performance - Windows

The DNS Performance dashboard lets you view specific DNS performance metrics in chart form, based on the server and performance metrics you choose in the drop-down lists in the dashboard selection panel.

In the selection panel for this dashboard, you can select the server whose performance metrics you want to view by choosing it in the Server drop-down list. This automatically updates the Counter drop-down list next to it, which lets you select performance metrics for the server you selected.

Each metric is overlaid with CPU performance information so that you can correlate anomalous readings with CPU usage in real time.

You can adjust how much data gets displayed by selecting the time range you desire in the time range picker on the upper right side of the dashboard.

User Overview - Windows

The Users series of dashboards gives you visibility into the defense mechanisms of your Active Directory operations. The dashboards provide information on logon failures, attempts to circumvent user security settings, and user utilization, and display audits and reports on all AD objects in your environment.

How to use this page

Each of the User dashboards has two sections: upper and lower. The upper section of the dashboard is a selection panel that lets you filter the user list based on the forests, sites, domains, and domain controllers that you choose. You can filter with multiple objects at a time. The lower portion of the dashboard displays additional information based on what you select on the top half.

You can also control how much data gets displayed by selecting the time range you desire in the time range picker on the upper right side of the dashboard.

User Audit - Windows

The User Audit dashboard displays information about Active Directory user objects, and includes specifics on:

  • Active Directory record
  • Group Membership
  • Accounts that were locked out after failing to log on properly
  • Failed logons by the selected user

In this dashboard's selection panel, you can choose the domain from which you want to display user audit data by selecting the Account Domain drop-down list. You must do so in order to get information on user account activity within the domain.

You can further narrow down your search by typing in the name of a valid user object in the User Account field. If you type in '*' (asterisk), the Content Pack for Windows Dashboards and Reports searches against all users.

You can also control how much data gets displayed by selecting the time range you desire in the time range picker on the upper left side of the dashboard.

Administrator Audit - Windows

The Administrator Audit dashboard displays information about Active Directory user objects, and includes specifics on:

  • Active Directory record
  • Group Membership
  • Accounts that were locked out after failing to log on properly
  • Failed logons by the selected user

How to use this page

In this selection panel, you can choose the domain from which you want to display user audit data by selecting the Account Domain drop-down list. You must do so in order to get information on user account activity within the domain.

You can further narrow down your search by typing in the name of a valid user object in the User Account field. If you type in '*' (asterisk), the Content Pack for Windows Dashboards and Reports searches against all users.

You can also control how much data gets displayed by selecting the time range you desire in the time range picker on the upper left side of the dashboard.

User Record Changes - Windows

This dashboard shows information about changes to user objects in the Active Directory environment, from both a security and a directory services perspective.

How to use this page

This selection panel lets you filter results based on Forest, Site, Domain, and Server.

You can also control how much information the app displays by selecting the time range you desire in the time range picker on the upper right side of the dashboard.

You can narrow your search by typing in the name of a user in the Account User field in the upper portion of the dashboard.

Failed Logons - Windows

This dashboard provides insight into recent failed attempts by users to log into your domain. Specific statistics include:

  • Failed logons over time
  • Failed interactive logons by IP address
  • Failed logons by reason (for example, expired password, locked account, or disabled account)
  • Failed interactive logons by username
  • Failed logons by logon type
  • Users failing to log on from multiple IPs (for example, an active attempt to break into the network)

How to use this page

This selection panel lets you filter results based on Forest, Site, Domain, and Server.

You can also control how much information the app displays by selecting the time range you desire in the time range picker on the upper right side of the dashboard.

Anomalous Logons - Windows

This dashboard contains information about questionable user activity on your network. It also shows the more sinister attempts to access restricted network resources. Specific statistics displayed here include:

  • Users logging on from more than one AD site
  • Users logging on from more than one workstation
  • Attempts to log on to disabled or expired accounts

How to use this page

Use the Forest, Site, Domain, and Server fields to limit results to the forest(s), site(s), domain(s), and user(s) that you want to see.

To filter using these fields:

  1. Select a field with your mouse.
  2. Type the name of an element in the appropriate field. For example, type in the name of a forest in the Forest field. The Content Pack for Windows Dashboards and Reports displays entries for forests and updates the page to contain only relevant information that matches the specified forest.
    1. This method works identically for sites, domains, and users.

Use the time range picker to limit results to the range of time that you want the app to display.
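To make clear what the Failed Logons and Anomalous Logons panels count, the following added Python example computes the same statistics over a handful of constructed events. It is not the content pack's own search logic; it assumes Windows Security events 4625 (failed logon) and 4624 (successful logon), and the sample events, the site-to-subnet map, and every function name are constructed for illustration.

```python
import ipaddress
from collections import Counter, defaultdict, namedtuple

# NTSTATUS failure codes that Windows records in event 4625 (failed logon).
FAILURE_REASONS = {
    0xC000006A: "bad password",
    0xC0000064: "unknown user",
    0xC0000071: "expired password",
    0xC0000072: "disabled account",
    0xC0000193: "expired account",
    0xC0000234: "locked account",
}

# Constructed AD site-to-subnet map (documentation address ranges).
SITE_SUBNETS = {
    "HQ": ipaddress.ip_network("192.0.2.0/24"),
    "Branch": ipaddress.ip_network("198.51.100.0/24"),
}

Event = namedtuple("Event", "event_id user src_ip logon_type status")

# Constructed sample events. Logon types: 2 interactive, 3 network,
# 10 remote interactive. Successful logons (4624) carry no failure status.
EVENTS = [
    Event(4625, "alice", "192.0.2.10", 2, 0xC000006A),
    Event(4625, "alice", "192.0.2.10", 2, 0xC000006A),
    Event(4625, "bob", "192.0.2.21", 3, 0xC000006A),
    Event(4625, "bob", "198.51.100.7", 3, 0xC000006A),
    Event(4625, "bob", "203.0.113.5", 10, 0xC0000234),
    Event(4625, "carol", "192.0.2.30", 2, 0xC0000072),
    Event(4625, "dave", "198.51.100.9", 3, 0xC0000193),
    Event(4624, "erin", "192.0.2.40", 2, None),
    Event(4624, "erin", "198.51.100.41", 10, None),
    Event(4624, "alice", "192.0.2.10", 2, None),
]


def site_for_ip(ip):
    """Return the AD site whose subnet contains ip, or None if unmapped."""
    addr = ipaddress.ip_address(ip)
    for site, net in SITE_SUBNETS.items():
        if addr in net:
            return site
    return None


def failed_by_reason(events):
    """Failed logons by reason (expired password, locked account, ...)."""
    return Counter(FAILURE_REASONS.get(e.status, "other")
                   for e in events if e.event_id == 4625)


def failing_from_multiple_ips(events, min_ips=2):
    """Users whose failed logons arrive from at least min_ips addresses."""
    ips = defaultdict(set)
    for e in events:
        if e.event_id == 4625:
            ips[e.user].add(e.src_ip)
    return {u: sorted(s) for u, s in ips.items() if len(s) >= min_ips}


def logons_from_multiple_sites(events):
    """Users with successful logons from more than one AD site."""
    sites = defaultdict(set)
    for e in events:
        site = site_for_ip(e.src_ip) if e.event_id == 4624 else None
        if site:
            sites[e.user].add(site)
    return {u: sorted(s) for u, s in sites.items() if len(s) > 1}


def disabled_or_expired_attempts(events):
    """Attempts to log on to disabled or expired accounts."""
    wanted = {"disabled account", "expired account"}
    return [(e.user, FAILURE_REASONS[e.status]) for e in events
            if e.event_id == 4625 and FAILURE_REASONS.get(e.status) in wanted]


def unmapped_ips(events):
    """Source addresses outside every site subnet, most frequent first."""
    counts = Counter(e.src_ip for e in events if site_for_ip(e.src_ip) is None)
    return counts.most_common()


if __name__ == "__main__":
    print("Failed by reason:", dict(failed_by_reason(EVENTS)))
    print("Failing from multiple IPs:", failing_from_multiple_ips(EVENTS))
    print("Logons from multiple sites:", logons_from_multiple_sites(EVENTS))
    print("Disabled/expired attempts:", disabled_or_expired_attempts(EVENTS))
    print("IPs with no site:", unmapped_ips(EVENTS))
```

The last function mirrors the case the Subnet Affinity dashboard reports: an address that belongs to no configured site subnet.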

Computer Audit - Windows

The Computer Audit dashboard displays information about access to Active Directory from computer accounts, and includes statistics on:

  • Active Directory record
  • Group Membership
  • Accounts that were locked out after attempting a logon from a specific workstation
  • Failed logons from specific computers

How to use this page

You can choose the domain from which you want to display computer audit data by selecting the Account Domain drop-down list. You must do so in order to get information on computer account activity within the domain.

You can further narrow down your search by typing in the name of a valid computer object in the Computer Account field. If you type in '*' (asterisk), the Content Pack for Windows Dashboards and Reports searches against all computers.

You can also control how much data gets displayed by selecting the time range you desire in the time range picker on the upper left side of the dashboard.

Computer Changes - Windows

The Computer Changes dashboard displays information about changes to Active Directory computer objects.

How to use this page

This selection panel lets you filter results based on Forest, Site, Domain, and Server. You can also control how much information the app displays by selecting the time range you desire in the time range picker on the upper right side of the dashboard.

You can narrow your search by using one of the available drop-downs to limit results based on Administrator (who made the changes) and Computer Name.

Group Audit - Windows

The Group Audit dashboard displays information about Active Directory group objects, and includes statistics on:

  • Active Directory record
  • A full Group Membership list
  • Recent changes to the group membership

How to use this page

In this selection panel, you can choose the domain from which you want to display group audit data by selecting the Account Domain drop-down list. You must do so in order to get information on group account activity within the domain.

You can further narrow down your search by typing in the name of a valid group object in the Group Name field. If you type in '*' (asterisk), the Content Pack for Windows Dashboards and Reports searches against all groups.

You can also control how much data gets displayed by selecting the time range you desire in the time range picker on the upper left side of the dashboard.

Group Changes - Windows

The Group Changes dashboard shows information about changes to AD group objects, from the context of both changes to the group object itself and changes to the membership of the group.

How to use this page

This selection panel lets you filter results based on Forest, Site, Domain, and Server. You can also control how much information the app displays by selecting the time range you desire in the time range picker on the upper right side of the dashboard.

You can also narrow your search by using one of the available drop-downs to limit results based on:

  • Administrator (who made the changes)
  • Group, Group Class (Security or Distribution)
  • Group Scope (Global, Local or Universal)

Group Policy Audit - Windows

The dashboard displays information about Active Directory Group Policy objects (GPOs), and includes statistics on:

  • Which group policy objects are linked to which containers.
  • Recent changes to group policy.

How to use this page

In the upper portion of the dashboard, you can choose the domain from which you want to display user audit data by selecting the Domain drop-down list.

You can further narrow down your search by typing in a valid GPO in the Group Policy Name field.

Group Policy Changes - Windows

The dashboard shows information about changes to AD group policy objects, from the context of both changes to the GPO itself and changes to the membership of the group.

How to use this page

This selection panel allows you to filter results based on Domain, Administrator, and Group Policy name. You can also control how much information the app displays by selecting the time range you desire in the time range picker on the upper right side of the dashboard.

You can also narrow your search by using one of the available drop-downs to limit results based on:

  • Administrator (who made the changes)
  • Account Domain
  • Group Policy Name

Organization Unit Audit - Windows

This dashboard displays information about Active Directory Organizational Units and includes statistics on Active Directory records.

How to use this page

In this selection panel, you can choose the domain from which you want to display organization unit (OU) audit data by selecting the Account Domain drop-down list. You must do so in order to get information on OUs within the domain.

You can further narrow down your search by typing in the name of a valid OU in the Group Policy Name field. If you type in '*' (asterisk), the Content Pack for Windows Dashboards and Reports searches against all OUs.

You can also control how much data gets displayed by selecting the time range you desire in the time range picker on the upper left side of the dashboard.

Last modified on 10 August, 2021

This documentation applies to the following versions of Splunk® Content Packs for ITSI and IT Essentials Work: current

