Splunk® App for Windows Infrastructure

Deploy and Use the Splunk App for Windows Infrastructure


Make configuration changes to match your existing environment

The Splunk App for Windows Infrastructure expects to find data in certain indexes by default. If you want to change where the app looks for data, you must make changes to the app's configuration. In addition, if you have an existing Splunk App for Windows or Splunk App for Active Directory installation, you must make configuration changes to match the index locations that those apps used.

To make these changes, you must edit configuration files. For information about how Splunk configuration files work, refer to "About configuration files" in the core Splunk Enterprise documentation.

Overview

By default, the Splunk App for Windows Infrastructure stores data in the following indexes:

  • perfmon for performance metrics collected from Exchange servers.
  • msad for Active Directory information and metrics.
  • winevents for Windows event log information.

If you need to change where the app stores its data, use these instructions to configure it to use existing indexes in your Splunk deployment.

Change the index(es) that the app sends data to

Follow these instructions to configure the index locations:

Edit inputs.conf to change the index

1. Unpack the splunk_app_windows_infrastructure-x.x.x-xxxxxx.tar.gz package into an accessible location, if you haven't already.

2. Determine the add-ons that you need to install, based on your Windows or Active Directory layout.

Note: Read "Install the add-ons into universal forwarders" in this manual for a table that shows which add-ons you need to install for each Windows server role.

3. Once you have determined which add-ons you need to install, edit the configuration files for each of those add-ons, as follows:

a. Locate the add-on folder within the splunk_app_windows_infrastructure installation package.
Note: You can find the add-on folders within splunk_app_windows_infrastructure\appserver\addons in the installation package.
b. In the local directory within each add-on folder, create and open an inputs.conf for editing.
Note: You might need to create the local directory within the add-on folder, if it does not exist.
c. Open the inputs.conf in the default directory of the add-on folder.
d. Copy the input stanza text (the stanza representing the input whose destination index you want to change) from default\inputs.conf.
e. Paste the copied stanza into the newly created local\inputs.conf within the add-on directory.
f. Change the index for that stanza by setting the index= attribute/value pair to the appropriate index.
g. Save the inputs.conf file in local and close it.
h. Close the inputs.conf file in default.

4. Repeat Step 3 for all inputs.conf stanzas whose indexes you want to change.

For example, if your environment runs Active Directory on Windows Server 2008 R2, and you want the Performance Monitoring logs to go into an index called winperf instead of the default perfmon, do the following:

  • Open TA-DomainController-NT6\default\inputs.conf inside the TA-DomainController-NT6 add-on folder.
  • Create and open inputs.conf in TA-DomainController-NT6\local.
  • Copy the [perfmon://Processor] stanza from TA-DomainController-NT6\default\inputs.conf.
  • Paste the copied stanza into the new inputs.conf in TA-DomainController-NT6\local\.
  • Set the attribute/value pair index=winperf in the stanza, so that it looks like this:
[perfmon://Processor]
object = Processor
counters = *
instances = *
interval = 10
disabled = 0
index=winperf

In this example, you must also change the index locations in the [perfmon://Memory], [perfmon://Network_Interface], and [perfmon://DNS] stanzas, since they send data to the same index.

Edit eventtypes.conf to ensure the app sees the new index

Make changes to the Splunk App for Windows Infrastructure event types configuration file, as follows:

1. In the splunk_app_windows_infrastructure\local directory, create an eventtypes.conf file.

2. Open that file for editing.

3. Open splunk_app_windows_infrastructure\default\eventtypes.conf.

4. Copy the input stanza whose destination index you want to change from splunk_app_windows_infrastructure\default\eventtypes.conf.

5. Paste the stanza into the splunk_app_windows_infrastructure\local\eventtypes.conf file.

6. Modify the stanza within eventtypes.conf to use the new index.

Continuing from the previous example, the [perfmon] stanza defines the event type for performance monitoring statistics. Copy that stanza into splunk_app_windows_infrastructure\local\eventtypes.conf and change the index= term in its search attribute like this:

[perfmon]
search = index=winperf source="Perfmon:*"
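The two procedures above (overriding index= in an add-on's local\inputs.conf, then updating the [perfmon] event type so the app searches the new index) are easy to get half right: if the event type still says index=perfmon, the forwarders happily write to winperf and the app's dashboards go empty without any error, which is a monitoring gap you only notice when you look for data that is not there. The following Python script is an added example, not code from the Splunk documentation or the app itself. It parses the INI-style .conf format, builds the local inputs.conf override for the stanzas you name, layers local over default the way Splunk does, and reports any input stanza whose effective index does not match the index the event type searches. The .conf contents are constructed samples (stanza names follow the page); the function names (parse_conf, merge_conf, override_index, find_mismatches) are this example's own.

```python
"""Added example, not from the Splunk documentation: build a local/inputs.conf
override for chosen stanzas and verify eventtypes.conf searches the same index.
All .conf contents below are constructed samples; stanza names follow the page."""
import re

# Constructed sample of TA-DomainController-NT6\default\inputs.conf (two stanzas)
DEFAULT_INPUTS = """\
[perfmon://Processor]
object = Processor
counters = *
instances = *
interval = 10
disabled = 0
index = perfmon

[perfmon://Memory]
object = Memory
counters = *
instances = *
interval = 10
disabled = 0
index = perfmon
"""

# Constructed sample of splunk_app_windows_infrastructure\default\eventtypes.conf
DEFAULT_EVENTTYPES = """\
[perfmon]
search = index=perfmon source="Perfmon:*"
"""


def parse_conf(text):
    """Parse INI-style Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def render_conf(stanzas):
    """Serialize {stanza: {key: value}} back to .conf text."""
    blocks = ["\n".join([f"[{name}]"] + [f"{k} = {v}" for k, v in attrs.items()])
              for name, attrs in stanzas.items()]
    return "\n\n".join(blocks) + "\n"


def merge_conf(default_text, local_text):
    """Layer local over default the way Splunk does: local wins per key."""
    merged = parse_conf(default_text)
    for name, attrs in parse_conf(local_text).items():
        merged.setdefault(name, {}).update(attrs)
    return merged


def override_index(default_text, stanza_names, new_index):
    """Return local/inputs.conf text: each named stanza copied from default
    with index= replaced. Only overridden stanzas need to appear in local."""
    default = parse_conf(default_text)
    local = {}
    for name in stanza_names:
        if name not in default:
            raise KeyError(f"stanza [{name}] not found in default inputs.conf")
        local[name] = {**default[name], "index": new_index}
    return render_conf(local)


def eventtype_index(default_ev, local_ev, eventtype):
    """Pull the index=<name> term out of an event type's search string."""
    search = merge_conf(default_ev, local_ev)[eventtype]["search"]
    match = re.search(r'\bindex=("?)([^\s"]+)\1', search)
    return match.group(2) if match else None


def find_mismatches(inputs_default, inputs_local, ev_default, ev_local, eventtype):
    """List input stanzas whose effective index differs from the one the event
    type searches. Anything listed is data the app's dashboards will not show."""
    wanted = eventtype_index(ev_default, ev_local, eventtype)
    merged = merge_conf(inputs_default, inputs_local)
    return sorted(name for name, attrs in merged.items() if attrs.get("index") != wanted)


if __name__ == "__main__":
    local_inputs = override_index(DEFAULT_INPUTS, ["perfmon://Processor", "perfmon://Memory"], "winperf")
    print(local_inputs)
    # eventtypes.conf not yet updated: both stanzas are reported as invisible to the app
    print(find_mismatches(DEFAULT_INPUTS, local_inputs, DEFAULT_EVENTTYPES, "", "perfmon"))
    # after the local eventtypes.conf override from the page, nothing is reported
    local_ev = '[perfmon]\nsearch = index=winperf source="Perfmon:*"\n'
    print(find_mismatches(DEFAULT_INPUTS, local_inputs, DEFAULT_EVENTTYPES, local_ev, "perfmon"))
```

Run it against the real files by reading default\inputs.conf and default\eventtypes.conf from the unpacked package instead of the constructed strings. The check also catches the partial case the page warns about: overriding only [perfmon://Processor] while [perfmon://Memory] still points at perfmon leaves Memory listed as a mismatch, because the merged view still carries the default index for that stanza.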

Deploy your changes

Once you have made the changes you need to match your existing Splunk App for Windows or Active Directory environment, you can deploy the add-ons and the Splunk App for Windows Infrastructure.

Note:

  • If you use a deployment server to deploy the add-ons, then place the relevant add-ons for each Windows server role into %SPLUNK_HOME%\etc\deployment-apps on the deployment server.
  • If you do not use a deployment server, then you must edit the configuration files for each add-on manually on each universal forwarder in the Splunk App for Windows Infrastructure deployment. The configuration file edits you must make depend specifically on which role(s) each Windows server performs. Refer to "Install the add-ons into universal forwarders" for specifics on where you should install the add-ons in your Windows deployment.
Last modified on 20 June, 2014

This documentation applies to the following versions of Splunk® App for Windows Infrastructure: 1.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4
