Make configuration changes to match your existing environment
The Splunk App for Windows Infrastructure expects to find data in certain indexes by default. If you want to change where the app looks for data, you must make changes to the app's configuration. In addition, if you have an existing Splunk App for Windows or Splunk App for Active Directory installation, you must make configuration changes to match the index locations that those apps used.
To make these changes, you must edit configuration files. For information about how Splunk configuration files work, refer to "About configuration files" in the core Splunk Enterprise documentation.
By default, the Splunk App for Windows Infrastructure stores data in the following indexes:
perfmonfor performance metrics collected from Exchange servers.
msadfor Active Directory information and metrics.
wineventsfor Windows event log information.
If you need to change where the Splunk App for Windows Infrastructure stores its data, then use these instructions to configure the Splunk App for Windows Infrastructure to use existing indexes in your Splunk deployment.
Change the index(es) that the app sends data to
Follow these instructions to configure the index locations:
Edit inputs.conf to change the index
1. Unpack the
splunk_app_windows_infrastructure-x.x.x-xxxxxx.tar.gz package into an accessible location, if you haven't already.
2. Determine the add-ons that you need to install, based on your Windows or Active Directory layout.
Note: Read "Install the add-ons into universal forwarders" in this manual for a table that shows which add-ons you need to install for each Windows server role.
3. Once you have determined which add-ons you need to install, edit the configuration files for each of those add-ons, as follows:
- a. Locate the add-on folder within the
- Note: You can find the add-on folders within
splunk_app_windows_infrastructure\appserver\addonsin the installation package.
- b. In the
localdirectory within each add-on folder, create and open an
- Note: You might need to create the
localdirectory within the add-on folder, if it does not exist.
- c. Open the
defaultdirectory of the add-on folder.
- d. Copy the input stanza text (in this case, the stanza which represents the input whose destination index you want to change) from
- f. Paste the copied stanza into the newly-created
local\inputs.confwithin the add-on directory.
- g. Change the index for that stanza by specifying the appropriate index for the
- h. Save the
localand close it.
- i. Close the
4. Repeat Step 3 for all
inputs.conf stanzas whose indexes you want to change.
For example, if your environment runs Active Directory on Windows Server 2008 R2, and you want the Performance Monitoring logs to go into an index called
winperf instead of the default
perfmon, do the following:
- Create and open
- Copy the
- Paste the copied stanza in the new
- Configure the attribute/value pair
index=activedirectoryin the stanza, so that it looks like this:
[perfmon://Processor] object = Processor counters = * instances = * interval = 10 disabled = 0 index=winperf
In this example, you must also change the index locations in the
[perfmon://DNS] stanzas, since they send data to the same index.
Edit eventtypes.conf to ensure the app sees the new index
Make changes to the Splunk App for Windows Infrastructure event types configuration file, as follows:
1. In the
splunk_app_windows_infrastructure\local directory, create an
2. Open that file for editing.
4. Copy the input stanza whose destination index you want to change from
5. Paste the stanza into the
6. Modify the stanza within
eventtypes.conf to use the new index.
Continuing from the previous example, the
[perfmon] stanza defines event types for performance monitoring statistics. Copy that stanza into
splunk_app_windows_infrastructure\local\eventtypes.conf and change the
index= attribute like this:
[perfmon] search = index=winperf source="Perfmon:*"
Deploy your changes
Once you have made the changes you need to match your existing Splunk App for Windows or Active Directory environment, you can deploy the add-ons and the Splunk App for Windows Infrastructure.
- If you use a deployment server to deploy the add-ons, then place the relevant add-ons for each Windows server role into
%SPLUNK_HOME%\etc\deployment-appson the deployment server.
- If you do not use a deployment server, then you must edit the configuration files for each add-on manually on each universal forwarder in the Splunk App for Windows Infrastructure deployment. The configuration file edits you must make depend specifically on which role(s) each Windows server performs. Refer to "Install the add-ons into universal forwarders" for specifics on where you should install the add-ons in your Windows deployment.
Prepare and configure the add-ons
Install the add-ons into universal forwarders
This documentation applies to the following versions of Splunk® App for Windows Infrastructure: 1.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4