Splunk® App for Windows Infrastructure

Deploy and Use the Splunk App for Windows Infrastructure


This documentation does not apply to the most recent version of MSApp.

What a Splunk App for Windows Infrastructure deployment looks like

This topic explains the overall architecture of a Splunk App for Windows Infrastructure deployment.

For instructions on how to deploy the app, read "How to deploy the Splunk App for Windows Infrastructure."

Overview

At a minimum, the Splunk App for Windows Infrastructure consists of a "central" Splunk instance that holds the indexes, runs Splunk Web, and is the instance users log into to view the app.

The central Splunk instance can be one or more servers

A central Splunk instance can consist of one or more servers:

  • An indexer that indexes data collected from itself or received from other Windows servers.
  • A search head that searches the indexed data and hosts the app.

These services can be on the same server. If you want to scale the deployment for additional performance and incoming data volume, you can distribute the central Splunk instance by adding indexers and search heads.

The central Splunk instance can run on any Splunk-supported operating system

You can deploy the Splunk App for Windows Infrastructure on *nix search heads and use *nix indexers to index the data. In this scenario, the *nix indexers must receive the data from universal forwarders running on the Windows hosts: the Windows-specific inputs (event logs, performance counters and Active Directory monitoring) only run on Windows, so a non-Windows indexer cannot collect that data itself.

The Splunk App for Windows Infrastructure can monitor many Windows servers at once

The Splunk App for Windows Infrastructure supports collecting data from hundreds of machines. There are many ways to configure the Splunk App for Windows Infrastructure, depending on your network's topology.

You monitor additional servers with your Splunk App for Windows Infrastructure deployment by:

  • Installing universal forwarders on each Windows server or Active Directory domain controller you want to include in the environment.
  • Configuring the forwarders to send data to the indexers in the central Splunk instance.
  • Deploying the Splunk Add-on for Windows onto those forwarders.

The central Splunk instance indexes the incoming data and makes it available for viewing, searching, and reporting within the app.
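The three steps above, carried out on one Windows host, look like the following script. This is an added example, not part of the Splunk documentation or the add-on: it assumes the universal forwarder is already installed in its default location, that the Splunk Add-on for Windows (the `Splunk_TA_windows` package) has been unpacked to a staging directory, and that the indexers in the central instance already accept forwarder traffic on TCP 9997. The indexer names, the staging path and the output group name are hypothetical.

```powershell
# Added example (not from the Splunk documentation): prepare one Windows host
# as a universal forwarder for the Splunk App for Windows Infrastructure.
# Assumptions (hypothetical values): the universal forwarder is installed in
# the default location, the Splunk Add-on for Windows has been unpacked to
# $AddonSource, and each indexer accepts forwarder traffic on TCP 9997
# (enabled on the indexer with "splunk enable listen 9997").
param(
    [string[]] $Indexers    = @('idx1.example.local:9997', 'idx2.example.local:9997'),
    [string]   $AddonSource = 'C:\staging\Splunk_TA_windows',
    [string]   $SplunkHome  = "$env:ProgramFiles\SplunkUniversalForwarder"
)

$ErrorActionPreference = 'Stop'
$splunk = Join-Path $SplunkHome 'bin\splunk.exe'
if (-not (Test-Path $splunk)) { throw "Universal forwarder not found under $SplunkHome" }

# 1. Deploy the add-on into the forwarder's apps directory.
#    Copying the contents (not the folder) avoids nesting a second
#    Splunk_TA_windows directory when the destination already exists.
$appDir = Join-Path $SplunkHome 'etc\apps\Splunk_TA_windows'
New-Item -ItemType Directory -Path $appDir -Force | Out-Null
Copy-Item -Path (Join-Path $AddonSource '*') -Destination $appDir -Recurse -Force

# 2. Enable the inputs in the add-on's local/ directory. The add-on ships its
#    inputs disabled in default/; settings in local/ override default/ and are
#    not overwritten when the add-on is upgraded. Enable the admon stanza on
#    domain controllers to collect Active Directory changes.
$localDir = Join-Path $appDir 'local'
New-Item -ItemType Directory -Path $localDir -Force | Out-Null
@'
[WinEventLog://Application]
disabled = 0

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0

# [admon://NearestDC]
# disabled = 0
'@ | Set-Content -Path (Join-Path $localDir 'inputs.conf') -Encoding ASCII

# 3. Point the forwarder at the indexers of the central instance. Listing
#    several indexers in one tcpout group makes the forwarder load-balance
#    across them. TLS for this link is configured in the same stanza
#    (sslCertPath, sslRootCAPath, sslVerifyServerCert in outputs.conf);
#    without it, Security event log content crosses the network in clear text.
$systemLocal = Join-Path $SplunkHome 'etc\system\local'
New-Item -ItemType Directory -Path $systemLocal -Force | Out-Null
@"
[tcpout]
defaultGroup = windows_indexers

[tcpout:windows_indexers]
server = $($Indexers -join ', ')
"@ | Set-Content -Path (Join-Path $systemLocal 'outputs.conf') -Encoding ASCII

# 4. Restart the forwarder so it loads the add-on and the new outputs.
& $splunk restart
```

Run the script in an elevated PowerShell session on each Windows server or domain controller, passing `-Indexers` with your own indexer list. After the restart, `splunk list forward-server` (run as a Splunk admin user) shows whether the forwarder has an active connection to at least one indexer; a host that appears only under the inactive list usually has a firewall or DNS problem on the path to port 9997.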

Example deployment

The diagram below depicts an example Splunk App for Windows Infrastructure deployment.

Each Windows server or Active Directory domain controller on your network gets a Splunk universal forwarder. On that forwarder, you install the Splunk Add-on for Windows. The add-on's inputs collect Windows or Active Directory data, and the forwarder sends it to the indexer(s) in the central Splunk App for Windows Infrastructure instance.

The central Splunk App for Windows Infrastructure instance has at least a search head (with the Splunk App for Windows Infrastructure installed on it) and an indexer. The indexer indexes the Windows or Active Directory data (as shown by the black arrows), and the search head searches the indexer for that data (as shown by the green arrow). The indexer returns events to the search head (blue arrow). Users log into the search head to use the app and see the data.

Optionally, if any server in the central Splunk App for Windows Infrastructure instance is a Windows server, you can install the Splunk Add-on for Windows on that server to get that server's Windows data.

[Diagram: Typical Splunk App for Windows Infrastructure layout]

Splunk's Professional Services can help with questions and provide assistance with large or complex layouts.


This documentation applies to the following versions of Splunk® App for Windows Infrastructure: 1.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4

