Splunk® App for Windows Infrastructure (Legacy)

Deploy and Use the Splunk App for Windows Infrastructure

Acrobat logo Download manual as PDF


On October 20, 2021, the Splunk App for Windows Infrastructure will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Windows Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for Windows Infrastructure (Legacy). For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Windows Help

This topic discusses each of the pages within the Windows module of the Splunk App for Windows Infrastructure. It describes actions you can perform in each of the panels, as well as what data inputs drive each page.

You can access any of these pages by selecting the appropriate item under the Windows menu.

Overview

The Splunk App for Windows Infrastructure has several sets of pages, each of which displays a different element of Windows data collection.

  • The Event Monitoring page set displays information on Windows event log data that has been collected.
  • The Performance Monitoring page group displays information about performance monitor statistics that has been collected.
  • The System Monitoring page group displays information on applications that have been installed or have crashed, as well as Windows Update information.
  • The Host Monitoring page group displays information on hosts on the Windows network.
  • The Network Monitoring page group displays information on network statistics, including network usage by host and process.
  • The Print Monitoring page group displays information on printers, print jobs, and print queues for each host.
  • The Settings pages allow you to configure and generate lookups for the app.

Use the wild card capability on 'Host' drop down control

Nearly all of the pages in the Windows module of the Splunk App for Windows Infrastructure have a Host drop-down control box. In all such controls, you can type in text, including wildcards, and the Splunk App for Windows Infrastructure filters the data to include only those events generated by hosts whose names match the text that you enter.

This works particularly well if you use a standard host naming convention in your environment. For example, if all domain controllers in the environment have host names which contain the strong "DC", or all IIS servers' host names contain the string "IIS", you can type in "DC" in any Host control to display data collected from all domain controllers, or "IIS" to display information from all computers in your environment that run Internet Information Server.

This feature is only available for 'Host' drop-down controls.

Overview

The Overview page contains three panels: Windows events, Windows performance counters and All indexed data. The "Windows events" and "Windows performance counters" panels have counters which, when clicked, take you to a Search page that lists all of the events found for that particular counter.

The "Windows events" panel has counters for numbers of hosts, log names, and event IDs. The "Windows performance counters" panel has counters for numbers of hosts, performance objects, and performance counters.

Windows events: Provides information on the number of hosts from which event log data is being collected, the number of event logs and number of event IDs.

Windows performance counters: Provides information on the number of hosts from which performance data is being collected, number of objects and total number of counters.

All indexed data: Provides a chronologically-sorted list of the sources, source types, and hosts that the Splunk App for Windows Infrastructure has collected data on.

You can control how much data this panel displays by clicking the time picker and choosing one of the available range presets or selecting a custom time range.

Event Monitoring

The Event monitoring page contains panels for many Windows Event Log statistics. They include trend lines which help you isolate areas of peak activity. You can mouse over the trend lines to get individual values, and click the trend lines to open a Search window that shows events collected in the time frame where you clicked.

The panels are:

  • Event source names
  • Task categories
  • Hosts
  • Event IDs
  • The number of events by host over time
  • The number of events by event code over time
  • Event codes
  • Event log names
  • Event types

Filter event log data

At the top of the Event Monitoring page, there is a row of drop-down boxes that lets you filter the indexed data via a number of parameters:

  • Host
  • Event Log Name
  • Source Name
  • Task Category
  • Event Code
  • Type

The parameters filter out data based on what you pick in each drop down. For example, if you select a host in the Host drop down, the other drop-downs update to show only data collected for that host. In this way, you can "drill down" to find the event log data for the host, log channel, source name, task category, event code, and type you seek.

Additionally, each drop down box is also a text field. You can click your mouse on any drop down box on the page to enter text into that box. The Splunk App for Windows immediately filters the collected data to show only entries that match what you type into any of the boxes.

Finally, the Additional Search Criteria text entry box allows you to search for a specific word or phrase across all of your indexed event log data.

Requirements

The panels on this page require you to enable one or more Windows event log inputs (Splunk recommends that you enable at least the Application, System, Security, and Setup log channels).

Performance Monitoring

The Performance Monitoring page contains panels for CPU, Memory, Physical Disk, Logical Disk, Network Interface, and System metrics.

You can customize the data that appears in the panels by selecting different counters and instances. You can also drill into specifics on memory, CPU, disk and network traffic by host, process, and user.

The page also provides a list of useful reports at the bottom of the page. These reports can be used as a guide to customize new reports as you see fit.

Filter performance metrics

Each of the drop downs on the Performance Monitoring page is also a text box. You can click your mouse on any drop down box on the page to enter text into that box. The Splunk App for Windows immediately filters the collected performance metrics to show only entries that match what you type into any of the boxes.

Requirements

The panels on this page require the following inputs to display data:

  • CPU Metrics: Requires Performance monitoring input "Processor".
  • Memory Metrics: Requires Performance monitoring input "Memory".
  • Physical Disk Metrics: Requires Performance monitoring input "PhysicalDisk".
  • Logical Disk Metrics: Requires Performance monitoring input "LogicalDisk".
  • Network Metrics: Requires Performance monitoring input "Network Interface".
  • System Metrics: Requires Performance monitoring input "System".

System Monitoring

The System monitoring menu contains information about application crashes, application installs and Windows Updates.

Application Crashes

This page displays the status of application crashes on all of the machines in your environment. It shows you information on which applications are crashing and on which hosts these crashes occur. It also provides a list of useful searches that can be used as a guide to customize the page as the user sees fit.

This page requires you to enable one or more Windows event log inputs to function correctly. We recommend you enable at least the Application log channel.

Application installs

This page displays the status of application installs on all of the machines in your environment. It shows you information about successful and failed installs, and on which hosts these successes or failures occur. It shows which applications have been installed, and also provides a list of useful searches that can be used as a guide to customize the page as the user sees fit.

This page requires you to enable the Windows event log inputs to function correctly. We recommend you enable at least the Application log channel.

Windows updates

This page displays the status of Windows updates on all of the machines in your environment. It shows you information on which updates were successful and which were not, both by the Knowledge Base (KB) number of the update, and by the host applying the update. It also displays a list of useful searches at the bottom of the page that can be used as a guide to customize the page as the user sees fit.

This page requires you to enable the Windowsupdate.log file monitoring input to function correctly.

Settings

The Settings menu contains links to reviewing and generating lookups for the app.

Get Data In

The Setup Menu allows you to enable or disable the various inputs as described earlier in the Configuration pane.

It is only available if you run the Splunk App for Windows Infrastructure on a Windows search head.

List Lookups

View the lookup files that are used to populate dropdown lists in the Performance Monitoring and Event Monitoring pages.

Build Lookups

Create / Update lookup files that are used to populate dropdown lists in the Performance Monitoring and Event Monitoring page. The lookup files automatically get updated every hour via a background search. This functionality only need be used to explicitly invoke an update in the interim.

Last modified on 31 March, 2014
PREVIOUS
Dashboard reference
  NEXT
Active Directory Help

This documentation applies to the following versions of Splunk® App for Windows Infrastructure (Legacy): 1.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters