Splunk® App for Windows Infrastructure (Legacy)

Deploy and Use the Splunk App for Windows Infrastructure

On October 20, 2021, the Splunk App for Windows Infrastructure will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Windows Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for Windows Infrastructure (Legacy). For documentation on the most recent version, go to the latest release.

Lookup table reference

This topic discusses the lookup tables that drive the Splunk App for Windows.

Overview

The Splunk App for Windows uses lookup tables - comma-separated value (CSV) files which contain fields extracted from any indexed Windows data in the system - to populate some of its dashboards.

About once an hour around the clock, the app updates these lookup tables using saved searches. These searches add data to the lookup tables with new data that it has indexed within the last 24 hours.

The app also updates the lookup tables on demand when you select the appropriate Settings menu item within the app (see "Lookup tables" below for specific information about the lookup tables).

For additional information on the dashboards in the Splunk App for Windows, read "Dashboard reference" in this manual.

Large amounts of already-indexed data can slow lookup table generation

If you have already indexed a large amount of Windows event log data and/or performance metrics prior to configuring the Splunk App for Windows, the app might require a significant amount of additional time and resources to create lookup tables for the data. To ameliorate this potential issue, we strongly suggest that you create the lookup tables manually when starting to use the app. See "Create or update lookup tables" later in this topic for instructions.

Lookup tables

The Splunk App for Windows has several lookup tables, the details of which appear below. The app updates all of these lookup tables hourly:

Lookup table: Description: View(s):
windows_event_system.csv A table of hosts from which the app has indexed Windows event log data. * Overview
* Event Monitoring
* Application Crashes
* Application Installs
* Windows Update
windows_event_details.csv A table of Windows events which the app has indexed from accessible computers. * Overview
* Event Monitoring
* Application Crashes
* Application Installs
* Windows Update
windows_perfmon_system.csv A table of hosts from which the app has collected Windows performance metrics. * Overview
* Performance Monitoring
windows_perfmon_events.csv A table of Windows performance metrics which the app has indexed from accessible computers. * Overview
* Performance Monitoring

View and update lookup tables

While the application updates the lookup tables about once an hour, you can look at and update the tables manually whenever you wish.

To look at the tables, use the Settings > Lookup Management > List lookups menu items.

Event log lookups

  • Event Log > WinApp_Lookup_Event - Event Details: Displays information about all of the Windows event log events that the app has collected, sorted initially by event log channel name.
  • Event Log > WinApp_Lookup_Event - Event Code: Displays a list of indexed Windows event log codes.
  • Event Log > WinApp_Lookup_Event - EventCode Description: Displays a list of indexed event code descriptions, sorted by event code.
  • Event Log > WinApp_Lookup_Event - Host: Shows a list of hosts for which the app has collected event log events.
  • Event Log > WinApp_Lookup_Event - LogName: Displays a list of event log channels that the app has collected event log events on.
  • Event Log > WinApp_Lookup_Event - Task Category: Displays a list of event log task categories for events that the app has collected.

Performance counters

  • Performance counters > WinApp_Lookup_Perfmon - Collections, Object, and counters: Lists the performance monitor objects that the app as indexed, as well as the counters that belong to those objects.
  • Performance counters > WinApp_Lookup_Perfmon - Combined: Displays a table of collected performance objects, counters, and instances, sorted initially by object.
  • Performance counters > WinApp_Lookup_Perfmon - counters and instances: Displays a list of collected counters and the instances available under those counters.
  • Performance counters > WinApp_Lookup_Perfmon - Host: Displays a list of hosts for which the app has collected performance metrics.
  • Performance counters > WinApp_Lookup_Perfmon - Object: Displays a list of performance objects that the app has collected.

Create or update lookup tables

To create the lookup tables after initial installation, or update the tables manually with indexed data on demand, use the Settings > Lookup Management menu items:

  • Event Log > WinApp_Lookup_Build_Event - CreateNew - Details: Creates a new windows_event_details.csv file.
  • Event Log > WinApp_Lookup_Build_Event - CreateNew - Server: Creates a new windows_event_system.csv file.
  • Event Log > WinApp_Lookup_Build_Event - Update - Details: Updates the details of the existing windows_event_details.csv file.
  • Event Log > WinApp_Lookup_Build_Event - Update - Server: Updates the details of the existing windows_event_server.csv file.
  • Performance counters > WinApp_Lookup_Build_Perfmon - CreateNew - Details: Creates a new windows_perfmon_details.csv file.
  • Performance counters > WinApp_Lookup_Build_Perfmon - CreateNew - Server: Creates a new windows_perfmon_system.csv file.
  • Performance counters > WinApp_Lookup_Build_Perfmon - Update - Details: Updates the details of the existing windows_perfmon_details.csv file.
  • Performance counters > WinApp_Lookup_Build_Perfmon - Update - Server: Updates the details of the existing windows_perfmon_server.csv file.
Last modified on 04 January, 2014
Active Directory Reports   Troubleshoot the Splunk App for Windows Infrastructure

This documentation applies to the following versions of Splunk® App for Windows Infrastructure (Legacy): 1.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters