Splunk® App for Windows Infrastructure

Deploy and Use the Splunk App for Windows Infrastructure

This documentation does not apply to the most recent version of the Splunk App for Windows Infrastructure. See the current documentation for the latest version.

Prepare and configure the add-ons

This topic describes how to prepare the add-ons that the Splunk App for Windows Infrastructure needs before you deploy them to the universal forwarders installed on your Windows servers.

As described previously, the suite of add-ons for the Splunk App for Windows Infrastructure collects Windows and Active Directory data and sends it to the central Splunk App for Windows Infrastructure instance for viewing, reporting, and alerting. To ensure that you collect the right data, especially if you have an existing Splunk App for Windows or Splunk App for Active Directory installation, take a few moments to confirm that each add-on points to the appropriate indexes and has the correct event types configured.

More information about the add-ons

The following table reminds you where you can find the add-ons that the Splunk App for Windows Infrastructure needs, and what each add-on provides.

TA-DomainController-NT5 / TA-DomainController-NT6
  Where to find it: in the Splunk App for Windows Infrastructure installation package, at splunk_app_windows_infrastructure\appserver\addons
  What it provides: Active Directory statistics

TA-DomainController-2012r2
  Where to find it: in the Splunk App for Windows Infrastructure installation package, at splunk_app_windows_infrastructure\appserver\addons
  What it provides: Active Directory statistics for computers that run Windows Server 2012 R2 only. Requires the Splunk Add-on for PowerShell.

TA-DNSServer-NT5 / TA-DNSServer-NT6
  Where to find it: in the Splunk App for Windows Infrastructure installation package, at splunk_app_windows_infrastructure\appserver\addons
  What it provides: Windows DNS server statistics and DNS server logs

Splunk Add-on for Windows (Splunk_TA_Windows)
  Where to find it: on Splunk Apps (downloaded separately)
  What it provides: Windows statistics (event logs; registry, network, host and print monitoring)

Splunk Add-on for PowerShell (SA-ModularInput-PowerShell)
  Where to find it: on Splunk Apps (downloaded separately)
  What it provides: PowerShell extensions. The TA-DomainController-2012r2 add-on requires this add-on.

Active Directory Add-ons

TA-DNSServer-NT5: for DNS servers running Windows Server 2003/2003 R2 and earlier
TA-DNSServer-NT6: for DNS servers running Windows Server 2008/2008 R2 and later
TA-DomainController-NT5: for Active Directory domain controllers running Windows Server 2003/2003 R2 and earlier
TA-DomainController-NT6: for Active Directory domain controllers running Windows Server 2008/2008 R2 and later
TA-DomainController-2012r2: for Active Directory domain controllers running Windows Server 2012 R2 and later. Requires the Splunk Add-on for PowerShell.

Configure the add-ons you downloaded separately

You must also configure the add-ons that you downloaded separately as part of the Splunk App for Windows Infrastructure installation. These add-ons are:

Splunk_TA_Windows: provides Windows data. Enable the specific inputs in inputs.conf for the data that you want to collect, then deploy the add-on to your Windows servers. Read "Review and edit configuration files" for details on how to enable the inputs.
SA-ModularInput-PowerShell: provides PowerShell extensions. The TA-DomainController-2012r2 add-on requires this add-on.

Review and edit configuration files

The Active Directory add-ons ship with inputs enabled by default, and have been configured to send data to specific indexes. In a brand new installation, you do not need to make changes to these add-ons.

The Splunk Add-on for Windows, however, ships with all inputs disabled by default. It requires you to enable inputs prior to deployment.

To enable inputs:

1. Unpack the Splunk Add-on for Windows package to an accessible location.

2. Copy inputs.conf from Splunk_TA_Windows\default to Splunk_TA_Windows\local, creating the local directory if it does not already exist.

3. Using a text editor, open Splunk_TA_Windows\local\inputs.conf for editing.

4. Enable the inputs for which you want data collected by setting the disabled attribute for each input to 0. For example, to enable the [WinEventLog://Security] event log input, change the input stanza so that it looks like the following:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5

Understand the other settings in this stanza before you deploy it. With start_from = oldest and current_only = 0, the forwarder reads every event already in the log before it starts following new ones, so the first run can send a large backlog from a busy domain controller; set current_only = 1 if you only want events logged after the input starts. evt_resolve_ad_obj = 1 resolves the SIDs and GUIDs in each event to account and object names by querying Active Directory, so the indexed events carry names rather than raw SIDs, at the cost of extra lookups against your domain controllers. checkpointInterval = 5 writes the read position every 5 seconds. Edit only the copy in Splunk_TA_Windows\local; the files in Splunk_TA_Windows\default are overwritten when you upgrade the add-on.

5. Save the file and close it.

Which inputs must be enabled?

To ensure maximum data coverage in the Splunk App for Windows Infrastructure, enable the following inputs in the Splunk Add-on for Windows:

Event Monitoring pages: [WinEventLog://Application], [WinEventLog://Security], [WinEventLog://System]
Performance Monitoring pages: [perfmon://FreeDiskSpace], [perfmon://Memory], [perfmon://LocalNetwork], [perfmon://CPUTime]
Network Monitoring pages: the Network Monitoring inputs
Print Monitoring pages: the Print Monitoring inputs
Host Monitoring pages: the Host Monitoring inputs
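The procedure above has you set disabled to 0 in a copy of inputs.conf, and the table above lists which inputs the app's pages need. The following Python script is an added example, not part of the Splunk App for Windows Infrastructure or the Splunk Add-on for Windows, that checks the two against each other before you deploy: it parses a default/inputs.conf and a local/inputs.conf, merges them the way Splunk does (local overrides default, stanza by stanza and key by key), reports every required input that is still disabled or not defined at all, and prints the minimal local/inputs.conf overrides that would fix the disabled ones. The two inputs.conf excerpts embedded in it are constructed stand-ins, not the add-on's real files; REQUIRED_INPUTS is taken from the table of required inputs above; and parse_conf, merge_layers, input_status, missing_inputs and render_local_overrides are names chosen for this example.

```python
"""Check which Splunk_TA_Windows inputs are enabled once default/ and local/ are merged.

Splunk layers inputs.conf: a stanza in local/inputs.conf overrides, key by key, the same
stanza in default/inputs.conf; anything absent from local/ keeps its default value.
"""
import re

# Constructed excerpt standing in for Splunk_TA_Windows\default\inputs.conf (every input disabled).
DEFAULT_INPUTS = """\
[WinEventLog://Application]
disabled = 1
start_from = oldest

[WinEventLog://Security]
disabled = 1
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1

[WinEventLog://System]
disabled = 1

[perfmon://CPUTime]
counters = % Processor Time
disabled = 1

[perfmon://FreeDiskSpace]
counters = Free Megabytes; % Free Space
disabled = 1
"""

# Constructed local\inputs.conf: only the keys being overridden are needed.
LOCAL_INPUTS = """\
[WinEventLog://Security]
disabled = 0

[perfmon://CPUTime]
disabled = 0
"""

REQUIRED_INPUTS = {  # from the "Which inputs must be enabled?" table
    "Event Monitoring": ["WinEventLog://Application", "WinEventLog://Security", "WinEventLog://System"],
    "Performance Monitoring": ["perfmon://FreeDiskSpace", "perfmon://Memory", "perfmon://LocalNetwork", "perfmon://CPUTime"],
}

_STANZA = re.compile(r"^\[(?P<name>[^\]]+)\]$")
_KEY = re.compile(r"^(?P<key>[^=#\s][^=]*?)\s*=\s*(?P<value>.*)$")

def parse_conf(text):
    """Parse Splunk .conf text ('[stanza]' headers, 'key = value' lines, '#' comments)."""
    conf, stanza = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if (m := _STANZA.match(line)):
            stanza = conf.setdefault(m.group("name"), {})
        elif (m := _KEY.match(line)) and stanza is not None:
            stanza[m.group("key")] = m.group("value").strip()
    return conf

def merge_layers(default_text, local_text):
    """Apply Splunk precedence: local overrides default, stanza by stanza, key by key."""
    effective = {name: dict(keys) for name, keys in parse_conf(default_text).items()}
    for name, keys in parse_conf(local_text).items():
        effective.setdefault(name, {}).update(keys)
    return effective

def input_status(effective, stanza):
    """'enabled', 'disabled' or 'absent' for one input after the layers are merged."""
    keys = effective.get(stanza)
    if keys is None:
        return "absent"
    # Splunk treats a stanza with no 'disabled' key as enabled.
    return "enabled" if keys.get("disabled", "0").lower() in ("0", "false") else "disabled"

def missing_inputs(effective, required=REQUIRED_INPUTS):
    """{app page: {stanza: status}} for every required input that will not collect data."""
    gaps = {}
    for page, stanzas in required.items():
        bad = {s: st for s in stanzas if (st := input_status(effective, s)) != "enabled"}
        if bad:
            gaps[page] = bad
    return gaps

def render_local_overrides(effective, required=REQUIRED_INPUTS):
    """Minimal local/inputs.conf text that turns the still-disabled required stanzas on."""
    out = []
    for page, bad in missing_inputs(effective, required).items():
        out.append(f"# Needed by the {page} pages")
        for stanza, status in bad.items():
            if status == "disabled":
                out += [f"[{stanza}]", "disabled = 0", ""]
            else:  # 'disabled = 0' cannot enable a stanza default/ never defined
                out.append(f"# [{stanza}] is not in default/inputs.conf: add a full stanza")
    return "\n".join(out)

if __name__ == "__main__":
    eff = merge_layers(DEFAULT_INPUTS, LOCAL_INPUTS)
    for page, bad in missing_inputs(eff).items():
        print(f"{page}: " + ", ".join(f"{s} ({st})" for s, st in bad.items()))
    print(render_local_overrides(eff))
```

To run it against a real deployment, replace the two embedded strings with the contents of Splunk_TA_Windows\default\inputs.conf and Splunk_TA_Windows\local\inputs.conf. A required input reported as absent (the perfmon Memory and LocalNetwork stanzas in the constructed sample) cannot be enabled with disabled = 0 alone; it needs a full stanza with its object, counters and interval, which is why the script flags it instead of emitting an override.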
Last modified on 29 April, 2014

This documentation applies to the following versions of Splunk® App for Windows Infrastructure: 1.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4

