Splunk® App for Windows Infrastructure

Deploy and Use the Splunk App for Windows Infrastructure


This documentation does not apply to the most recent version of the Splunk App for Windows Infrastructure (MSApp).

Download and configure the Splunk Add-on for Windows

This topic discusses downloading and configuring the Splunk Add-on for Windows and deploying it to the deployment clients to gather Windows data and send it to the Splunk App for Windows Infrastructure indexers.

About the Splunk Add-on for Windows

The Splunk Add-on for Windows collects Windows data from Windows hosts. In the context of the Splunk App for Windows Infrastructure, the add-on collects Windows data and provides knowledge objects for the app. You should deploy the Splunk Add-on for Windows to:

  • All hosts that run Active Directory Domain Services (including domain controllers and DNS servers).
  • All Windows hosts from which you want Windows data.
  • All indexers.
  • All search heads.
  • Basically, everywhere.

Download the Splunk Add-on for Windows

You can download the Splunk Add-on for Windows from Splunkbase.

Download the add-on and save it to an accessible place on the deployment server:

1. In a web browser, proceed to the Splunk Add-on for Windows download page.

2. Click the download link to begin the download process.

  • Make sure you download the latest version of the add-on.
  • You might need to sign in with your Splunk account before the download starts.

3. When prompted, choose an accessible location on your deployment server to save the download. Do not attempt to run the download.

4. Use an archive utility such as WinZip to unarchive the file to an accessible location.

Configure the Splunk Add-on for Windows

Before the add-on can collect Windows data, you must configure it.

  1. In the location where you unarchived the download file, locate the Splunk_TA_Windows directory.
  2. Inside this directory, make a subdirectory local.
  3. Copy the inputs.conf file in the default subdirectory to the local directory.
  4. Open the inputs.conf in the local subdirectory with a text editor, such as Notepad.
  5. Enable the Windows inputs you want to get data for. Do this by changing the value of the disabled attribute in each input stanza from 1 to 0. At a minimum, enable the following sets of inputs. Do not enable the [admon://default] input; Active Directory data is collected by the domain controller add-ons, not by this add-on.
     Supported page          Inputs to enable
     Event Monitoring        [WinEventLog://Application], [WinEventLog://Security], [WinEventLog://System]
     Performance Monitoring  [perfmon://FreeDiskSpace], [perfmon://Memory], [perfmon://LocalNetwork], [perfmon://CPUTime]
     Host Monitoring         [WinHostMon://Computer], [WinHostMon://Process], [WinHostMon://Processor], [WinHostMon://NetworkAdapter], [WinHostMon://Service], [WinHostMon://OperatingSystem], [WinHostMon://Disk], [WinHostMon://Driver], [WinHostMon://Roles]
     Print Monitoring        [WinPrintMon://printer], [WinPrintMon://driver], [WinPrintMon://port]
     Network Monitoring      [WinNetMon://inbound], [WinNetMon://outbound]
  6. Save the inputs.conf file in the local subdirectory.
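The following PowerShell script is an added example for this procedure; it is not part of the Splunk documentation or of Splunk_TA_windows. It performs steps 2, 4, 5 and 6 on the deployment server, but instead of the full copy in step 3 it writes local\inputs.conf as an overlay that contains only the stanzas listed above with disabled = 0 (Splunk layers local over default, so the result is the same, and a later add-on upgrade that changes default\inputs.conf is not masked by a stale full copy). It never writes an admon stanza, so [admon://default] keeps the disabled setting it ships with. The path in $TaRoot and the index name in $EventLogIndex are assumptions; the index must exist on the indexers.

```powershell
# Added example for this topic; not code from the Splunk documentation or from
# Splunk_TA_windows. Writes Splunk_TA_windows\local\inputs.conf as an overlay that
# enables exactly the inputs listed in step 5 and never mentions admon, so
# [admon://default] keeps the disabled setting it ships with in default\inputs.conf.
# $TaRoot and $EventLogIndex are assumptions; adjust them to your environment.
param(
    # Where the downloaded add-on was unarchived (assumed path).
    [string]$TaRoot = 'C:\SplunkDownloads\Splunk_TA_windows',
    # Index for the Windows event logs (assumed name; it must exist on the indexers).
    [string]$EventLogIndex = 'wineventlog'
)

# The stanzas this topic says to enable, grouped by the app page they feed.
$eventMonitoring   = 'WinEventLog://Application', 'WinEventLog://Security', 'WinEventLog://System'
$perfMonitoring    = 'perfmon://FreeDiskSpace', 'perfmon://Memory', 'perfmon://LocalNetwork', 'perfmon://CPUTime'
$hostMonitoring    = 'Computer', 'Process', 'Processor', 'NetworkAdapter', 'Service',
                     'OperatingSystem', 'Disk', 'Driver', 'Roles' | ForEach-Object { "WinHostMon://$_" }
$printMonitoring   = 'printer', 'driver', 'port' | ForEach-Object { "WinPrintMon://$_" }
$networkMonitoring = 'WinNetMon://inbound', 'WinNetMon://outbound'
$enable = @($eventMonitoring) + @($perfMonitoring) + @($hostMonitoring) + @($printMonitoring) + @($networkMonitoring)

# One stanza per input: disabled = 0 overrides the disabled = 1 in default\inputs.conf.
# Event log stanzas also get an explicit index so they do not land in the default index (usually main).
$lines = foreach ($stanza in $enable) {
    "[$stanza]"
    'disabled = 0'
    if ($stanza -like 'WinEventLog://*') { "index = $EventLogIndex" }
    ''
}

$localDir  = Join-Path $TaRoot 'local'
$localConf = Join-Path $localDir 'inputs.conf'
New-Item -ItemType Directory -Path $localDir -Force | Out-Null
# ASCII keeps a UTF-8 byte-order mark from being written in front of the first stanza header.
Set-Content -Path $localConf -Value $lines -Encoding ASCII

# Read the file back and check it before it goes to the deployment clients:
# every stanza must be one we intended, and no admon stanza may be present.
$written = Get-Content -Path $localConf | ForEach-Object { if ($_ -match '^\[(.+)\]$') { $Matches[1] } }
$unexpected = $written | Where-Object { $_ -notin $enable }
if ($unexpected) { throw "Unexpected stanza(s) in ${localConf}: $($unexpected -join ', ')" }
if ($written | Where-Object { $_ -like 'admon://*' }) { throw "admon must not be configured in $localConf" }
"Wrote $($written.Count) enabled input stanzas to $localConf"
$written
```

Run the script once from a PowerShell prompt on the deployment server after step 1, pointing $TaRoot at the Splunk_TA_windows directory you unarchived. Once the add-on has reached a forwarder, running "splunk btool inputs list WinEventLog://Security --debug" on that host shows the merged stanza and which file each setting came from, which is the quickest way to confirm that local\inputs.conf won and that admon is still disabled. Reading the Security event log also requires the forwarder service account to be Local System, a local administrator, or a member of the Event Log Readers group; otherwise the Security stanza is enabled but yields no events.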

What's next?

You have downloaded and configured the Splunk Add-on for Windows.

Next, you will deploy it to the deployment clients. Once they receive the add-on, they will use the configuration in the "send to indexer" app to send Windows data to the indexer.


This documentation applies to the following versions of Splunk® App for Windows Infrastructure: 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.3.0


Actually, you don't want to specify anything for admon in the inputs.conf for the Windows TA. The Domain Controller TAs (described in the "Get Active Directory data" chapter) handle the admon inputs.

Malmoore, Splunker
July 20, 2015

It's also a good idea to specify an index for the `[admon://default]` input when you edit the local inputs.conf. The current version (4.7.5) of Splunk_TA_windows will otherwise send the data to the default index (usually `main`).

Steven swor
June 3, 2015
