Download and configure the Splunk Add-on for Windows
This topic discusses downloading and configuring the Splunk Add-on for Windows and deploying it to the deployment clients to gather Windows data and send it to the Splunk App for Windows Infrastructure indexers.
About the Splunk Add-on for Windows
The Splunk Add-on for Windows collects Windows data from Windows hosts. In the context of the Splunk App for Windows Infrastructure, the add-on collects Windows data and provides knowledge objects for the app. You should deploy the Splunk Add-on for Windows to:
- All hosts that run Active Directory Domain Services (including domain controllers and DNS servers).
- All Windows hosts from which you want Windows data.
- All indexers.
- All search heads.
- Basically, everywhere.
Download the Splunk Add-on for Windows
- Download the Splunk Add-on for Windows from Splunkbase and save it to an accessible place on the deployment server. You might need to sign in with your Splunk account before the download starts.
- When prompted, choose an accessible location on your deployment server to save the download. Do not attempt to run the download.
- Use an archive utility such as WinZip to unarchive the file to an accessible location.
Configure the Splunk Add-on for Windows
Before the add-on can collect Windows data, you must configure it.
- In the location where you unarchived the download file, locate the Splunk_TA_Windows directory.
- Inside this directory, make a subdirectory named local.
- Copy the inputs.conf file in the default subdirectory to the local directory.
- Open the inputs.conf in the local subdirectory with a text editor, such as Notepad.
- Enable the Windows inputs you want to get data for. Do this by changing the value of the disabled attribute in each input stanza from 1 to 0. Note: At a minimum, enable the following sets of inputs. Do not enable the [admon] input:
  - Input: [WinEventLog://Application], [WinEventLog://Security], [WinEventLog://System]. Supported page(s): Event Monitoring
  - Input: [perfmon://FreeDiskSpace], [perfmon://Memory], [perfmon://LocalNetwork], [perfmon://CPUTime]. Supported page(s): Performance Monitoring
  - Input: [WinHostMon://Computer], [WinHostMon://Process], [WinHostMon://Processor], [WinHostMon://NetworkAdapter], [WinHostMon://Service], [WinHostMon://OperatingSystem], [WinHostMon://Disk], [WinHostMon://Driver], [WinHostMon://Roles] (Host Monitoring inputs). Supported page(s): Host Monitoring
  - Input: [WinPrintMon://printer], [WinPrintMon://driver], [WinPrintMon://port] (Print Monitoring inputs). Supported page(s): Print Monitoring
  - Input: [WinNetMon://inbound], [WinNetMon://outbound] (Network Monitoring inputs). Supported page(s): Network Monitoring
- Save the inputs.conf file in the local subdirectory.
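The edit in the steps above can be scripted so that only the intended inputs are switched on. The following Python sketch is an added example, not code from Splunk or the add-on: it takes the text of default/inputs.conf and returns the text to save as local/inputs.conf, with the disabled attribute set to 0 only for the minimum inputs listed above. The function name, the sample file contents and the [admon://default] stanza name in the sample are assumptions made for illustration.

```python
import re

# Minimum input stanzas named on this page ([admon] is deliberately absent).
MINIMUM_INPUTS = frozenset("""
WinEventLog://Application WinEventLog://Security WinEventLog://System
perfmon://FreeDiskSpace perfmon://Memory perfmon://LocalNetwork perfmon://CPUTime
WinHostMon://Computer WinHostMon://Process WinHostMon://Processor
WinHostMon://NetworkAdapter WinHostMon://Service WinHostMon://OperatingSystem
WinHostMon://Disk WinHostMon://Driver WinHostMon://Roles
WinPrintMon://printer WinPrintMon://driver WinPrintMon://port
WinNetMon://inbound WinNetMon://outbound
""".split())

STANZA = re.compile(r"^\[(.+)\]\s*$")
DISABLED = re.compile(r"^\s*disabled\s*=\s*(\S+)\s*$", re.IGNORECASE)

def enable_inputs(conf_text, wanted=MINIMUM_INPUTS):
    """Return (new_text, enabled, missing) for a copy of default/inputs.conf."""
    if any(name.lower().startswith("admon") for name in wanted):
        raise ValueError("the page says not to enable the admon input")
    out, enabled, stanza = [], [], None
    for line in conf_text.splitlines():
        header = STANZA.match(line)
        if header:
            stanza = header.group(1)          # remember which stanza we are in
        elif stanza in wanted and DISABLED.match(line):
            line = "disabled = 0"             # enable only allow-listed stanzas
            enabled.append(stanza)
        out.append(line)                      # everything else is copied as-is
    missing = sorted(set(wanted) - set(enabled))
    return "\n".join(out) + "\n", enabled, missing

# Constructed sample, not the add-on's real default/inputs.conf.
SAMPLE_DEFAULT = """\
[WinEventLog://Security]
disabled = 1
start_from = oldest

[perfmon://Memory]
disabled = 1
interval = 10

[admon://default]
disabled = 1
"""

if __name__ == "__main__":
    text, enabled, missing = enable_inputs(SAMPLE_DEFAULT)
    print(text, enabled, len(missing), sep="\n")
```

The missing list names any input from the page that had no disabled line to change in the file, which is worth checking before the add-on is deployed.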
What's next?
You have downloaded and configured the Splunk Add-on for Windows.
Next, you will deploy it to the deployment clients. Once they receive the add-on, they will use the configuration in the "send to indexer" app to send Windows data to the indexer.
This documentation applies to the following versions of Splunk® App for Windows Infrastructure (Legacy): 1.4.0