Splunk® App for Windows Infrastructure (Legacy)

Deploy and Use the Splunk App for Windows Infrastructure

Acrobat logo Download manual as PDF


On October 20, 2021, the Splunk App for Windows Infrastructure will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Windows Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for Windows Infrastructure (Legacy). For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Download and configure the Splunk Add-on for Windows

This topic discusses downloading and configuring the Splunk Add-on for Windows and deploying it to the deployment clients to gather Windows data and send it to the Splunk App for Windows Infrastructure indexers.

About the Splunk Add-on for Windows

The Splunk Add-on for Windows collects Windows data from Windows hosts. In the context of the Splunk App for Windows Infrastructure, the add-on collects Windows data and provides knowledge objects for the app. You should deploy the Splunk Add-on for Windows to:

  • All hosts that run Active Directory Domain Services (including domain controllers and DNS servers).
  • All Windows hosts from which you want Windows data.
  • All indexers.
  • All search heads.
  • Basically, everywhere.

Download the Splunk Add-on for Windows

  1. Download the Splunk Add-on for Windows from Splunkbase and save it to an accessible place on the deployment server. You might need to sign in with your Splunk account before the download starts.
  2. When prompted, choose an accessible location on your deployment server to save the download. Do not attempt to run the download.
  3. Use an archive utility such as WinZip to unarchive the file to an accessible location.

Configure the Splunk Add-on for Windows

Before the add-on can collect Windows data, you must configure it.

  1. In the location where you unarchived the download file, locate the Splunk_TA_Windows directory.
  2. Inside this directory, make a subdirectory local.
  3. Copy the inputs.conf file in the default subdirectory to the local directory.
  4. Open the inputs.conf in the local subdirectory with a text editor, such as Notepad.
  5. Enable the Windows inputs you want to get data for. Do this by changing the value of the disabled attribute in each input stanza from 1 to 0. Note: At a minimum, enable the following sets of inputs. Do not enable the [admon] input:
    Input: Supported page(s):
    [WinEventLog://Application], [WinEventLog://Security], [WinEventLog://System] Event Monitoring
    [perfmon://FreeDiskSpace], [perfmon://Memory], [perfmon://LocalNetwork], [perfmon://CPUTime] Performance Monitoring
    [WinHostMon://Computer], [WinHostMon://Process], [WinHostMon://Processor], [WinHostMon://NetworkAdapter], [WinHostMon://Service], [WinHostMon://OperatingSystem], [WinHostMon://Disk], [WinHostMon://Driver], [WinHostMon://Roles] (Host Monitoring inputs) Host Monitoring
    [WinPrintMon://printer], [WinPrintMon://driver], [WinPrintMon://port] (Print Monitoring inputs) Print Monitoring
    [WinNetMon://inbound], [WinNetMon://outbound] (Network Monitoring inputs) Network Monitoring
  6. Save the inputs.conf file in the local subdirectory.

What's next?

You have downloaded and configured the Splunk Add-on for Windows.

Next, you will deploy it to the deployment clients. Once they receive the add-on, they will use the configuration in the "send to indexer" app to send Windows data to the indexer.

Last modified on 17 August, 2017
PREVIOUS
Add the universal forwarder to the server class
  NEXT
Deploy the Splunk Add-on for Windows

This documentation applies to the following versions of Splunk® App for Windows Infrastructure (Legacy): 1.4.0


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters