Platform and hardware requirements
The Splunk App for Windows Infrastructure supports Splunk Enterprise 7.0.x to 7.3.x. All instances of Splunk Enterprise in a Splunk App for Windows Infrastructure deployment must run version 7.0.x to 7.3.x.
Distributed installation of this app
This table provides a quick reference for installing this app onto a distributed deployment of Splunk Enterprise.
If you're using TA-Windows v6.0.0, you don't need TA_AD and TA_DNS. TA_AD and TA_DNS are merged with TA-Windows v6.0.0.
Splunk instance type | Supported | Required | Comments |
---|---|---|---|
Search Heads | Yes | Yes | Install this app onto all search heads where you require knowledge management. |
Indexers | No | No | The Splunk App for Windows Infrastructure does not require installation on indexers, but some components that the app needs to work, such as the Splunk Add-on for Windows, must be installed there. The indexes to which the Splunk Add-on for Windows sends data must be defined on the indexers. |
Heavy Forwarders | No | No | The Splunk App for Windows Infrastructure does not do anything when you install it on a heavy forwarder, but you can install components that the app needs to function on HFs if you want. |
Universal Forwarders | No | No | Use universal forwarders to get the data you need for the app. See the following chapters for instructions on how to configure forwarders to get data (each link goes to the first topic in the chapter): |
Light Forwarders | No | No | You can use light forwarders to send data to indexers for the app, but remember that: |
Distributed deployment compatibility
This table provides a quick reference for the compatibility of this add-on with Splunk distributed deployment features.
Distributed deployment feature | Supported | Comments |
---|---|---|
Search Head Clusters | Yes | You can install this app on a search head cluster. Follow the procedures that this manual outlines to get the data for the app, then install the app on the cluster. |
Indexer Clusters | Yes | Before you start the Splunk App for Windows Infrastructure installation, configure your indexer cluster. |
Deployment Server | Yes | These instructions use a deployment server to set up some of the basic environment for the Splunk App for Windows Infrastructure, including the "send to indexer" package, which tells forwarders that connect to the deployment server to send data to indexers or indexer clusters that you have configured for use with the app. |
Hardware requirements
The Splunk App for Windows Infrastructure installs onto a full Splunk Enterprise instance. The app does not install onto a universal forwarder or a light forwarder, because it requires Splunk Web to function fully.
The app has memory, CPU, and disk requirements that are above the standard hardware requirements for the core Splunk Enterprise platform. The added resource requirements depend on how you deploy the app. Be sure to deploy hardware that meets or exceeds the hardware requirements listed in the core Splunk Enterprise documentation.
- For additional details about supported versions of Windows for Splunk Enterprise, see "System requirements" in the core Splunk Enterprise documentation.
- For information about estimating hardware requirements for a Splunk deployment, read the following core Splunk Enterprise documentation topics:
  - Introduction to capacity planning for Splunk Enterprise in the Capacity Planning Manual.
Operating system requirements
You can install the Splunk App for Windows Infrastructure on Splunk Enterprise instances that run on many current versions of Windows, including:
- Windows 7, 8.1, and 10 (64-bit only).
- Windows Server 2008/2008 R2, Server 2012/2012 R2 (64-bit only) and Server 2016.
The app requires a 64-bit version of Windows because it uses the App Key Value Store.
You can also install the app on a non-Windows Splunk Enterprise instance to display Windows data coming from external Windows sources:
- Linux
Neither Splunk nor the Splunk App for Windows Infrastructure runs on:
- Windows 95, 98, or Me
- Windows NT Workstation or Server 3.1, 3.5, or 4.0
- Windows 2000 Workstation or Server
What browsers does the Splunk App for Windows Infrastructure support?
The Splunk App for Windows Infrastructure supports all browsers that the current version of Splunk Enterprise supports.
What are the other prerequisites?
The Splunk Add-on for Windows v5.0.1 or v6.0.0
The Splunk Add-on for Windows 5.0.0 is not compatible with the Splunk App for Windows Infrastructure version 1.5.2. Use the Splunk Add-on for Windows 5.0.1 or 6.0.0 with this app.
Version Compatibility Table
Compatible TA-Windows version | Compatible Winfra version | Compatible Splunk platform version | Compatible Exchange Server version | Compatible Windows Server version | Compatible TA-AD version | Compatible TA-DNS version | Compatible SA-LDAP version |
---|---|---|---|---|---|---|---|
4.8.4 or 5.0.1 | 1.5.1 | 7.0.x to 7.2.x | 2007, 2010, 2013, 2016 | 2008, 2008 R2, 2012, 2012 R2, 2016 | 1.0.0 | 1.0.1 | 2.2.0 |
5.0.1 | 1.5.2 | 7.0.x to 7.3.x | 2010, 2013, 2016, 2019 | 2008, 2008 R2, 2012, 2012 R2, 2016 | 1.0.0 | 1.0.1 | 2.2.1 |
6.0.0 | 1.5.2 | 7.0.x to 7.3.x | 2010, 2013, 2016, 2019 | 2008, 2008 R2, 2012, 2012 R2, 2016 | N/A | N/A | 2.2.1 |
In order to collect data from the Windows and Exchange servers in your environment, you need the Splunk Technology Add-on for Windows version 5.0.1 or 6.0.0.
This add-on installs into the universal forwarder that you install on the Windows servers from which you want to collect Windows data. It also installs on search heads that run the Splunk App for Windows Infrastructure to provide knowledge objects to the app. Optionally, it also installs onto all indexers in the central Splunk App for Windows instance for data collection (on Windows hosts) and to add knowledge for extractions.
You can download the Splunk Add-on for Windows from Splunkbase.
The Splunk Add-ons for Microsoft Active Directory 1.0.0 or later and Windows DNS v1.0.1 or later
The suite of Splunk Add-ons for Active Directory must be installed on universal forwarders and search heads in the Windows deployment.
You can download the Splunk Add-ons for Microsoft Active Directory and Windows DNS from Splunkbase.
If you're using TA-Windows v6.0.0, you don't need TA_AD and TA_DNS. TA_AD and TA_DNS are merged with TA-Windows v6.0.0.
The Splunk Supporting Add-on for Active Directory (SA-LDAPsearch) v2.2.1
The Splunk Supporting Add-on for Active Directory (SA-LDAPsearch) version 2.2.1 must be installed on the same instances of Splunk Enterprise on which the Splunk App for Windows Infrastructure resides.
You can download the Splunk Supporting Add-on for Active Directory from Splunk Apps.
PowerShell v2.0 or later
All Windows hosts from which you want to collect data - including those that participate in Active Directory - require PowerShell 2.0 or later to be installed.
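The following PowerShell preflight script is an added example, not part of the Splunk documentation or the app: it checks a host against the requirements listed above (PowerShell 2.0 or later on data-collection hosts; 64-bit Windows and a listed Windows release on the instance that hosts the app). The -Role parameter and the version-to-release mapping are assumptions of this example.

```powershell
# Added example (not from the Splunk documentation): preflight check for the
# requirements this page lists. Use -Role DataSource on a Windows host that will
# run a universal forwarder, and -Role AppHost on the Splunk Enterprise instance
# that will run the app. Uses Get-WmiObject rather than Get-CimInstance so that
# it runs on PowerShell 2.0 (Get-CimInstance needs 3.0 or later).
param(
    [ValidateSet('AppHost', 'DataSource')]
    [string]$Role = 'DataSource'
)

$failures = @()

# All hosts that forward Windows data need PowerShell 2.0 or later.
$psVersion = $PSVersionTable.PSVersion
if ($psVersion.Major -lt 2) {
    $failures += "PowerShell 2.0 or later is required (found $psVersion)"
}

$os = Get-WmiObject -Class Win32_OperatingSystem

if ($Role -eq 'AppHost') {
    # The app needs a 64-bit instance because it uses the App Key Value Store.
    if ($os.OSArchitecture -ne '64-bit') {
        $failures += "64-bit Windows is required for App Key Value Store (found $($os.OSArchitecture))"
    }

    # Windows releases listed on this page, keyed by the kernel version in
    # Win32_OperatingSystem.Version. ProductType 1 is a workstation, 2 or 3 is
    # a server; 6.0 and 6.2 are listed only as server releases (Server 2008 and
    # Server 2012), and 10.0 covers Windows 10 and Server 2016.
    $ver = [version]$os.Version
    $key = "$($ver.Major).$($ver.Minor)"
    $isServer = $os.ProductType -ne 1
    $supported = switch ($key) {
        '6.0'   { $isServer }   # Server 2008 (Vista is not listed)
        '6.1'   { $true }       # Windows 7 / Server 2008 R2
        '6.2'   { $isServer }   # Server 2012 (Windows 8 is not listed)
        '6.3'   { $true }       # Windows 8.1 / Server 2012 R2
        '10.0'  { $true }       # Windows 10 / Server 2016
        default { $false }
    }
    if (-not $supported) {
        $failures += "Windows release not listed as supported: $($os.Caption) ($($os.Version))"
    }
}

if ($failures.Count -eq 0) {
    Write-Output "OK: $env:COMPUTERNAME meets the $Role prerequisites"
    exit 0
}
$failures | ForEach-Object { Write-Output "FAIL: $_" }
exit 1
```

Run it with the deployment server or your configuration tool before pushing the forwarder and add-on packages, so hosts that fail the check are fixed before they start sending data.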
The Splunk Add-on for PowerShell
All of the add-ons that come with the Splunk App for Windows Infrastructure require the Splunk Add-on for PowerShell to function. You install this add-on into universal forwarders on machines that forward Active Directory and DNS data.
You can download the Splunk Add-on for PowerShell from Splunk Apps.
A proficient understanding of distributed Splunk deployments
If you plan for your Splunk App for Windows Infrastructure deployment to monitor a large number of Active Directory servers, or even a small number, you must understand how distributed Splunk works. You must understand how the instance of Splunk Enterprise that hosts the app interacts with the universal forwarders that send data to the app. You must also understand what you need to do to increase search and indexing performance to make the app run faster. Read the following core Splunk topics for additional information:
- Distributed overview - A high level description of distributed Splunk Enterprise.
- About forwarding and receiving data - A primer on how data forwarding works.
- About distributed search - A primer on how distributed search works.
Time and patience
The Splunk App for Windows Infrastructure is an advanced application that has several components that must be configured correctly in order for the app to run. Depending on the size of your Windows network, it can take a while to get a Splunk App for Windows Infrastructure deployment up and running correctly.
You will spend time procuring hardware, identifying servers you want to monitor, installing the app and its included add-ons, tweaking configurations, and troubleshooting any issues you come across.
The setup instructions in this manual span several chapters and use the Splunk Enterprise deployment server for automation wherever possible. Still, expect to spend a minimum of 4 to 8 hours on the project, and longer if you have a large deployment.
If your deployment is large or complex, Splunk is here to help. You can contact Professional Services for assistance if you have an Enterprise support contract.
Do not install and configure the Splunk App for Windows Infrastructure and the Splunk App for Microsoft Exchange on the same search head
The Splunk App for Windows Infrastructure and the Splunk App for Microsoft Exchange should not be installed on the same search head, as both apps contain identical knowledge objects that may cause a conflict when installed on the same search head deployment. If you need dashboards and functionalities for both apps on the same search head, then install only the Splunk App for Microsoft Exchange as it covers all dashboards and functionalities of the Splunk App for Windows Infrastructure.
This documentation applies to the following versions of Splunk® App for Windows Infrastructure (Legacy): 1.5.2