Splunk® App for Windows Infrastructure

Deploy and Use the Splunk App for Windows Infrastructure


Download and configure the Splunk Add-on for Windows version 6.0.0 or later

This topic describes how to download and configure the Splunk Add-on for Windows v6.0.0 or later and deploy it to the deployment clients, which gather Windows, AD, and DNS data and send it to the Splunk App for Windows Infrastructure indexers.

To deploy the Splunk Add-on for Windows v6.0.0 or later, see Deploy the Splunk Add-on for Windows.

To confirm and troubleshoot the Splunk Add-on for Windows v6.0.0 or later, see Confirm and Troubleshoot Data Collection.

For sample searches and dashboards for the Splunk Add-on for Windows v6.0.0 or later, see Sample searches and dashboards.

About the Splunk Add-on for Windows v6.0.0 or later

The Splunk Add-on for Windows collects Windows data from Windows hosts. In the context of the Splunk App for Windows Infrastructure, the add-on collects Windows data and provides knowledge objects for the app. You should deploy the Splunk Add-on for Windows to:

  • All hosts that run Active Directory Domain Services (including domain controllers and DNS servers).
  • All Windows hosts from which you want Windows data.
  • All indexers.
  • All search heads.
  • Basically, everywhere.

Download the Splunk Add-on for Windows v6.0.0 or later

  1. Download the Splunk Add-on for Windows from Splunkbase and save it to an accessible place on the deployment server. You might need to sign in with your Splunk account before the download starts.
  2. When prompted, choose an accessible location on your deployment server to save the download. Do not attempt to run the download.
  3. Use an archive utility such as WinZip to unarchive the file to an accessible location.

Configure the Splunk Add-on for Windows v6.0.0 or later

Before the add-on can collect Windows data, you must configure it.

Note: Microsoft Windows event logs that are rendered in XML format (renderXml=true) do not populate the Splunk App for Windows Infrastructure dashboards.

  1. In the location where you unarchived the download file, locate the Splunk_TA_Windows directory.
  2. Inside this directory, make a subdirectory local.
  3. Copy the inputs.conf file in the default subdirectory to the local directory.
  4. Open the inputs.conf in the local subdirectory with a text editor, such as Notepad.
  5. Edit the disabled and mode attributes. Optionally, add an index attribute to send data to specific indexes, as shown below.
    • From version 5.0.1 onwards, the Splunk Add-on for Windows collects perfmon data in multikv mode by default. This mode produces a different event format from single mode, and the Splunk App for Windows Infrastructure supports single mode only, so change the value of the mode parameter to single in every perfmon stanza (the stanzas are defined in /Splunk_TA_Windows/default/inputs.conf on the forwarder; edit the copy in the local subdirectory):
    [perfmon://CPU]
    counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
    disabled = 0
    instances = *
    interval = 10
    mode = single
    object = Processor
    useEnglishOnly=true
    
    ## Logical Disk
    [perfmon://LogicalDisk]
    counters = % Free Space; Free Megabytes; Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
    disabled = 0
    instances = *
    interval = 10
    mode = single
    object = LogicalDisk
    useEnglishOnly=true
    
    ## Physical Disk
    [perfmon://PhysicalDisk]
    counters = Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
    disabled = 0
    instances = *
    interval = 10
    mode = single
    object = PhysicalDisk
    useEnglishOnly=true
    
    ## Memory
    [perfmon://Memory]
    counters = Page Faults/sec; Available Bytes; Committed Bytes; Commit Limit; Write Copies/sec; Transition Faults/sec; Cache Faults/sec; Demand Zero Faults/sec; Pages/sec; Pages Input/sec; Page Reads/sec; Pages Output/sec; Pool Paged Bytes; Pool Nonpaged Bytes; Page Writes/sec; Pool Paged Allocs; Pool Nonpaged Allocs; Free System Page Table Entries; Cache Bytes; Cache Bytes Peak; Pool Paged Resident Bytes; System Code Total Bytes; System Code Resident Bytes; System Driver Total Bytes; System Driver Resident Bytes; System Cache Resident Bytes; % Committed Bytes In Use; Available KBytes; Available MBytes; Transition Pages RePurposed/sec; Free & Zero Page List Bytes; Modified Page List Bytes; Standby Cache Reserve Bytes; Standby Cache Normal Priority Bytes; Standby Cache Core Bytes; Long-Term Average Standby Cache Lifetime (s)
    disabled = 0
    interval = 10
    mode = single
    object = Memory
    useEnglishOnly=true
    
    ## Network
    [perfmon://Network]
    counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size 
    disabled = 0
    instances = *
    interval = 10
    mode = single
    object = Network Interface
    useEnglishOnly=true
    
    ## Process
    [perfmon://Process]
    counters = % Processor Time; % User Time; % Privileged Time; Virtual Bytes Peak; Virtual Bytes; Page Faults/sec; Working Set Peak; Working Set; Page File Bytes Peak; Page File Bytes; Private Bytes; Thread Count; Priority Base; Elapsed Time; ID Process; Creating Process ID; Pool Paged Bytes; Pool Nonpaged Bytes; Handle Count; IO Read Operations/sec; IO Write Operations/sec; IO Data Operations/sec; IO Other Operations/sec; IO Read Bytes/sec; IO Write Bytes/sec; IO Data Bytes/sec; IO Other Bytes/sec; Working Set - Private
    disabled = 0
    instances = *
    interval = 10
    mode = single
    object = Process
    useEnglishOnly=true
    
    ## Processor Information
    [perfmon://ProcessorInformation]
    counters = % Processor Time; Processor Frequency
    disabled = 0
    instances = *
    interval = 10
    mode = single
    object = Processor Information
    useEnglishOnly=true
    
    ## System
    [perfmon://System]
    counters = File Read Operations/sec; File Write Operations/sec; File Control Operations/sec; File Read Bytes/sec; File Write Bytes/sec; File Control Bytes/sec; Context Switches/sec; System Calls/sec; File Data Operations/sec; System Up Time; Processor Queue Length; Processes; Threads; Alignment Fixups/sec; Exception Dispatches/sec; Floating Emulations/sec; % Registry Quota In Use
    disabled = 0
    instances = *
    interval = 10
    mode = single
    object = System
    useEnglishOnly=true
    
    [perfmon://Processor]
    object = Processor
    counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
    instances = *
    interval = 10
    disabled = 0
    mode = single
    useEnglishOnly=true
    index = perfmon
    
    [perfmon://Network_Interface]
    object = Network Interface
    counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size 
    instances = *
    interval = 10
    disabled = 0
    mode = single
    useEnglishOnly=true
    index = perfmon
    
    [perfmon://DFS_Replicated_Folders]
    object = DFS Replicated Folders
    counters = Bandwidth Savings Using DFS Replication; RDC Bytes Received; RDC Compressed Size of Files Received; RDC Size of Files Received; RDC Number of Files Received; Compressed Size of Files Received; Size of Files Received; Total Files Received; Deleted Space In Use; Deleted Bytes Cleaned up; Deleted Files Cleaned up; Deleted Bytes Generated; Deleted Files Generated; Updates Dropped; File Installs Retried; File Installs Succeeded; Conflict Folder Cleanups Completed; Conflict Space In Use; Conflict Bytes Cleaned up; Conflict Files Cleaned up; Conflict Bytes Generated; Conflict Files Generated; Staging Space In Use; Staging Bytes Cleaned up; Staging Files Cleaned up; Staging Bytes Generated; Staging Files Generated
    instances = *
    interval = 30
    disabled = 0
    mode = single
    useEnglishOnly=true
    index = perfmon
    
    [perfmon://NTDS]
    object = NTDS
    counters = DRA Inbound Properties Total/sec; AB Browses/sec; DRA Inbound Objects Applied/sec; DS Threads in Use; AB Client Sessions; DRA Pending Replication Synchronizations; DRA Inbound Object Updates Remaining in Packet; DS Security Descriptor sub-operations/sec; DS Security Descriptor Propagations Events; LDAP Client Sessions; LDAP Active Threads; LDAP Writes/sec; LDAP Searches/sec; DRA Outbound Objects/sec; DRA Outbound Properties/sec; DRA Inbound Values Total/sec; DRA Sync Requests Made; DRA Sync Requests Successful; DRA Sync Failures on Schema Mismatch; DRA Inbound Objects/sec; DRA Inbound Properties Applied/sec; DRA Inbound Properties Filtered/sec; DS Monitor List Size; DS Notify Queue Size; LDAP UDP operations/sec; DS Search sub-operations/sec; DS Name Cache hit rate; DRA Highest USN Issued (Low part); DRA Highest USN Issued (High part); DRA Highest USN Committed (Low part); DRA Highest USN Committed (High part); DS % Writes from SAM; DS % Writes from DRA; DS % Writes from LDAP; DS % Writes from LSA; DS % Writes from KCC; DS % Writes from NSPI; DS % Writes Other; DS Directory Writes/sec; DS % Searches from SAM; DS % Searches from DRA; DS % Searches from LDAP; DS % Searches from LSA; DS % Searches from KCC; DS % Searches from NSPI; DS % Searches Other; DS Directory Searches/sec; DS % Reads from SAM; DS % Reads from DRA; DRA Inbound Values (DNs only)/sec; DRA Inbound Objects Filtered/sec; DS % Reads from LSA; DS % Reads from KCC; DS % Reads from NSPI; DS % Reads Other; DS Directory Reads/sec; LDAP Successful Binds/sec; LDAP Bind Time; SAM Successful Computer Creations/sec: Includes all requests; SAM Machine Creation Attempts/sec; SAM Successful User Creations/sec; SAM User Creation Attempts/sec; SAM Password Changes/sec; SAM Membership Changes/sec; SAM Display Information Queries/sec; SAM Enumerations/sec; SAM Transitive Membership Evaluations/sec; SAM Non-Transitive Membership Evaluations/sec; SAM Domain Local Group Membership Evaluations/sec; SAM Universal Group Membership Evaluations/sec; SAM Global Group Membership Evaluations/sec; SAM GC Evaluations/sec; DRA Inbound Full Sync Objects Remaining; DRA Inbound Bytes Total/sec; DRA Inbound Bytes Not Compressed (Within Site)/sec; DRA Inbound Bytes Compressed (Between Sites, Before Compression)/sec; DRA Inbound Bytes Compressed (Between Sites, After Compression)/sec; DRA Outbound Bytes Total/sec; DRA Outbound Bytes Not Compressed (Within Site)/sec; DRA Outbound Bytes Compressed (Between Sites, Before Compression)/sec; DRA Outbound Bytes Compressed (Between Sites, After Compression)/sec; DS Client Binds/sec; DS Server Binds/sec; DS Client Name Translations/sec; DS Server Name Translations/sec; DS Security Descriptor Propagator Runtime Queue; DS Security Descriptor Propagator Average Exclusion Time; DRA Outbound Objects Filtered/sec; DRA Outbound Values Total/sec; DRA Outbound Values (DNs only)/sec; AB ANR/sec; AB Property Reads/sec; AB Searches/sec; AB Matches/sec; AB Proxy Lookups/sec; ATQ Threads Total; ATQ Threads LDAP; ATQ Threads Other; DRA Inbound Bytes Total Since Boot; DRA Inbound Bytes Not Compressed (Within Site) Since Boot; DRA Inbound Bytes Compressed (Between Sites, Before Compression) Since Boot; DRA Inbound Bytes Compressed (Between Sites, After Compression) Since Boot; DRA Outbound Bytes Total Since Boot; DRA Outbound Bytes Not Compressed (Within Site) Since Boot; DRA Outbound Bytes Compressed (Between Sites, Before Compression) Since Boot; DRA Outbound Bytes Compressed (Between Sites, After Compression) Since Boot; LDAP New Connections/sec; LDAP Closed Connections/sec; LDAP New SSL Connections/sec; DRA Pending Replication Operations; DRA Threads Getting NC Changes; DRA Threads Getting NC Changes Holding Semaphore; DRA Inbound Link Value Updates Remaining in Packet; DRA Inbound Total Updates Remaining in Packet; DS % Writes from NTDSAPI; DS % Searches from NTDSAPI; DS % Reads from NTDSAPI; SAM Account Group Evaluation Latency; SAM Resource Group Evaluation Latency; ATQ Outstanding Queued Requests; ATQ Request Latency; ATQ Estimated Queue Delay; Tombstones Garbage Collected/sec; Phantoms Cleaned/sec; Link Values Cleaned/sec; Tombstones Visited/sec; Phantoms Visited/sec; NTLM Binds/sec; Negotiated Binds/sec; Digest Binds/sec; Simple Binds/sec; External Binds/sec; Fast Binds/sec; Base searches/sec; Subtree searches/sec; Onelevel searches/sec; Database adds/sec; Database modifys/sec; Database deletes/sec; Database recycles/sec; Approximate highest DNT; Transitive operations/sec; Transitive suboperations/sec; Transitive operations milliseconds run
    interval = 10
    disabled = 0
    mode = single
    useEnglishOnly=true
    index = perfmon
    
    [perfmon://DNS]
    object = DNS
    counters = Total Query Received; Total Query Received/sec; UDP Query Received; UDP Query Received/sec; TCP Query Received; TCP Query Received/sec; Total Response Sent; Total Response Sent/sec; UDP Response Sent; UDP Response Sent/sec; TCP Response Sent; TCP Response Sent/sec; Recursive Queries; Recursive Queries/sec; Recursive Send TimeOuts; Recursive TimeOut/sec; Recursive Query Failure; Recursive Query Failure/sec; Notify Sent; Zone Transfer Request Received; Zone Transfer Success; Zone Transfer Failure; AXFR Request Received; AXFR Success Sent; IXFR Request Received; IXFR Success Sent; Notify Received; Zone Transfer SOA Request Sent; AXFR Request Sent; AXFR Response Received; AXFR Success Received; IXFR Request Sent; IXFR Response Received; IXFR Success Received; IXFR UDP Success Received; IXFR TCP Success Received; WINS Lookup Received; WINS Lookup Received/sec; WINS Response Sent; WINS Response Sent/sec; WINS Reverse Lookup Received; WINS Reverse Lookup Received/sec; WINS Reverse Response Sent; WINS Reverse Response Sent/sec; Dynamic Update Received; Dynamic Update Received/sec; Dynamic Update NoOperation; Dynamic Update NoOperation/sec; Dynamic Update Written to Database; Dynamic Update Written to Database/sec; Dynamic Update Rejected; Dynamic Update TimeOuts; Dynamic Update Queued; Secure Update Received; Secure Update Received/sec; Secure Update Failure; Database Node Memory; Record Flow Memory; Caching Memory; UDP Message Memory; TCP Message Memory; Nbstat Memory; Unmatched Responses Received 
    interval = 10
    disabled = 0
    mode = single
    useEnglishOnly=true
    index = perfmon
    

    Note: If you do not complete the above step, Windows perfmon data will not appear in the dashboards.

    • From version 5.0.1 onwards, the Splunk Add-on for Windows no longer defines indexes, so you have two options: use the default Windows indexes listed in Table A below, or create your own custom index. For the former, add an index parameter with the value listed in Table A to each input stanza of inputs.conf on the forwarder (the stanzas are defined in /Splunk_TA_Windows/default/inputs.conf). Because the AD and DNS inputs are merged into the add-on, those inputs are listed in the table as well and need the same change.

    Table A

    Index: wineventlog    Macro: wineventlog-index
    Input stanzas: [WinEventLog://Application], [WinEventLog://Security], [WinEventLog://System], [WinEventLog://ForwardedEvents], [WinEventLog://DFS Replication], [WinEventLog://Directory Service], [WinEventLog://File Replication Service], [WinEventLog://Key Management Service], [WinEventLog://DNS Server]

    Index: windows    Macro: windows-index
    Input stanzas: [monitor://$WINDIR\System32\DHCP], [monitor://$WINDIR\WindowsUpdate.log], [script://.\bin\win_listening_ports.bat], [script://.\bin\win_installed_apps.bat], [script://.\bin\win_timesync_status.bat], [script://.\bin\win_timesync_configuration.bat], [WinHostMon://Computer], [WinHostMon://Process], [WinHostMon://Processor], [WinHostMon://NetworkAdapter], [WinHostMon://Service], [WinHostMon://OperatingSystem], [WinHostMon://Disk], [WinHostMon://Driver], [WinHostMon://Roles], [WinPrintMon://printer], [WinPrintMon://driver], [WinPrintMon://port], [WinNetMon://inbound], [WinNetMon://outbound]

    Index: perfmon    Macro: perfmon-index
    Input stanzas: [perfmon://CPU], [perfmon://LogicalDisk], [perfmon://PhysicalDisk], [perfmon://Memory], [perfmon://Network], [perfmon://Process], [perfmon://ProcessorInformation], [perfmon://System], [perfmon://Processor], [perfmon://Network_Interface], [perfmon://DFS_Replicated_Folders], [perfmon://NTDS], [perfmon://DNS]

    Index: windows    Macro: windows-index
    Input stanzas: [admon://default], [WinRegMon://default], [WinRegMon://hkcu_run], [WinRegMon://hklm_run]

    Index: msad    Macro: msad-index
    Input stanzas: [script://.\bin\runpowershell.cmd nt6-repl-stat.ps1], [powershell://Replication-Stats], [script://.\bin\runpowershell.cmd nt6-health.ps1], [powershell://AD-Health], [script://.\bin\runpowershell.cmd nt6-siteinfo.ps1], [powershell://Siteinfo], [monitor://$WINDIR\debug\netlogon.log], [MonitorNoHandle://$WINDIR\System32\Dns\dns.log], [script://.\bin\runpowershell.cmd dns-zoneinfo.ps1], [script://.\bin\runpowershell.cmd dns-health.ps1]
    • Here are a few examples of input stanzas. Configure the others in the same way.
    [perfmon://CPU]
    counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
    disabled = 0
    instances = *
    interval = 10
    mode = single
    object = Processor
    useEnglishOnly=true
    index = perfmon
    
    [WinEventLog://Application]
    disabled = 0
    start_from = oldest
    current_only = 0
    checkpointInterval = 5
    renderXml=false
    index = wineventlog
    
    [WinPrintMon://port]
    type = port
    interval = 600
    baseline = 1
    disabled = 0
    index = windows
    
    [script://.\bin\runpowershell.cmd nt6-siteinfo.ps1]
    source=Powershell
    sourcetype=MSAD:NT6:SiteInfo
    interval=3600
    disabled=0
    index=msad
    

    All the WinEventLog inputs (Windows, AD, and DNS) have renderXml=true (XML format) by default. Set renderXml=false for every WinEventLog input, because XML-rendered events are not supported:

    [WinEventLog://Application]
    disabled = 1
    start_from = oldest
    current_only = 0
    checkpointInterval = 5
    renderXml=false
    
    [WinEventLog://Security]
    disabled = 1
    start_from = oldest
    current_only = 0
    evt_resolve_ad_obj = 1
    checkpointInterval = 5
    blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
    blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
    renderXml=false
    
    [WinEventLog://System]
    disabled = 1
    start_from = oldest
    current_only = 0
    checkpointInterval = 5
    renderXml=false
    
    [WinEventLog://ForwardedEvents]
    disabled = 1
    start_from = oldest
    current_only = 0
    checkpointInterval = 5
    renderXml=false
    host=WinEventLogForwardHost
    
    [WinEventLog://DFS Replication]
    disabled = 1
    renderXml=false
    
    [WinEventLog://Directory Service]
    disabled = 1
    renderXml=false
    
    [WinEventLog://File Replication Service]
    disabled = 1
    renderXml=false
    
    [WinEventLog://Key Management Service]
    disabled = 1
    renderXml=false
    
    [WinEventLog://DNS Server]
    disabled=1
    renderXml=false
    
  6. Save the inputs.conf file in the local subdirectory.

How to change the configuration files to handle custom indexes

Update the following conf files to use custom index(es)

Update inputs.conf

  1. Copy the inputs.conf file from the default subdirectory /Splunk_TA_Windows/default/ to the local subdirectory /Splunk_TA_Windows/local/ on the forwarder.
  2. Open the inputs.conf in the local subdirectory with a text editor, such as Notepad.
  3. If you use <<CUSTOM INDEX>> instead of the TA_windows default indexes, add index = <<CUSTOM INDEX>> under each stanza listed in Table A for the corresponding TA_windows default index. Refer to Table A above for the TA_windows default indexes.

Here are a few examples of input stanzas. Configure the others in the same way.

[perfmon://CPU]
counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
disabled = 1
instances = *
interval = 10
mode = single
object = Processor
useEnglishOnly=true
index = <<CUSTOM INDEX>>

[WinEventLog://Application]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=false
index = <<CUSTOM INDEX>>

[WinPrintMon://port]
type = port
interval = 600
baseline = 1
disabled = 1
index = <<CUSTOM INDEX>>

[script://.\bin\runpowershell.cmd nt6-siteinfo.ps1]
source=Powershell
sourcetype=MSAD:NT6:SiteInfo
interval=3600
disabled=0
index = <<CUSTOM INDEX>>

Update macros.conf

  1. Copy the macros.conf file from the default subdirectory /splunk_app_windows_infrastructure/default/ to the local subdirectory /splunk_app_windows_infrastructure/local/ on the search head.
  2. Open the macros.conf in the local subdirectory with a text editor, such as Notepad.
  3. If you use <<CUSTOM INDEX>> instead of the TA_windows default indexes, update the macro definitions as shown below (one custom index per default index).

Default index perfmon, custom index <<CUSTOM INDEX 1>>:
[perfmon-index]
definition = index=perfmon OR index=<<CUSTOM INDEX 1>>

Default index wineventlog, custom index <<CUSTOM INDEX 2>>:
[wineventlog-index]
definition = index=wineventlog OR index=<<CUSTOM INDEX 2>>

Default index windows, custom index <<CUSTOM INDEX 3>>:
[windows-index]
definition = index=windows OR index=<<CUSTOM INDEX 3>>

Default index msad, custom index <<CUSTOM INDEX 4>>:
[msad-index]
definition = index=msad OR index=<<CUSTOM INDEX 4>>

Update authorize.conf

  1. Copy the authorize.conf file from the default subdirectory /splunk_app_windows_infrastructure/default/ to the local subdirectory /splunk_app_windows_infrastructure/local/ on the search head.
  2. Open the authorize.conf in the local subdirectory with a text editor, such as Notepad.
  3. Add the default and custom index(es) to the srchIndexesDefault parameter under the role_winfra-admin stanza in authorize.conf, as shown below.
[role_winfra-admin]
srchIndexesDefault = msad;msexchange;windows;perfmon;wineventlog;<<CUSTOM INDEX 1>>;<<CUSTOM INDEX 2>>;<<CUSTOM INDEX 3>>;<<CUSTOM INDEX 4>>

Note: If neither a custom index nor the TA_windows default indexes are defined, all data is stored in the main index.

Update the following conf files to use the main index

Update macros.conf

  1. Copy the macros.conf file from the default subdirectory /splunk_app_windows_infrastructure/default/ to the local subdirectory /splunk_app_windows_infrastructure/local/ on the search head.
  2. Open the macros.conf in the local subdirectory with a text editor, such as Notepad.
  3. If you use index=main instead of the TA_windows default indexes, update the macro definitions as shown below.

Default index perfmon, main index main:
[perfmon-index]
definition = index=perfmon OR index=main

Default index wineventlog, main index main:
[wineventlog-index]
definition = index=wineventlog OR index=main

Default index windows, main index main:
[windows-index]
definition = index=windows OR index=main

Default index msad, main index main:
[msad-index]
definition = index=msad OR index=main

Update authorize.conf

  1. Copy the authorize.conf file from the default subdirectory /splunk_app_windows_infrastructure/default/ to the local subdirectory /splunk_app_windows_infrastructure/local/ on the search head.
  2. Open the authorize.conf in the local subdirectory with a text editor, such as Notepad.
  3. Add the main (default) index(es) to the srchIndexesDefault parameter under the role_winfra-admin stanza in authorize.conf, as shown below.
[role_winfra-admin]
srchIndexesDefault = msad;msexchange;windows;perfmon;wineventlog;default

Note: If you skip this step, your Splunk platform will not have the index configurations, which can result in data loss.
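As an added check (example code written for this page, not part of the add-on or the app), the following Python validates a local inputs.conf, macros.conf and authorize.conf against the rules in the steps above: mode = single on every perfmon stanza, renderXml=false on every WinEventLog stanza, the Table A index (or your <<CUSTOM INDEX>>) on each stanza, and every index named in the *-index macros present in srchIndexesDefault of role_winfra-admin. The sample conf contents are constructed, and the index names winfra_perf and winfra_evt are placeholders.

```python
import re
from typing import Dict, List, Optional

Conf = Dict[str, Dict[str, str]]

def parse_conf(text: str) -> Conf:
    """Parse a Splunk .conf file ([stanza] headers, key = value lines, # comments)."""
    conf: Conf = {}
    stanza: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            conf.setdefault(stanza, {})
        elif "=" in line and stanza is not None:
            key, _, value = line.partition("=")
            conf[stanza][key.strip()] = value.strip()  # a repeated key overwrites the earlier one
    return conf

# Index per input scheme, from Table A on this page. script:// and monitor:// rows map to
# two different indexes (windows and msad), so those schemes are not checked here.
TABLE_A_INDEX = {
    "perfmon": "perfmon", "WinEventLog": "wineventlog", "WinHostMon": "windows",
    "WinPrintMon": "windows", "WinNetMon": "windows", "WinRegMon": "windows",
    "admon": "windows", "powershell": "msad",
}

def check_inputs(conf: Conf, custom_index: Optional[str] = None) -> List[str]:
    """One finding per setting that keeps a stanza's data out of the app dashboards;
    custom_index is the site's <<CUSTOM INDEX>> and, when given, replaces the Table A value."""
    findings: List[str] = []
    for stanza, attrs in conf.items():
        scheme = stanza.split("://", 1)[0]
        if scheme == "perfmon" and attrs.get("mode") != "single":
            findings.append(f"{stanza}: mode must be single, found {attrs.get('mode', '<unset>')}")
        # The add-on's default inputs.conf sets renderXml=true, so an unset key counts as true.
        if scheme == "WinEventLog" and attrs.get("renderXml", "true").lower() != "false":
            findings.append(f"{stanza}: renderXml must be false (XML events are not supported)")
        expected = custom_index or TABLE_A_INDEX.get(scheme)
        if expected and attrs.get("index") != expected:
            findings.append(f"{stanza}: index should be {expected}, found {attrs.get('index', '<unset>')}")
    return findings

def check_macros_and_role(macros: Conf, authorize: Conf, role: str = "role_winfra-admin") -> List[str]:
    """Flag any index named in an *-index macro that is missing from the role's srchIndexesDefault."""
    raw = authorize.get(role, {}).get("srchIndexesDefault", "")
    allowed = {i.strip() for i in raw.split(";") if i.strip()}
    findings: List[str] = []
    for macro, attrs in macros.items():
        if macro.endswith("-index"):
            for idx in re.findall(r"index=(\S+)", attrs.get("definition", "")):
                if idx not in allowed:
                    findings.append(f"[{macro}] uses index {idx}, not in {role} srchIndexesDefault")
    return findings

# Constructed sample files (not from the page): the perfmon stanza is still in multikv
# mode, the Security log is still rendered as XML, and the print monitor is correct.
SAMPLE_INPUTS = """\
[perfmon://CPU]
object = Processor
mode = multikv
index = perfmon
[WinEventLog://Security]
renderXml=true
index = wineventlog
[WinPrintMon://port]
type = port
index = windows
"""
SAMPLE_MACROS = """\
[perfmon-index]
definition = index=perfmon OR index=winfra_perf
[wineventlog-index]
definition = index=wineventlog OR index=winfra_evt
"""
SAMPLE_AUTHORIZE = """\
[role_winfra-admin]
srchIndexesDefault = msad;msexchange;windows;perfmon;wineventlog;winfra_perf
"""

if __name__ == "__main__":
    print(*check_inputs(parse_conf(SAMPLE_INPUTS)), sep="\n")
    print(*check_macros_and_role(parse_conf(SAMPLE_MACROS), parse_conf(SAMPLE_AUTHORIZE)), sep="\n")
```

Run it against the real files by replacing the sample strings with the contents of the local copies; an empty result means the three files agree with the steps above.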

What's next?

You have downloaded and configured the Splunk Add-on for Windows.

Next, deploy it to the deployment clients. Once they receive the add-on, they use the configuration in the "send to indexer" app to send Windows data to the indexers.


This documentation applies to the following versions of Splunk® App for Windows Infrastructure: 1.5.2, 2.0.0
