Splunk® Enterprise

Getting Data In


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk.

How to get Windows data into Splunk Enterprise

Splunk Enterprise lets you collect many different kinds of Windows data.

When you download and install Splunk Enterprise on a Windows machine, you can collect the following Windows statistics:

You can collect all of these types of data only on Windows machines. Other operating systems cannot collect Windows data locally. You can forward Windows data from Windows systems to Splunk Enterprise instances that run on systems other than Windows.

Use Splunk Web to collect Windows data

Nearly all Windows inputs let you collect Windows data by using the Splunk Web interface. The exception is the MonitorNoHandle input, which you must set up by using a configuration file.

1. Log into your Splunk Enterprise instance.

2. Click Settings in the upper right corner, then click Data inputs. The Data inputs page appears.

3. In the list of available inputs, find the input that you want to add, then click Add new in the Actions column for that input.

4. Follow the instructions in the subsequent pages for the input type you select.

See the pages above for specific instructions.

5. Click Save.

Splunk Enterprise begins collecting the data immediately in most cases.

Use configuration files to collect Windows data

In cases where you cannot use Splunk Web to create and enable data inputs, such as when you use a Splunk universal forwarder to collect the data, you must use configuration files. Using configuration files offers more control and configurability than Splunk Web does in many cases. Some inputs can only be configured using configuration files.

Note: The universal forwarder installer on Windows offers the ability to configure some of the Windows inputs at installation time.

1. From a command prompt or PowerShell window, go to the %SPLUNK_HOME%\etc\system\default directory.

2. Make a copy of inputs.conf in this directory and move it to the %SPLUNK_HOME%\etc\system\local directory.

Note: You need to perform this step only once, or if you want to overwrite inputs.conf in the local directory.

3. Use Notepad or another editor to open the inputs.conf file in the local directory for editing.

4. Add your inputs to the inputs.conf file by defining stanzas, or change existing stanzas to meet your needs.

5. Save the file and close it.

6. Restart Splunk Enterprise. The software reloads the configuration files and begins collecting data based on the new configuration.
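
The steps above as a PowerShell session. This is an added example, not part of the original Splunk documentation. It assumes the SPLUNK_HOME environment variable is set in the session, and the two stanzas (the Security event log and a hypothetical file path for MonitorNoHandle) are sample values chosen for illustration.

```powershell
# Added example: run from an elevated PowerShell window on the Windows host.
# Assumption: $env:SPLUNK_HOME points at the Splunk Enterprise or universal
# forwarder installation directory. Set it first if it is not defined.
$default = Join-Path $env:SPLUNK_HOME 'etc\system\default\inputs.conf'
$local   = Join-Path $env:SPLUNK_HOME 'etc\system\local\inputs.conf'
$splunk  = Join-Path $env:SPLUNK_HOME 'bin\splunk.exe'

# Steps 1-2: copy inputs.conf into the local directory only when no local copy
# exists, so an earlier local configuration is not overwritten.
if (-not (Test-Path $local)) {
    Copy-Item -Path $default -Destination $local
}

# Steps 3-5: append stanzas instead of editing by hand.
# Sample stanzas (constructed). The MonitorNoHandle path is hypothetical;
# replace it with the single file you want to monitor.
$stanzas = [ordered]@{
    '[WinEventLog://Security]'                       = 'disabled = 0'
    '[MonitorNoHandle://C:\ExampleApp\logs\app.log]' = 'disabled = 0'
}

foreach ($header in $stanzas.Keys) {
    # A stanza header that is already in the file is left alone; review and
    # edit it by hand rather than adding a duplicate.
    $present = Select-String -Path $local -Pattern $header -SimpleMatch -Quiet
    if (-not $present) {
        # Write plain ASCII so the file stays readable as a .conf file.
        Add-Content -Path $local -Encoding ASCII -Value @('', $header, $stanzas[$header])
    }
}

# Confirm which file each setting of the new stanza is read from
# before restarting.
& $splunk cmd btool inputs list 'WinEventLog://Security' --debug

# Step 6: restart so the new inputs take effect.
& $splunk restart
```

The btool output lists each setting next to the file it comes from, which shows whether the copy in the local directory is the one in effect.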

Last modified on 12 October, 2015

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15
