Splunk® Enterprise

Getting Data In

Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

How to get Windows data into your Splunk deployment

You can collect the following Windows data with Splunk software:

Windows data you can collect Link to supporting documentation
Event Logs Monitor Windows event log data with
File system changes Monitor file system changes on Windows
Active Directory Monitor Active Directory
Data through the Windows Management Instrumentation (WMI) infrastructure Monitor data through Windows Management Instrumentation (WMI)
Registry data Monitor Windows Registry data
Performance metrics Monitor Windows performance
Host information Monitor Windows host information
Print information Monitor Windows printer information
Network information Monitor Windows network information

Because only Windows machines provide these types of data, only the Windows version of the Splunk platform can get the data. Other operating systems cannot collect Windows data directly. You can send Windows data from Windows machines to Splunk platform instances that don't run Windows. If you use Splunk Cloud Platform and want to monitor these inputs, the Splunk universal forwarder is the only option.

How the Splunk platform interacts with Windows modular and scripted inputs on start-up and shutdown

When you configure a scripted or modular Windows data input in the Splunk platform, the splunkd service sends a signal to the input to begin collecting the data. Similarly, when you shut down the Splunk platform cleanly, the service sends a different signal to the inputs to tell them to stop collecting data, clean up, and exit.

The following table shows the signals, or control messages, that the splunkd service sends to modular and scripted Windows inputs during start-up and shutdown.

Process Signal
Start-up CreateProcess
Shut-down CTRL_BREAK_EVENT

Use Splunk Web to collect Windows data

Almost all Windows inputs let you use the Splunk Web interface to get data in Splunk Enterprise. The exception is the MonitorNoHandle input, which you must set up with a configuration file.

Follow these steps to collect Windows data in Splunk Web:

  1. Log into your Splunk deployment.
  2. Click Settings > Data inputs.
    The Data inputs page appears.
  3. From the list of available inputs, find the Windows input that you want to add from the list of available inputs.
  4. Click Add new in the Actions column for the input.
  5. Follow the instructions for the input type you selected.
  6. Click Save. In most cases, data collection begins immediately.

Use configuration files to collect Windows data

In cases where you can't use Splunk Web to configure Windows inputs, such as on a universal forwarder, you must use configuration files. The universal forwarder installer on Windows lets you configure some Windows inputs at installation time.

Configuration files offer more control over Splunk Web in many cases. Some inputs can only be configured this way.

Follow these steps to use configuration files to collect Windows data:

  1. Open a command prompt or PowerShell window.
  2. Change the directory to the %SPLUNK_HOME%\etc\system\local directory on your Splunk platform instance.
  3. Edit the inputs.conf configuration file in this directory. You might need to create the file if it doesn't already exist.
  4. Add inputs to the inputs.conf file by defining input stanzas, settings, and values.
  5. Save the file and close it.
  6. Restart the Splunk platform instance.
    The software reloads the configuration files and begins collecting data based on the new configuration.
Last modified on 16 May, 2022
Monitor Windows data with the Splunk platform   Considerations for deciding how to monitor remote Windows data

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.11, 8.1.13, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0, 8.1.10, 8.1.12, 8.1.14, 8.1.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters