How to get Windows data into your Splunk deployment
You can collect the following Windows data with Splunk software:
|Windows data you can collect||Link to supporting documentation|
|Event Logs||Monitor Windows event log data with|
|File system changes||Monitor file system changes on Windows|
|Active Directory||Monitor Active Directory|
|Data through the Windows Management Instrumentation (WMI) infrastructure||Monitor data through Windows Management Instrumentation (WMI)|
|Registry data||Monitor Windows Registry data|
|Performance metrics||Monitor Windows performance|
|Host information||Monitor Windows host information|
|Print information||Monitor Windows printer information|
|Network information||Monitor Windows network information|
Because only Windows machines provide these types of data, only the Windows version of the Splunk platform can get the data. Other operating systems cannot collect Windows data directly. You can send Windows data from Windows machines to Splunk platform instances that don't run Windows. If you use Splunk Cloud Platform and want to monitor these inputs, the Splunk universal forwarder is the only option.
How the Splunk platform interacts with Windows modular and scripted inputs on start-up and shutdown
When you configure a scripted or modular Windows data input in the Splunk platform, the splunkd service sends a signal to the input to begin collecting the data. Similarly, when you shut down the Splunk platform cleanly, the service sends a different signal to the inputs to tell them to stop collecting data, clean up, and exit.
The following table shows the signals, or control messages, that the splunkd service sends to modular and scripted Windows inputs during start-up and shutdown.
Use Splunk Web to collect Windows data
Almost all Windows inputs let you use the Splunk Web interface to get data in Splunk Enterprise. The exception is the
MonitorNoHandle input, which you must set up with a configuration file.
Follow these steps to collect Windows data in Splunk Web:
- Log into your Splunk deployment.
- Click Settings > Data inputs.
The Data inputs page appears.
- From the list of available inputs, find the Windows input that you want to add from the list of available inputs.
- Click Add new in the Actions column for the input.
- Follow the instructions for the input type you selected.
- Click Save. In most cases, data collection begins immediately.
Use configuration files to collect Windows data
In cases where you can't use Splunk Web to configure Windows inputs, such as on a universal forwarder, you must use configuration files. The universal forwarder installer on Windows lets you configure some Windows inputs at installation time.
Configuration files offer more control over Splunk Web in many cases. Some inputs can only be configured this way.
Follow these steps to use configuration files to collect Windows data:
- Open a command prompt or PowerShell window.
- Change the directory to the %SPLUNK_HOME%\etc\system\local directory on your Splunk platform instance.
- Edit the inputs.conf configuration file in this directory. You might need to create the file if it doesn't already exist.
- Add inputs to the inputs.conf file by defining input stanzas, settings, and values.
- Save the file and close it.
- Restart the Splunk platform instance.
The software reloads the configuration files and begins collecting data based on the new configuration.
Monitor Windows data with the Splunk platform
Considerations for deciding how to monitor remote Windows data
This documentation applies to the following versions of Splunk® Enterprise: 6.5.7, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.1, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 8.0.0, 8.0.10, 8.0.2
Feedback submitted, thanks!