How to get Windows data into your Splunk deployment
You can collect the following Windows data with Splunk software:
- Windows Event Logs
- File system changes
- Active Directory
- data over the Windows Management Instrumentation (WMI) infrastructure
- Registry data
- Performance metrics
- Host information
- Print information
- Network information
Since only Windows machines provide this data, only the Windows version of Splunk Enterprise can get the data. Other operating systems cannot collect Windows data directly. You can send Windows data from Windows machines to Splunk Enterprise instances that do not run Windows. If you have Splunk Cloud and want to monitor these inputs, the Splunk Universal Forwarder is your only option.
How Splunk Enterprise interacts with Windows modular and scripted inputs on start-up and shutdown
When you configure a scripted or modular Windows data input in Splunk Enterprise, the
splunkd service sends a signal to the input to begin collecting the data. Similarly, when you shut Splunk Enterprise down cleanly, the service sends a different signal to the inputs to tell them to stop collecting data, clean up, and exit.
The following table lists the control messages that the
splunkd service sends to modular and scripted Windows inputs during start-up and shutdown.
Use Splunk Web to collect Windows data
Nearly all Windows inputs let you use the Splunk Web interface to get the data. The exception is the
MonitorNoHandle input, which you must set up with a configuration file.
- Log into your Splunk deployment.
- Click Settings in the upper right corner, then click Data inputs. The Data inputs page appears.
- Find the Windows input that you want to add in the list of available inputs by clicking Add new in the Actions column for the input.
- Follow the instructions in the subsequent pages for the input type you selected.
- Click Save. In most cases, data collection begins immediately.
Use configuration files to collect Windows data
In cases where you cannot use Splunk Web to configure Windows inputs, such as when you use a universal forwarder to collect the data, you must use configuration files (the universal forwarder installer on Windows lets you configure some Windows inputs at installation time.)
Configuration files offer more control over Splunk Web in many cases. Some inputs can only be configured this way.
- Open a command prompt or PowerShell window,
- Change to the
inputs.confin this directory. You might need to create this file.
- Add inputs to the
inputs.conffile by defining input stanzas.
- Save the file and close it.
- Restart the Splunk instance. The software reloads the configuration files and begins collecting data based on the new configuration.
Monitoring Windows data with Splunk Enterprise
Considerations for deciding how to monitor remote Windows data
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 8.0.0, 8.0.1