Splunk® Enterprise

Getting Data In



Splunk Enterprise version 7.3 will no longer be supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Monitor Windows data with the Splunk platform

You can bring any kind of Windows data into the Splunk platform. For example, you can index an Event Log channel, the Registry, or Active Directory. The standard set of Splunk inputs, such as files and directories, network inputs, and scripted inputs, is also available on Windows.

With Splunk Cloud, as with many other input types, you must use either a universal or heavy forwarder that runs on Windows to collect data and send it to your Splunk Cloud instance. Splunk Enterprise comes with installers for several versions of Windows and Windows Server. If you run Splunk Enterprise, you can install it or the universal forwarder on your Windows machines directly.

The following specialized inputs are available only on Windows installations:

Input: Windows Event Logs
Description: Monitor events that the Windows Event Log service generates on any available event log channel on the machine. You can collect events on the local Windows machine or remotely by using either a universal forwarder or Windows Management Instrumentation (WMI).
Documentation: Monitor Windows event log data with Splunk Cloud

Input: Performance monitoring
Description: Collect performance data on Windows machines with Splunk Cloud and then alert or report on that data. Any performance counter that is available in Performance Monitor is also available to Splunk Cloud. You can monitor performance locally or remotely through a universal forwarder, or by using WMI.
Documentation: Monitor Windows performance

Input: Remote monitoring over WMI
Description: Splunk Cloud can use WMI through a universal forwarder to access event log and performance data on remote machines.
Documentation: Monitor data through Windows Management Instrumentation (WMI)

Input: Registry monitoring
Description: You can monitor changes to the local Windows Registry using the Registry monitoring capability. You can use a universal forwarder to gather Registry data from Windows machines and send the data to Splunk Cloud.
Documentation: Monitor Windows Registry data

Input: Active Directory monitoring
Description: Splunk Cloud can audit any changes to the Active Directory, including changes to user, group, machine, and group policy objects. You can forward Active Directory data to another Splunk Enterprise server.
Documentation: Monitor Active Directory

Forwarding Windows data to Splunk Cloud

A Splunk Cloud deployment that monitors Windows data consists of the following components:

  • The Splunk Cloud instance, where you see the Windows data.
  • Universal forwarders on every Windows machine from which you want to collect Windows data.

Depending on the size of your Windows network, you might want to set up a tier of intermediate forwarders to aggregate and send the data to your Splunk Cloud instance. If you want to transform this data in any way before you index it, you must use at least one Splunk Enterprise heavy forwarder to perform the transformations.

The universal forwarders on the Windows instances collect the Windows data. They then send the data to Splunk Cloud using the Splunk Cloud universal forwarder credentials package, which handles connecting and authenticating into the instance. If you set up an intermediate forwarder, this forwarder also uses the same credentials package to connect to and authenticate in Splunk Cloud.

The Splunk Cloud instance indexes the data and makes it available for you to search. You can install the Splunk App for Windows Infrastructure to view the Windows data in prebuilt dashboards and reports.

The universal forwarder must run as a user with access to the particular Windows data you want to collect. See Choose the Windows user the universal forwarder should run as for information on determining this Windows user.
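As an added example that is not part of the Splunk documentation, the inputs.conf a universal forwarder on a Windows host might carry to enable the Windows-specific inputs listed above (Event Log, performance, Registry, and Active Directory). The index names, the event code selection, and the Registry path pattern are assumptions; the settings are standard inputs.conf attributes.

```ini
# Added example (not from the Splunk documentation): inputs.conf for a
# universal forwarder on a Windows host. Index names are assumptions.

# Security channel: the forwarder's service account needs read access to
# this log (for example, membership in Event Log Readers), see the note
# on choosing the Windows user above. Event codes are a constructed list
# of logon, privilege, process-creation and account/group-change events.
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
whitelist = 4624,4625,4672,4688,4720,4728,4732,4756
index = wineventlog

[WinEventLog://System]
disabled = 0
index = wineventlog

# Performance Monitor counters: Processor object, _Total instance only,
# sampled every 10 seconds (counters are separated with semicolons).
[perfmon://CPU]
object = Processor
counters = % Processor Time; % User Time
instances = _Total
interval = 10
disabled = 0
index = perfmon

# Registry monitoring: only the autorun keys, any process, on set/create/
# delete/rename. The hive pattern is a regular expression (assumed scope).
[WinRegMon://run-keys]
hive = .*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.*
proc = .*
type = set|create|delete|rename
baseline = 0
disabled = 0
index = winregistry

# Active Directory monitoring from the domain controller the host
# discovers, covering the whole subtree.
[admon://default]
monitorSubtree = 1
disabled = 0
index = admon
```

Place the file under the forwarder's local configuration directory and restart the forwarder for the stanzas to take effect.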

Forwarding Windows data to Splunk Enterprise

Similar to forwarding Windows data to Splunk Cloud, a Splunk Enterprise deployment that monitors Windows data consists of the Splunk Enterprise installation and, optionally, forwarders on every Windows machine from which you want to collect Windows data. Unlike a Splunk Cloud deployment, the Splunk Enterprise instance can run on the same Windows machine that it monitors.

To forward Windows data from another Windows machine, you can use a universal forwarder, as you must with a Splunk Cloud deployment.

Considerations for installing Splunk Enterprise on Windows machines

When you install and deploy Splunk Enterprise on Windows, consider the following:

Consideration: Authentication
Description: To perform any operations on remote Windows machines in your network, Splunk Enterprise must run as a user with credentials to access those machines. Make these credentials available before deploying. See Considerations for deciding how to monitor remote Windows data.

Consideration: Disk bandwidth
Description: Splunk Enterprise indexers require lots of disk I/O bandwidth, particularly when indexing large amounts of data. Make sure that you configure any installed antivirus software to avoid monitoring Splunk Enterprise directories or processes, because such scans significantly reduce performance.

Consideration: Shared hosts
Description: Before you install Splunk Enterprise on a host that runs other services, such as Exchange, SQL Server, or a hypervisor, see Introduction to capacity planning for Splunk Enterprise in the Capacity Planning manual.
Last modified on 31 March, 2021

This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.2.0, 8.2.1, 8.2.2

