Splunk® Add-on for Windows

Deploy and Use the Splunk Add-on for Windows

This documentation does not apply to the most recent version of Splunk® Add-on for Windows. For documentation on the most recent version, go to the latest release.

Source types and CIM data model info

The Splunk Add-on for Windows provides Common Information Model (CIM) information, the index-time and search-time knowledge for Windows events, metadata, user and group information, collaboration data, and tasks, in the following source types. Each source type is listed with the CIM data model(s) it is mapped to, if any.

Source type                   | Description                                                                              | CIM data model(s)
fs_notification               | File system notification changes                                                         | Change Analysis
NTSyslog:*                    | Windows Event Log data                                                                   | n/a
Snare:*                       | Windows Event Log - Snare                                                                | n/a
WinEventLog:                  | Windows Event Log                                                                        | Inventory
DhcpSrvLog                    | Microsoft DHCP Server Log information                                                    | Network Sessions
MonitorWare:Application       | MonitorWare - Application Event Log                                                      | n/a
WindowsUpdateLog              | Windows Update log file                                                                  | n/a
WinHostMon                    | Windows host monitoring log                                                              | Inventory, Performance
WinRegistry                   | Windows Registry changes                                                                 | Change Analysis
wmi                           | Information collected through Windows Management Instrumentation (WMI)                   | n/a
WMI:ComputerSystem            | Computer system information collected through WMI                                        | Performance
Perfmon:CPUTime               | CPU usage time collected through the Performance Monitor input                           | Performance
WMI:CPUTime                   | CPU usage time collected through WMI                                                     | Performance
Perfmon:FreeDiskSpace         | Free disk space provided by the Performance Monitor input                                | Performance
Perfmon:LogicalDisk           | Information about logical disks on the system, provided by the Performance Monitor input | Performance
WMI:FreeDiskSpace             | Free disk space provided by WMI                                                          | Performance
WMI:LogicalDisk               | Information about logical disks on the system, provided by WMI                           | Performance
Perfmon:LocalNetwork          | Network statistics provided by the Performance Monitor input                             | Performance
WMI:LocalNetwork              | Network statistics provided by WMI                                                       | Performance
Script:InstalledApps          | List of installed applications                                                           | n/a
WMI:InstalledUpdates          | List of installed updates/packages provided by WMI                                       | Updates
Script:ListeningPorts         | List of network ports that listen for traffic                                            | n/a
WMI:LocalProcesses            | Information on processes running locally, provided by WMI                                | Application State
Perfmon:Memory                | Memory information provided by the Performance Monitor input                             | Performance
WMI:Memory                    | Memory information provided by WMI                                                       | Performance
WMI:Service                   | Information on services running locally, provided by WMI                                 | Application State
Script:TimesyncConfiguration  | Information on time synchronization service configuration                                | n/a
Script:TimesyncStatus         | Information on time synchronization status                                               | n/a
WMI:Uptime                    | Information on system uptime, provided by WMI                                            | Performance
WMI:UserAccounts              | Information on configured user accounts, provided by WMI                                 | Inventory
WMI:Version                   | Information on the system version, provided by WMI                                       | Inventory

CIM data model tag population

CIM data model           | Tags
Alerts                   | alert
Application State        | listening, port, process, report, service
Authentication           | authentication, cleartext, default, insecure, privileged
Change Analysis          | account, audit, change, endpoint, network
Compute Inventory        | cpu, default, inventory, memory, network, os, snapshot, storage, tools, user, virtual
Databases                | database, instance, lock, query, session, stats, tablespace
JVM                      | classloading, compilation, jvm, memory, os, runtime, threading
Network Resolution (DNS) | dns, network, resolution
Network Sessions         | dhcp, end, network, session, start, vpn
Network Traffic          | communicate, network
Performance              | cpu, facilities, memory, network, os, performance, storage, synchronize, time, uptime
Splunk Audit Logs        | error
Splunk CIM Validation    | listening, port, synchronize, time, uptime
Ticket Management        | change, incident, problem, ticketing
Updates                  | error, status, update
Vulnerabilities          | report, vulnerability

Last modified on 23 February, 2018

This documentation applies to the following versions of Splunk® Add-on for Windows: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.8.4