Use the Splunk Add-on for Windows

The Splunk Add-on for Windows collects Windows data and provides knowledge objects for apps like the Splunk App for Windows Infrastructure, Splunk IT Service Intelligence, and other Splunk apps and add-ons.

Lookups

Search time lookup: Convert Windows Event Log eventType values to strings

The Splunk Add-on for Windows includes a lookup that lets you convert a Windows event EventType numerical value to a string. To use the lookup, enter the following in a search bar on a Splunk Enterprise instance with the add-on installed:

| lookup windows_eventtype_lookup EventType OUTPUTNEW Description AS <new field>

Confirmation and troubleshooting searches

Use the following searches to confirm that the Splunk Add-on for Windows operates properly. If these searches do not return data, a possible configuration problem exists and you should correct it before continuing to use the add-on.

index=wineventlog OR index=perfmon

This search confirms that the Splunk Add-on for Windows has properly installed and configured the inputs. If it fails, check that:

• You have enabled the inputs included with the Splunk Add-on for Windows on each forwarder that runs the add-on.
• You have installed the add-on into the indexers in your deployment.

sourcetype="WinEventLog*" OR sourcetype="Perfmon*"

This search confirms that the Splunk Add-on for Windows properly collects Windows Event Log and performance metrics. If it fails, check that that Splunk user that runs the add-on has the "windows_admin" role added.

eventtype=wineventlog_windows OR eventtype=perfmon_windows

This search confirms that Windows Event Log and performance metric data is present in Splunk Enterprise. If it fails, make sure that you have installed the add-on into all of search heads in your Splunk Enterprise deployment.