Splunk® Add-on for Windows

Deploy and Use the Splunk Add-on for Windows

This documentation does not apply to the most recent version of the Splunk Add-on for Windows.

Use the Splunk Add-on for Windows

The Splunk Add-on for Windows collects Windows data and provides knowledge objects for apps like the Splunk App for Windows Infrastructure, Splunk IT Service Intelligence, and other Splunk apps and add-ons.

Lookups

Search time lookup: Convert Windows Event Log eventType values to strings

The Splunk Add-on for Windows includes a lookup that converts the numerical EventType value of a Windows event to a descriptive string. To use the lookup, enter the following in a search bar on a Splunk Enterprise instance with the add-on installed, replacing <new field> with the name of the field that should receive the description:

| lookup windows_eventtype_lookup EventType OUTPUTNEW Description AS <new field>

Confirmation and troubleshooting searches

Use the following searches to confirm that the Splunk Add-on for Windows operates properly. If these searches do not return data, a possible configuration problem exists and you should correct it before continuing to use the add-on.

index=wineventlog OR index=perfmon

This search confirms that the Splunk Add-on for Windows has properly installed and configured the inputs. If it fails, check that:

  • You have enabled the inputs included with the Splunk Add-on for Windows on each forwarder that runs the add-on.
  • You have installed the add-on into the indexers in your deployment.

sourcetype="WinEventLog*" OR sourcetype="Perfmon*"

This search confirms that the Splunk Add-on for Windows properly collects Windows Event Log and performance metrics. If it fails, check that the Splunk user that runs the add-on has the "windows_admin" role added.

eventtype=wineventlog_windows OR eventtype=perfmon_windows

This search confirms that Windows Event Log and performance metric data is present in Splunk Enterprise. If it fails, make sure that you have installed the add-on on all search heads in your Splunk Enterprise deployment.
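The three searches above form an ordered procedure: no indexed data means the sourcetype and eventtype searches cannot succeed either, so a failure early in the list explains the later ones. The following script is an added example, not part of the add-on or of Splunk's documentation. It runs the three searches in order through a caller-supplied run_search function and maps an empty result to the checks listed above for that search. The fake_runner helper and its counts are constructed for the example; rest_runner assumes a Splunk management port reachable at base_url with a bearer token and uses the services/search/jobs endpoint in oneshot mode.

```python
"""Triage helper for the Splunk Add-on for Windows confirmation searches.

Added example; it is not part of the add-on or of Splunk's documentation.
It runs the three documented searches in order and maps an empty result
to the checks the documentation lists for that search.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

# (name, SPL from the documentation, checks to make when the search returns nothing)
CONFIRMATION_CHECKS: List[Tuple[str, str, List[str]]] = [
    (
        "inputs",
        "index=wineventlog OR index=perfmon",
        [
            "Enable the add-on's inputs on each forwarder that runs the add-on.",
            "Install the add-on on the indexers.",
        ],
    ),
    (
        "sourcetypes",
        'sourcetype="WinEventLog*" OR sourcetype="Perfmon*"',
        ["Add the windows_admin role to the Splunk user that runs the add-on."],
    ),
    (
        "eventtypes",
        "eventtype=wineventlog_windows OR eventtype=perfmon_windows",
        ["Install the add-on on every search head."],
    ),
]


def triage(run_search: Callable[[str], int], stop_on_failure: bool = True) -> Dict[str, object]:
    """Run the confirmation searches in order and report what to check.

    `run_search` takes an SPL string and returns the number of matching events.
    The report lists the searches that passed, the ones that failed together
    with their checks, and the ones that were actually run. Later searches
    depend on earlier ones, so by default triage stops at the first failure
    rather than reporting misleading downstream failures as separate problems.
    """
    report: Dict[str, object] = {"passed": [], "failed": {}, "searched": []}
    for name, spl, checks in CONFIRMATION_CHECKS:
        report["searched"].append(name)
        if run_search(spl) > 0:
            report["passed"].append(name)
            continue
        report["failed"][name] = list(checks)
        if stop_on_failure:
            break
    return report


def fake_runner(counts: Dict[str, int]) -> Callable[[str], int]:
    """Constructed stand-in for a Splunk instance: maps SPL text to an event count."""
    return lambda spl: counts.get(spl, 0)


def rest_runner(base_url: str, token: str, earliest: str = "-24h") -> Callable[[str], int]:
    """Build a run_search that submits each search through Splunk's REST API.

    Assumes the management port (for example https://splunk.example:8089) and a
    bearer token. Each search is wrapped in `| stats count` so that only one
    small row comes back instead of the raw events.
    """
    def run_search(spl: str) -> int:
        body = urllib.parse.urlencode({
            "search": f"search {spl} | stats count",
            "earliest_time": earliest,
            "exec_mode": "oneshot",
            "output_mode": "json",
        }).encode()
        req = urllib.request.Request(
            f"{base_url}/services/search/jobs",
            data=body,
            headers={"Authorization": f"Bearer {token}"},
        )
        with urllib.request.urlopen(req) as resp:
            results = json.load(resp).get("results", [])
        return int(results[0]["count"]) if results else 0

    return run_search


if __name__ == "__main__":
    # Constructed scenario: events are indexed, but the sourcetype search is
    # empty, so the report points at the windows_admin role check.
    demo = fake_runner({"index=wineventlog OR index=perfmon": 1500})
    print(json.dumps(triage(demo), indent=2))
```

With a real instance, swap fake_runner for rest_runner; the triage logic is unchanged because it only depends on the event count each search returns. Pass stop_on_failure=False to see every failing search, which is useful after the first problem has been fixed and you want to confirm the remaining steps in one run.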

Last modified on 23 February, 2018

This documentation applies to the following versions of Splunk® Add-on for Windows: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.8.4
