Use the Splunk Add-on for Windows
The Splunk Add-on for Windows collects Windows data and provides knowledge objects for apps like the Splunk App for Windows Infrastructure, Splunk IT Service Intelligence, and other Splunk apps and add-ons.
Lookups
Search time lookup: Convert Windows Event Log eventType values to strings
The Splunk Add-on for Windows includes a lookup that converts the numerical EventType value of a Windows event to a descriptive string. To use the lookup, enter the following in a search bar on a Splunk Enterprise instance with the add-on installed, replacing <new field> with the name you want for the resulting string field:
| lookup windows_eventtype_lookup EventType OUTPUTNEW Description AS <new field>
Confirmation and troubleshooting searches
Use the following searches to confirm that the Splunk Add-on for Windows operates properly. If these searches do not return data, a possible configuration problem exists and you should correct it before continuing to use the add-on.
index=wineventlog OR index=perfmon
This search confirms that the Splunk Add-on for Windows has properly installed and configured the inputs. If it fails, check that:
- You have enabled the inputs included with the Splunk Add-on for Windows on each forwarder that runs the add-on.
- You have installed the add-on into the indexers in your deployment.
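The first check above (inputs enabled on each forwarder) is easy to get wrong because the add-on ships its inputs disabled in default/inputs.conf and they are switched on per stanza in local/inputs.conf. The following is an added example, not code from the Splunk Add-on for Windows or from this documentation: it layers the two files the way Splunk does (local overrides default per key) and reports which WinEventLog:// and perfmon:// stanzas are still effectively disabled. The stanza contents are constructed sample data in the style of the add-on's inputs.conf, and the app directory layout ($SPLUNK_HOME/etc/apps/Splunk_TA_windows/{default,local}/inputs.conf) used by load_effective_from_app is an assumption.

```python
"""Report which Splunk Add-on for Windows inputs are effectively enabled.

Added example (not part of the add-on). Splunk reads default/inputs.conf
first and lets local/inputs.conf override individual keys per stanza, so a
stanza that is disabled = 1 in default/ stays off unless local/ flips it.
"""
import configparser
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample in the style of the add-on's shipped default/inputs.conf
# (everything off by default). Not the real file contents.
SAMPLE_DEFAULT = """
[WinEventLog://Security]
disabled = 1
start_from = oldest

[WinEventLog://System]
disabled = 1

[perfmon://CPU]
disabled = 1
object = Processor
counters = % Processor Time
"""

# Constructed sample of an admin's local/inputs.conf that turns two inputs on.
SAMPLE_LOCAL = """
[WinEventLog://Security]
disabled = 0

[perfmon://CPU]
disabled = false
"""


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk .conf text (INI-like) into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case; Splunk keys are case-sensitive
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def merge_layers(default: Dict[str, Dict[str, str]],
                 local: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Apply Splunk layering: local/ keys override default/ keys per stanza."""
    merged = {s: dict(kv) for s, kv in default.items()}
    for stanza, kv in local.items():
        merged.setdefault(stanza, {}).update(kv)
    return merged


def is_disabled(value: Optional[str]) -> bool:
    """Splunk accepts 0/1, true/false, etc.; a missing key means enabled."""
    if value is None:
        return False
    return value.strip().lower() in {"1", "true", "t", "yes", "y", "on"}


def effective_inputs(default_text: str, local_text: str) -> Dict[str, bool]:
    """Return {stanza: enabled} for the add-on's WinEventLog and perfmon stanzas."""
    merged = merge_layers(parse_conf(default_text), parse_conf(local_text))
    return {
        stanza: not is_disabled(kv.get("disabled"))
        for stanza, kv in merged.items()
        if stanza.startswith(("WinEventLog://", "perfmon://"))
    }


def still_disabled(default_text: str, local_text: str) -> List[str]:
    """Stanzas that will not collect anything on this forwarder."""
    enabled = effective_inputs(default_text, local_text)
    return sorted(s for s, on in enabled.items() if not on)


def load_effective_from_app(app_dir: str) -> Dict[str, bool]:
    """Read the real layered files from an add-on directory (assumed layout)."""
    app = Path(app_dir)
    default = app / "default" / "inputs.conf"
    local = app / "local" / "inputs.conf"
    return effective_inputs(default.read_text() if default.exists() else "",
                            local.read_text() if local.exists() else "")


if __name__ == "__main__":
    # Run against the constructed samples; point load_effective_from_app at
    # $SPLUNK_HOME/etc/apps/Splunk_TA_windows on a forwarder for real data.
    for stanza, on in effective_inputs(SAMPLE_DEFAULT, SAMPLE_LOCAL).items():
        print(f"{'enabled ' if on else 'DISABLED'}  {stanza}")
```

With the samples above, WinEventLog://System is reported as still disabled: it was never mentioned in local/, so the shipped disabled = 1 wins and the `index=wineventlog` search would return no System log events from that host.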
sourcetype="WinEventLog*" OR sourcetype="Perfmon*"
This search confirms that the Splunk Add-on for Windows properly collects Windows Event Log and performance metrics. If it fails, check that the Splunk user that runs the add-on has the "windows_admin" role added.
eventtype=wineventlog_windows OR eventtype=perfmon_windows
This search confirms that Windows Event Log and performance metric data is present in Splunk Enterprise. If it fails, make sure that you have installed the add-on on all of the search heads in your Splunk Enterprise deployment.
This documentation applies to the following versions of Splunk® Add-on for Windows: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.8.4