What data the Splunk Add-on for Windows collects
The Splunk Add-on for Windows collects the following data:
- CPU statistics.
- Memory usage and availability by process and host.
- Disk usage including average read/write speed, disk queue length, and available disk space by host.
- Network usage including average bytes transferred per second and total network data transferred over time, by host.
- Windows Update patch history, including successful and unsuccessful updates, by host and Knowledge Base (KB) number.
- Longest and most frequent logins, by host and user name.
- Unsuccessful logins, by host and user name.
- All event logs.
- Information on Security Identifiers (SIDs) and Globally Unique Identifiers (GUIDs).
- Information on Windows services that either failed or failed to start.
- Information on how Windows hosts were shut down.
- Information on successful privilege escalations, by user name.
Index usage and creation
The Splunk Add-on for Windows creates three indexes to store its data when installed:
- windows: For DHCP, Windows Update logs, Windows network, host, printer, and Registry monitoring.
- wineventlog: For all Windows Event Log channels.
- perfmon: For all Windows Performance Monitoring events.
When you forward data from a Windows server using the Splunk Add-on for Windows, the indexer you send the events to must also have these indexes present. You can install the add-on onto the indexer to set those indexes up automatically.
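The following script is an added example, not part of the Splunk documentation or the add-on itself. It checks an indexer's indexes.conf for the three indexes the add-on writes to (windows, wineventlog, perfmon) so that forwarded events are not dropped or misrouted for lack of a destination index. The indexes.conf text embedded in it is constructed for illustration, and the parser is a minimal reader of Splunk's INI-style stanza format rather than anything Splunk ships.

```python
"""Check that an indexer's indexes.conf defines the indexes the Splunk Add-on
for Windows sends events to (windows, wineventlog, perfmon).

Added example, not part of the Splunk documentation or the add-on. The
indexes.conf text below is constructed for illustration; the parser is a
minimal reader of Splunk's INI-style stanza format, not Splunk's own code.
"""

import re

# Indexes the Splunk Add-on for Windows creates and forwards data into.
REQUIRED_INDEXES = ("windows", "wineventlog", "perfmon")

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
SETTING_RE = re.compile(r"^(?P<key>[^=\s]+)\s*=\s*(?P<value>.*)$")


def parse_indexes_conf(text):
    """Return {stanza_name: {key: value}} for a Splunk .conf file.

    Handles '#' comment lines, blank lines, and 'key = value' settings
    beneath '[stanza]' headers. Settings before the first stanza are ignored.
    """
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            stanzas.setdefault(current, {})
            continue
        m = SETTING_RE.match(line)
        if m and current is not None:
            stanzas[current][m.group("key")] = m.group("value").strip()
    return stanzas


def defined_indexes(stanzas):
    """Stanza names that define an index: everything except the global
    '[default]' stanza and volume definitions ('[volume:name]')."""
    return {
        name for name in stanzas
        if name != "default" and not name.startswith("volume:")
    }


def missing_indexes(conf_text, required=REQUIRED_INDEXES):
    """Required indexes not defined in conf_text, in the order given."""
    present = defined_indexes(parse_indexes_conf(conf_text))
    return [name for name in required if name not in present]


# Constructed sample: an indexer that never received the add-on's indexes.conf,
# so only 'windows' exists alongside an unrelated 'linux' index.
SAMPLE_INDEXES_CONF = """
# constructed sample, not a real deployment
[default]
maxTotalDataSizeMB = 500000

[volume:hot]
path = /opt/splunk/var/lib/splunk

[windows]
homePath = $SPLUNK_DB/windows/db
coldPath = $SPLUNK_DB/windows/colddb
thawedPath = $SPLUNK_DB/windows/thaweddb

[linux]
homePath = $SPLUNK_DB/linux/db
coldPath = $SPLUNK_DB/linux/colddb
thawedPath = $SPLUNK_DB/linux/thaweddb
"""

if __name__ == "__main__":
    gaps = missing_indexes(SAMPLE_INDEXES_CONF)
    if gaps:
        print("indexer is missing add-on indexes:", ", ".join(gaps))
    else:
        print("all Splunk Add-on for Windows indexes are defined")
```

On a live indexer, feed the script the merged configuration rather than a single file (for example the output of `splunk btool indexes list`), since index definitions can be spread across several apps; the sample above deliberately includes a `[default]` stanza and a volume definition to show that neither counts as an index.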
This documentation applies to the following versions of Splunk® Add-on for Windows: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.8.4