Splunk® Add-on for Windows

Deploy and Use the Splunk Add-on for Windows

This documentation does not apply to the most recent version of Splunk® Add-on for Windows. For documentation on the most recent version, go to the latest release.

What data the Splunk Add-on for Windows collects

The Splunk Add-on for Windows collects the following data:

  • CPU statistics.
  • Memory usage and availability by process and host.
  • Disk usage including average read/write speed, disk queue length, and available disk space by host.
  • Network usage including average bytes transferred per second and total network data transferred over time, by host.
  • Windows Update patch history, including successful and unsuccessful updates, by host and Knowledge Base (KB) number.
  • Longest and most frequent logins, by host and user name.
  • Unsuccessful logins, by host and user name.
  • All event logs.
  • Information on Security IDentifiers (SIDs) and Globally Unique IDentifiers (GUIDs).
  • Information on Windows services that either failed, or failed to start.
  • Information on how Windows hosts were shut down.
  • Information on successful privilege escalations, by user name.

Index usage and creation

The Splunk Add-on for Windows creates three indexes to store its data when installed:

  • windows: For DHCP, Windows Update logs, Windows network, host, printer, and Registry monitoring.
  • wineventlog: For all Windows Event Log channels.
  • perfmon: For all Windows Performance Monitoring events.

When you forward data from a Windows server using the Splunk Add-on for Windows, the indexer you send the events to must also have these indexes present. You can install the add-on onto the indexer to set those indexes up automatically.

Last modified on 23 February, 2018
Platform and hardware requirements   Other deployment considerations

This documentation applies to the following versions of Splunk® Add-on for Windows: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.8.4


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters