Configure the Splunk Add-on for Windows
The Splunk Add-on for Windows must be configured with configuration files. You can configure the add-on manually or push a configuration with a deployment server. See deploy the Splunk Add-on for Windows with Forwarder Management.
The default configuration files for the Splunk Add-on for Windows reside in %SPLUNK_HOME%\etc\apps\Splunk_TA_windows\default. Do not edit the files in this directory, because Splunk overwrites them whenever you upgrade the add-on. Create configuration files in the %SPLUNK_HOME%\etc\apps\Splunk_TA_windows\local directory and make your edits there.
Only modify input stanzas whose defaults you want to change. If you do not edit any files, the add-on does not collect any Windows data.
For more information about configuration files, see About configuration files in the Splunk Enterprise Admin Manual.
To reduce index volume, you can take advantage of the following advanced configuration option. Splunk Add-on for Windows 5.0.1 provides an option to remove extra text and normalize inappropriate values in both Classic and XML WinEventLog events by using SEDCMD. The SEDCMD configurations are commented out in default/props.conf. The explanation for each SEDCMD extraction is under the ##### Explanation line in each of the following stanzas:
[source::WinEventLog:System]
[source::WinEventLog:Security]
[source::WinEventLog:ForwardedEvents]
[WMI:WinEventLog:System]
[WMI:WinEventLog:Security]
You can use the extractions by copying the lines beginning with SEDCMD- in these stanzas from default/props.conf and pasting them into local/props.conf. For each one you want to use, uncomment the line.
The indexes.conf file was removed in the Splunk Add-on for Windows version 5.0.0. See upgrade the Splunk Add-on for Windows.
Before the Splunk Add-on for Windows can collect data, you must configure inputs.conf and change the disabled attribute for the stanzas you want to enable to 0.
The [admon] input should only be enabled on one domain controller in a single domain. The [admon] input directly queries the Active Directory domain controllers. Enabling this input on multiple Splunk instances can disrupt your Active Directory servers and eventually make them unresponsive, preventing users from accessing needed services.
- If %SPLUNK_HOME%\etc\apps\Splunk_TA_Windows\local\inputs.conf does not exist, create it.
- Using a text editor, open the %SPLUNK_HOME%\etc\apps\Splunk_TA_Windows\local\inputs.conf file.
- Enable the inputs that you want the add-on to collect data for by setting the disabled attribute for those input stanzas to 0.
- Save the file and close it.
- Copy the contents of the Splunk_TA_Windows add-on directory to %SPLUNK_HOME%\etc\apps on other forwarders, or use a deployment server and Forwarder Management to distribute the add-on to other forwarders in your deployment.
Configure Windows Update Logs in inputs.conf
The following may cause data duplication. Windows 8, Windows 8.1, Windows Server 2012, Windows 2008R2, and Windows 2012R2 overwrite the WindowsUpdate.log file after it reaches a certain size, and then truncate the log file from the beginning. The size of the truncation depends on the size of new events.
The following causes re-indexing of the entire file, which may cause data duplication. In Windows 10 and Windows Server 2016, the Get-WindowsUpdateLog command generates a static WindowsUpdate.log file every time the command runs.
The following applies only to Windows 10 and Windows Server 2016. Windows update logs in Windows 10 and Windows Server 2016 are generated using Event Tracing for Windows (ETW). Run the Get-WindowsUpdateLog PowerShell command at regular intervals to convert the ETW traces into a readable WindowsUpdate.log file.
To index data from the generated WindowsUpdate.log file, update the following monitor stanza with the path where you generated the file after conversion. By default, the converted file is generated on the desktop.
[monitor://<path to WindowsUpdate.log file>]
disabled = 0
sourcetype = WindowsUpdateLog
Configure File System change notifications in inputs.conf
To monitor a specific file or folder in the file system and index all change notifications in your Splunk instance, add a new stanza to local/inputs.conf:
[fschange:<path to monitor>]
signedaudit = <true|false>
Change notifications will be indexed with sourcetype
Configure the add-on to render Windows Event Log events in XML
You can configure the Splunk Add-on for Windows to render Windows Event Log events in eXtensible Markup Language (XML) format. This feature only works on Windows Server 2008 R2 and later operating systems.
To enable XML Event Log events:
- If %SPLUNK_HOME%\etc\apps\Splunk_TA_Windows\local\inputs.conf does not already exist, create it.
- Using a text editor, open both default/inputs.conf and local/inputs.conf.
- Copy the Event Log monitoring stanzas whose defaults you want to change from default/inputs.conf to local/inputs.conf.
- Add the following line to the Event Log monitoring stanzas that you want to generate XML Event Log events:
renderXml = 1
For example, if you want the Security Event Log channel to render events in XML, the Security Event Log stanza should look like this:
[WinEventLog://Security]
index=security
current_only=1
evt_resolve_ad_obj=0
renderXml=1
disabled=0
- Save the %SPLUNK_HOME%\etc\apps\Splunk_TA_Windows\local\inputs.conf file and close it.
- Deploy the add-on manually by copying the entire contents of the Splunk_TA_Windows directory to %SPLUNK_HOME%\etc\apps on other Splunk Enterprise instances, or use Forwarder Management to distribute the add-on to all forwarders in your deployment.
Collect data for forwarded Windows Event Logs using Windows Event Forwarding
The Splunk Add-on for Windows supports collecting forwarded Windows Event Logs in the default Forwarded Events channel of the Windows Event Viewer.
To collect data for the Forwarded Events channel, do the following steps.
- Enable Windows Remote Management on a Windows Server 2008 or later collector Windows machine.
- Create a subscription on the collector Windows machine and set the destination log as Forwarded Events.
- Copy the following input stanza into local/inputs.conf and enable it (set disabled to 0).
[WinEventLog://ForwardedEvents]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=true
To identify the source of forwarded events, use the host field.
The Splunk Add-on for Microsoft Windows 5.0.x supports only XML format for the collection of WinEventLogs using WEF. If you collect forwarded Windows event logs in plain text format, you might experience issues with indexed events and their extractions.
For performance information and considerations, refer to the Performance reference for the Splunk Add-on for Windows.
When the Windows collector machine collects forwarded security, system, and application events, the forwarded events contain an additional <RenderingInfo> block in the Event Viewer XML view that causes field extractions to be multivalued. To resolve this, copy the line
#SEDCMD-clean_rendering_info_block = s/<RenderingInfo Culture='.*'>(?s)(.*)<\/RenderingInfo>//
in the [source::WinEventLog:ForwardedEvents] stanza from default/props.conf to local/props.conf. Then, uncomment it.
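To see why the rendering block makes fields multivalued and what the SEDCMD removes, here is an added Python example (not part of the add-on or of the Splunk documentation) that applies an equivalent regex to a constructed, abbreviated forwarded event and compares the values an XML field extraction sees before and after the cleanup; the event content, host name and namespace handling are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

# The add-on's rule:  s/<RenderingInfo Culture='.*'>(?s)(.*)<\/RenderingInfo>//
# Splunk's regex engine accepts (?s) mid-pattern; Python's re wants the flag up
# front, so re.DOTALL is used instead. The match is otherwise the same.
RENDERING_INFO = re.compile(r"<RenderingInfo Culture='.*'>(.*)</RenderingInfo>", re.DOTALL)

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"

# Constructed, abbreviated forwarded event (not a capture from a real host):
# the collector appends a RenderingInfo block that repeats Level/Task/Channel.
SAMPLE_EVENT = f"""<Event xmlns='{EVENT_NS}'>
<System><Provider Name='Microsoft-Windows-Security-Auditing'/><EventID>4624</EventID>
<Level>0</Level><Task>12544</Task><Channel>Security</Channel>
<Computer>WORKSTATION01.example.local</Computer></System>
<EventData><Data Name='LogonType'>3</Data></EventData>
<RenderingInfo Culture='en-US'><Message>An account was successfully logged on.</Message>
<Level>Information</Level><Task>Logon</Task><Channel>Security</Channel>
<Provider>Microsoft Windows security auditing.</Provider></RenderingInfo>
</Event>"""


def strip_rendering_info(xml_text: str) -> str:
    """Apply the equivalent of SEDCMD-clean_rendering_info_block to one event."""
    return RENDERING_INFO.sub("", xml_text)


def field_values(xml_text: str, tag: str) -> list[str]:
    """Every value an XML field extraction would see for one element name."""
    root = ET.fromstring(xml_text)
    return [el.text or "" for el in root.iter(f"{{{EVENT_NS}}}{tag}")]


def rendering_duplicates(xml_text: str) -> dict[str, list[str]]:
    """Fields that come out multivalued only because of the RenderingInfo block."""
    cleaned = strip_rendering_info(xml_text)
    return {
        tag: field_values(xml_text, tag)
        for tag in ("Level", "Task", "Channel", "Provider")
        if len(field_values(xml_text, tag)) > len(field_values(cleaned, tag))
    }


if __name__ == "__main__":
    # Note that the human-readable <Message> text is dropped along with the duplicates.
    cleaned = strip_rendering_info(SAMPLE_EVENT)
    for tag, values in rendering_duplicates(SAMPLE_EVENT).items():
        print(f"{tag}: {values} -> {field_values(cleaned, tag)}")
```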
Collect perfmon data and wmi:uptime data in metric index
The Splunk Add-on for Windows supports metric indexes for the perfmon and WMI:Uptime source types. Before you begin:
- Splunk Enterprise 7.0 or above is required.
- Create a metric index for the supported sourcetype that you would like to collect data for.
Steps for collecting perfmon data in a Splunk metric index
- In inputs.conf, replace the mode=multikv line in the supported Perfmon sourcetype stanza with mode=single.
- In the same stanza, add a new line index=metric_index_name with the name of the metric index. For example:
[perfmon://CPU]
counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
disabled = 0
instances = *
interval = 10
mode = single
object = Processor
useEnglishOnly=true
index = metric_poc
- Restart your Splunk Enterprise to enable the new configuration.
Steps for collecting WMI:Uptime data in a Splunk metric index
- In wmi.conf, add a new line index=metric_index_name with the name of the metric index in the WMI:Uptime sourcetype stanza.
- Restart Splunk Enterprise to enable the new configuration.
This documentation applies to the following versions of Splunk® Add-on for Windows: 5.0.0, 5.0.1