Splunk® Add-on for Windows

Deploy and Use the Splunk Add-on for Windows

Sourcetypes for the Splunk Add-on for Windows

The latest version of documentation for this product can be found in the Splunk Supported Add-ons manual.

The Splunk Add-on for Windows provides Common Information Model mappings, the index-time and search-time knowledge for Windows events, metadata, user and group information, collaboration data, and tasks in the following formats.

The latest version of the Splunk Add-on for Microsoft Windows introduced Common Information Model (CIM) and field mapping changes to its sourcetypes. See the Common Information Model and Field Mapping Changes for the Splunk Add-on for Microsoft Windows topic in the Reference chapter in this manual for information on changes to the mapping of this information.

| Source type | Description | CIM data models |
| --- | --- | --- |
| ActiveDirectory | Active Directory related information | n/a |
| DhcpSrvLog | Microsoft DHCP Server Log information | Network Sessions |
| Perfmon:CPU, PerfmonMk:CPU | CPU usage statistics provided by the Performance Monitor input | Application State, Performance |
| Perfmon:LogicalDisk, PerfmonMk:LogicalDisk | Information about logical disks on the system provided by the Performance Monitor input in single or multikv mode. | Performance |
| Perfmon:Memory, PerfmonMk:Memory | Memory statistics provided by the Performance Monitor input in single or multikv mode | Performance |
| Perfmon:Network, PerfmonMk:Network | Network statistics provided by the Performance Monitor input in single or multikv mode | Performance |
| Perfmon:PhysicalDisk, PerfmonMk:PhysicalDisk | Information about physical disks on the system provided by the Performance Monitor input in single or multikv mode | n/a |
| Perfmon:Process, PerfmonMk:Process | Information about process running on the system provided by the Performance Monitor input in single or multikv mode | Application State, Performance, Endpoint |
| Perfmon:ProcessorInformation, PerfmonMk:ProcessorInformation | Statistics related to processor state and performance | Application State, Inventory, Endpoint, Performance, Vulnerabilities |
| Perfmon:System, PerfmonMk:System | System Information provided by the Performance Monitor input in single or multikv mode | Application State, Performance |
| Script:InstalledApps | List of installed applications | n/a |
| Script:ListeningPorts | List of network ports that listen for traffic | Application State, Endpoint |
| Script:NetworkConfiguration | To get local IP configurations | n/a |
| Script:TimesyncConfiguration | Information on time synchronization service configuration. | n/a |
| Script:TimesyncStatus | Information on time synchronization status. | Performance |
| WindowsUpdateLog | Windows Update log file | Updates |
| WinHostMon | Windows host monitoring log | Inventory, Performance, Endpoint |
| WinNetMon | Network related information | n/a |
| WinPrintMon | Windows Printer related changes | n/a |
| WinRegistry | Windows Registry changes | Change Analysis, Endpoint, Change |
| WMI:ComputerSystem | Computer system information provided by WMI | Performance |
| WMI:CPUTime | CPU usage time provided by WMI | Application State, Performance |
| WMI:FreeDiskSpace | Free Disk Space provided by WMI | Application State, Performance |
| WMI:InstalledUpdates | List of installed updates/packages provided by WMI | Updates |
| WMI:LocalNetwork | Network statistics provided by WMI | Performance |
| WMI:LocalPhysicalDisk | Physical Disk information provided by WMI | n/a |
| WMI:LogicalDisk | Information about logical disks on the system, provided by WMI | Performance |
| WMI:LocalProcesses | Information on processes running locally, provided by WMI | Application State, Endpoint |
| WMI:Memory | Memory information provided by WMI | Application State, Performance |
| WMI:ScheduledJobs | Information on Scheduled Jobs provided by WMI | n/a |
| WMI:Service | Information on services running locally, provided by WMI | Application State, Endpoint |
| WMI:Uptime | Information on system uptime, provided by WMI | Application State, Performance |
| WMI:UserAccounts | Information on configured user accounts, provided by WMI | Application State, Inventory |
| WMI:Version | Information on the system version, provided by WMI | Application State, Inventory |
| WMI:WinEventLog:* | Windows Event Log data for Application, System and Security - WMI | Application State, Authentication, Change Analysis, Performance, Updates, Vulnerabilities, Endpoint, Event Signatures, Change |
| MSAD:NT6:Health | Active Directory health information | n/a |
| MSAD:NT6:SiteInfo | Active Directory site information | n/a |
| MSAD:NT6:Replication | Active Directory site replication information | n/a |
| MSAD:NT6:Netlogon | Active Directory login statistics | n/a |
| MSAD:SubnetAffinity | Active Directory Domain Subnet Affinity problem information | n/a |
| WinEventLog, XmlWinEventLog | Windows Event Log data for Application, System, Security, DFS Replication, Directory Service, File Replication Service, Key Management Service, DNS Server provided by WinEventLog in XML or standard format. | Application State, Authentication, Change Analysis, Performance, Updates, Vulnerabilities, Endpoint, Event Signatures, Change |
| Perfmon:Processor, PerfmonMk:Processor | | n/a |
| Perfmon:Network_Interface, PerfmonMk:Network_Interface | Network_Interface statistics provided by the Performance Monitor input in single or multikv mode | n/a |
| Perfmon:DFS_Replicated_Folders, PerfmonMk:DFS_Replicated_Folders | Information about dfs replicated folders on the system provided by the Performance Monitor input in single or multikv mode. | n/a |
| Perfmon:NTDS, PerfmonMk:NTDS | Information about NTDS on the system provided by the Performance Monitor input in single or multikv mode. | n/a |
| Perfmon:DNS, PerfmonMk:DNS | Information about DNS on the system provided by the Performance Monitor input in single or multikv mode. | n/a |
| MSAD:NT6:DNS-Zone-Information | Information about DNS zones | n/a |
| MSAD:NT6:DNS-Health | Information about the health of DNS servers | n/a |
| MSAD:NT6:DNS | DNS server activity statistics | n/a |

In versions 5.0.0 and later of the Splunk Add-on for Windows, the source type WinEventLog is subdivided into WinEventLog for Classic channels and XmlWinEventLog for XML channels. See Source and sourcetype changes for WinEventLog data.

Source types for backward compatibility

The Splunk Add-on for Windows includes the following source types for backward compatibility.

| Sourcetype | Description | CIM data model(s) |
| --- | --- | --- |
| fs_notification | File system notification changes. Included for backward compatibility. | Change Analysis |
| Perfmon:CPUTime | CPU usage statistics provided by the Performance Monitor input in single or multikv mode. Included for backward compatibility. | Performance |
| Perfmon:FreeDiskSpace | Free Disk Space statistics provided by the Performance Monitor input. Included for backward compatibility. | Performance |
| Perfmon:LocalNetwork | Free Disk Space statistics provided by the Performance Monitor input. Included for backward compatibility. | Performance |

Last modified on 06 November, 2023

This documentation applies to the following versions of Splunk® Add-on for Windows: 8.1.2

