Find enabled windows inputs by SPL query?

isoutamo — Wed, 28 Jun 2023 14:57:12 GMT

It's quite easy to find which monitor inputs are activated via host's inputs.conf by queuing those from UF's _internal log. But how I can check same for Windows additional components like WinRegMon or admon?

Basically I can see all known possible win monitoring components by

index=_internal host=* sourcetype=splunkd source=*splunkd.log component=ModularInputs

But how to find which are activated, when I have to look those from hundreds of nodes over long period like 30 days?

I hope to get something like this

_time	HOST	WinEventLog	<enabled or even which logs are enabled>
_time	HOST	batch	//$SPLUNK_HOME\var\run\splunk\search_telemetry\search_telemetry.json //$SPLUNK_HOME\var\spool\splunk //$SPLUNK_HOME\var\spool\splunk\...stash_hec //$SPLUNK_HOME\var\spool\splunk\...stash_new //$SPLUNK_HOME\var\spool\splunk\tracker.log
_time	HOST	monitor	//$SPLUNK_HOME\etc\splunk.version //$SPLUNK_HOME\var\log\splunk //$SPLUNK_HOME\var\log\splunk\configuration_change.log //$SPLUNK_HOME\var\log\splunk\license_usage_summary.log //$SPLUNK_HOME\var\log\splunk\metrics.log //$SPLUNK_HOME\var\log\splunk\splunk_instrumentation_cloud.log* //$SPLUNK_HOME\var\log\splunk\splunkd.log //$SPLUNK_HOME\var\log\watchdog\watchdog.log*

r. Ismo

topic Find enabled windows inputs by SPL query? in All Apps and Add-ons

Find enabled windows inputs by SPL query?