Find enabled windows inputs by SPL query?

isoutamo · ‎06-28-2023

Hi

It's quite easy to find which monitor inputs are activated via host's inputs.conf by queuing those from UF's _internal log. But how I can check same for Windows additional components like WinRegMon or admon?

Basically I can see all known possible win monitoring components by

index=_internal host=* sourcetype=splunkd source=*splunkd.log component=ModularInputs

But how to find which are activated, when I have to look those from hundreds of nodes over long period like 30 days?

I hope to get something like this

_time	HOST	WinEventLog	<enabled or even which logs are enabled>
_time	HOST	batch	//$SPLUNK_HOME\var\run\splunk\search_telemetry\search_telemetry.json //$SPLUNK_HOME\var\spool\splunk //$SPLUNK_HOME\var\spool\splunk\...stash_hec //$SPLUNK_HOME\var\spool\splunk\...stash_new //$SPLUNK_HOME\var\spool\splunk\tracker.log
_time	HOST	monitor	//$SPLUNK_HOME\etc\splunk.version //$SPLUNK_HOME\var\log\splunk //$SPLUNK_HOME\var\log\splunk\configuration_change.log //$SPLUNK_HOME\var\log\splunk\license_usage_summary.log //$SPLUNK_HOME\var\log\splunk\metrics.log //$SPLUNK_HOME\var\log\splunk\splunk_instrumentation_cloud.log* //$SPLUNK_HOME\var\log\splunk\splunkd.log //$SPLUNK_HOME\var\log\watchdog\watchdog.log*

r. Ismo

Find enabled windows inputs by SPL query?

administration

search

troubleshooting

Index This | How many sides does a circle have?

New This Month - Splunk Observability updates and improvements for faster ...

What's New in Splunk Cloud Platform 9.3.2411?