Since the out-of-the-box version of Splunk can collect data from Windows endpoints, what's the benefit of using the add-on?
The Splunk Product Best Practices team provided this response. Read more about How Crowdsourcing is Shaping the Future of Splunk Best Practices.
You're right! The out-of-the-box version of Splunk can collect a great deal of data from Windows endpoints. See Install a Windows universal forwarder from an installer for details. However, the Splunk Add-on for Microsoft Windows amplifies this functionality with three realms of features: additional data collection functionality, a rich set of knowledge objects for all Windows data, and prebuilt panels. This post reviews those features and highlights easily overlooked best practices for deploying the add-on and searching its data.
Functionality
Starting with version 6.0.0, the Splunk Add-on for Microsoft Windows introduced new functionality for data collection of Microsoft Active Directory and Microsoft DNS. These were previously provided in separate apps. See the Release notes for the Splunk Add-on for Windows for additional information. Additionally, the Splunk Add-on for Microsoft Windows includes a variety of scripts that introduce functionality for collecting complex data from the Windows system. See Source types for the Splunk Add-on for Windows for a complete list and summary of all data inputs available by adding the Splunk Add-on for Microsoft Windows to a Splunk installation.
Knowledge objects
The Splunk Add-on for Microsoft Windows contains preconfigured knowledge objects that are Common Information Model compatible. They already have field extractions, lookups, aliases, and more to enable the Windows data to work seamlessly with other Splunk products such as Splunk Enterprise Security, the Splunk App for PCI Compliance, the Splunk ITSI Operating System Module, the Splunk App for Windows Infrastructure, Splunk User Behavior Analytics, and the Splunk App for Microsoft Exchange. See About the Splunk Add-on for Windows for more information. Manually creating the knowledge objects the Splunk Add-on for Microsoft Windows has would take months of work and rework to get right.
App vs Add-on
The Splunk Add-on for Microsoft Windows contains no dashboards or prebuilt panels. Be sure not to confuse this add-on with the Splunk App for Windows Infrastructure, which is all dashboards but does not collect data. Learn more about the Microsoft-related apps and add-ons in our post What are the Splunk apps and add-ons for Microsoft technologies, and what do I use them for?
Deployment
It's often overlooked that the servers in your Splunk deployment don't need to be Windows to search data from the Windows endpoints. Learn more by reading Search Windows data on a non-Windows instance of Splunk Enterprise. In fact, follow the Install this add-on topic to properly install the Splunk Add-on for Windows on Search Heads and Indexers so that your Windows data is properly searched and indexed.
Searching data from Windows and UNIX
After the basic event data for the Windows systems are available in Splunk, check out our post What are the best practice searches for Server & OS monitoring? to see searches that can span both Windows and UNIX data in your deployment.

Wonderfully explained, @SloshBurch. I would just like to suggest a minor edit. Windows 5.0.1 and above don't have prebuilt panels available in the package any more.

Well I'll be... Great catch and thank you! I'll remove it from the answer and send you some delicious karma points for your help!
