
Is it a best practice to use the Splunk Add-on for Microsoft Windows?

Ultra Champion

Since the out-of-the-box version of Splunk can collect data from Windows endpoints, what's the benefit of using the add-on?

1 Solution

Ultra Champion

The Splunk Product Best Practices team provided this response. Read more about How Crowdsourcing is Shaping the Future of Splunk Best Practices.

You're right! The out-of-the-box version of Splunk can collect a great deal of data from Windows endpoints. See Install a Windows universal forwarder from an installer for details. However, the Splunk Add-on for Microsoft Windows amplifies this functionality with three realms of features: additional data collection functionality, a rich set of knowledge objects for all Windows data, and prebuilt panels. This post reviews those features and highlights easily overlooked best practices for deploying the add-on and searching its data.

Functionality

Starting with version 6.0.0, the Splunk Add-on for Microsoft Windows introduced new functionality for data collection of Microsoft Active Directory and Microsoft DNS. These were previously provided in separate apps. See the Release notes for the Splunk Add-on for Windows for additional information. Additionally, the Splunk Add-on for Microsoft Windows includes a variety of scripts that introduce functionality for collecting complex data from the Windows system. See Source types for the Splunk Add-on for Windows for a complete list and summary of all data inputs available by adding the Splunk Add-on for Microsoft Windows to a Splunk installation.

Knowledge objects

The Splunk Add-on for Microsoft Windows contains preconfigured knowledge objects that are Common Information Model compatible. They already have field extractions, lookups, aliases, and more to enable the Windows data to work seamlessly with other Splunk products such as Splunk Enterprise Security, the Splunk App for PCI Compliance, the Splunk ITSI Operating System Module, the Splunk App for Windows Infrastructure, Splunk User Behavior Analytics, and the Splunk App for Microsoft Exchange. See About the Splunk Add-on for Windows for more information. Manually creating the knowledge objects the Splunk Add-on for Microsoft Windows has would take months of work and rework to get right.

App vs Add-on

The Splunk Add-on for Microsoft Windows contains no dashboards or prebuilt panels. Be sure not to confuse this add-on with the Splunk App for Windows Infrastructure which is all dashboards but does not collect data. Learn more about the Microsoft related apps and add-ons in our post What are the Splunk apps and add-ons for Microsoft technologies, and what do I use them for?

Deployment

It's often overlooked that the servers in your Splunk deployment don't need to be Windows to search data from the Windows endpoints. Learn more by reading Search Windows data on a non-Windows instance of Splunk Enterprise. In fact, follow the Install this add-on topic to install the Splunk Add-on for Windows on search heads and indexers so that your Windows data is properly indexed and searched.

Searching data from Windows and UNIX

After the basic event data for the Windows systems are available in Splunk, check out our post What are the best practice searches for Server & OS monitoring? to see searches that can span both Windows and UNIX data in your deployment.

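To make the knowledge-object and cross-platform search points above concrete, here is an added example that is not part of the original thread and not the add-on's own code: a small sketch of the normalization the add-on's CIM-compatible knowledge objects perform on raw Windows Security events (classic multi-line WinEventLog format), placed beside the same normalization for Linux sshd syslog so that one query can span both. The event text, host names, SIDs and addresses are constructed samples, and the function names are this example's own.

```python
"""Added example, not code from the Splunk Add-on for Windows: a sketch of the
normalization its CIM-compatible knowledge objects perform on Windows Security
events, beside the same normalization for Linux sshd syslog, so one query can
span both. All inputs below are constructed samples."""
import re
from collections import Counter

# Constructed samples in the classic multi-line WinEventLog format (trimmed).
WIN_4624 = """08/12/2020 10:15:32 AM
LogName=Security
EventCode=4624
ComputerName=WIN-DC01.example.local
Keywords=Audit Success
Message=An account was successfully logged on.

Subject:
\tAccount Name:\t\t-

Logon Type:\t\t\t3

New Logon:
\tAccount Name:\t\tjdoe
\tAccount Domain:\t\tEXAMPLE

Network Information:
\tSource Network Address:\t10.0.0.5
"""
WIN_4625 = """08/12/2020 10:16:09 AM
LogName=Security
EventCode=4625
ComputerName=WIN-DC01.example.local
Keywords=Audit Failure
Message=An account failed to log on.

Account For Which Logon Failed:
\tAccount Name:\t\tadministrator
\tAccount Domain:\t\tEXAMPLE

Network Information:
\tSource Network Address:\t203.0.113.7
"""
# Constructed sshd syslog lines from a Linux host.
SSHD_LINES = [
    "Aug 12 10:16:01 lnx-web01 sshd[2234]: Accepted publickey for jdoe from 10.0.0.5 port 50122 ssh2",
    "Aug 12 10:16:20 lnx-web01 sshd[2240]: Failed password for invalid user admin from 203.0.113.7 port 51301 ssh2",
]
WIN_LOGON_CODES = {"4624": "success", "4625": "failure"}
SSHD_RE = re.compile(r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) "
                     r"(?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")

def parse_winevent(raw):
    """Split a classic WinEventLog event into its Key=Value header and the named
    sections of the Message body (a sketch of the add-on's extractions, not its regexes)."""
    head, _, body = raw.partition("Message=")
    header = dict(ln.split("=", 1) for ln in head.splitlines() if "=" in ln)
    header["Message"], _, detail = body.partition("\n")
    section, sections = "", {"": {}}      # "" collects top-level fields such as Logon Type
    for line in detail.splitlines():
        name, sep, value = (p.strip() for p in line.partition(":"))
        if not sep:
            continue                      # blank or free-text line
        if line.startswith("\t"):
            sections.setdefault(section, {})[name] = value
        elif value:                       # top-level "Name:<tabs>value"
            section = ""
            sections[""][name] = value
        else:                             # "New Logon:" opens a new section
            section = name
            sections.setdefault(section, {})
    return header, sections

def normalize_windows(raw):
    """Map a 4624/4625 event onto CIM Authentication fields; other codes -> None.
    The user comes from New Logon / Account For Which Logon Failed, not from
    Subject, which is the account that requested the logon."""
    header, sections = parse_winevent(raw)
    code = header.get("EventCode")
    if code not in WIN_LOGON_CODES:
        return None
    who = sections.get("New Logon") or sections.get("Account For Which Logon Failed") or {}
    return {"action": WIN_LOGON_CODES[code], "user": who.get("Account Name", "unknown"),
            "src": sections.get("Network Information", {}).get("Source Network Address", "unknown"),
            "dest": header.get("ComputerName", "unknown"), "signature_id": code}

def normalize_sshd(line):
    """Map an sshd Accepted/Failed line onto the same CIM Authentication fields."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {"action": "success" if m["result"] == "Accepted" else "failure", "user": m["user"],
            "src": m["src"], "dest": m["host"], "signature_id": f"sshd_{m['result'].lower()}_{m['method']}"}

def normalize_all():
    events = [normalize_windows(WIN_4624), normalize_windows(WIN_4625)]
    events += [normalize_sshd(line) for line in SSHD_LINES]
    return [e for e in events if e is not None]   # drop events that did not parse

def failed_logons_by_src(events, threshold=2):
    """The cross-platform question the shared fields make answerable in one search:
    which sources failed authentication at least `threshold` times, on any OS."""
    counts = Counter(e["src"] for e in events if e["action"] == "failure")
    return {src: n for src, n in counts.items() if n >= threshold}
```

Run `failed_logons_by_src(normalize_all())` to see the single source that failed against both the Windows domain controller and the Linux host. The point of the sketch is the shape of the output, not the parsing: once `action`, `user`, `src` and `dest` carry the same meaning for every OS, the search logic no longer needs to know which log format it came from, and that shared shape is what the add-on's CIM-compatible knowledge objects give you without months of regex work.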


Path Finder

Wonderfully explained @SloshBurch. I would just want to suggest a minor edit. Windows 5.0.1 and above don't have prebuilt panels available in the package anymore.


Ultra Champion

Well I'll be... Great catch and thank you! I'll remove it from the answer and send you some delicious karma points for your help!
