From looking at the available apps, I see that this app is only available for Splunk Enterprise 5.x. I have a Windows Server 2008 installed and want to get the events fed into Splunk in syslog format, but more importantly I want some assistance with figuring out what the event logs are telling me. I don't want an app to monitor my Windows servers, as I only have one server, but I do want an app that can help me figure out what the Windows event logs are indicating. We have installed the Universal Forwarder on our Windows server, but this only forwards the events and does nothing with formatting, so the logs look like 3 lines of info per event and are not any more intuitive than reviewing them manually.
ChrisG, that is not an answer to his question, but it is in line with the answers I always seem to get from Splunk, which invariably are links to documents I've already read that don't answer my question.
That's kind of a fair comment, and I apologize for what must have been a very hasty original answer on my part.
Pointing to the newer Splunk Add-on for Microsoft Windows is a partial answer to the question: that is the add-on that is compatible with Splunk Enterprise 6 and will normalize Windows events to the Common Information Model. It collects CPU, disk, I/O, memory, log, configuration, and user data. If you are looking for an app that helps you understand and interpret those events, that's the Splunk App for Windows Infrastructure.
If the question is about what information Windows event logs contain and how to understand Windows events, there are a lot of good resources available on the web.
Did you have a specific follow-up question that the community can help you with?
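To make concrete what "normalize Windows events to the Common Information Model" means in practice, here is an added example that is not code from this thread and not Splunk's own add-on: a small Python normaliser that takes a raw multi-line Windows Security event, in the Key=Value plus indented "Key:<tab>Value" layout a Universal Forwarder ships, and maps it onto CIM Authentication data model field names (user, src, dest, action, signature_id). The sample event, the host name and the event-code-to-action table are constructed for this example.

```python
"""
Added example (not from the original thread or from Splunk): normalise a
raw Windows Security event into CIM Authentication style fields. The
sample event and host names below are constructed for this example.
"""
import re

# Constructed sample of a Windows Security log event (EventCode 4624,
# successful logon) in the layout the Windows event log uses. Tabs are
# written as \t escapes so the indented body matches the real format.
SAMPLE_EVENT = """\
03/14/2014 10:15:22 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=WIN2008-EXAMPLE
TaskCategory=Logon
Keywords=Audit Success
Message=An account was successfully logged on.

Subject:
\tSecurity ID:\t\tNULL SID
\tAccount Name:\t\t-

New Logon:
\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1001
\tAccount Name:\t\tjdoe
\tAccount Domain:\t\tEXAMPLE

Logon Type:\t\t\t3

Network Information:
\tSource Network Address:\t10.0.0.25
\tSource Port:\t\t49152
"""

# 4624 and 4625 are the standard Windows logon success/failure codes;
# the mapping to a CIM "action" value is this example's own choice.
ACTION_BY_CODE = {"4624": "success", "4625": "failure"}

# Top-level header lines look like "EventCode=4624".
HEADER_RE = re.compile(r"^([A-Za-z]+)=(.*)$")
# Un-indented body lines that carry a value, e.g. "Logon Type:\t\t\t3".
BODY_KV_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")


def parse_header(raw):
    """Return the un-indented Key=Value lines (LogName, EventCode, ...)."""
    fields = {}
    for line in raw.splitlines():
        m = HEADER_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def parse_sections(raw):
    """Return {section: {key: value}} for the indented message body.

    A line without indentation that ends in ':' opens a section ("New Logon:");
    tab-indented lines under it are "Key:<tabs>Value" pairs. Un-indented
    "Key: Value" lines with no section (such as "Logon Type") go under "".
    """
    sections, current = {}, None
    for line in raw.splitlines():
        if not line.startswith("\t"):
            if line.endswith(":"):
                current = line[:-1]
                sections[current] = {}
            else:
                m = BODY_KV_RE.match(line)
                if m:
                    sections.setdefault("", {})[m.group(1).strip()] = m.group(2).strip()
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition(":")
        sections[current][key.strip()] = value.strip()
    return sections


def normalize(raw):
    """Map one raw Windows Security event onto CIM Authentication field names."""
    header = parse_header(raw)
    sections = parse_sections(raw)
    logon = sections.get("New Logon", {})
    net = sections.get("Network Information", {})
    code = header.get("EventCode", "")
    return {
        "signature_id": code,
        "action": ACTION_BY_CODE.get(code, "unknown"),
        "user": logon.get("Account Name", "unknown"),
        "user_domain": logon.get("Account Domain", "unknown"),
        "src": net.get("Source Network Address", "unknown"),
        "dest": header.get("ComputerName", "unknown"),
        "logon_type": sections.get("", {}).get("Logon Type", "unknown"),
    }


if __name__ == "__main__":
    for k, v in normalize(SAMPLE_EVENT).items():
        print(f"{k}={v}")
```

Once events carry fields like these, a search over failed logons per source address or per user becomes a one-line question instead of a scroll through three-line raw events, which is the kind of value the add-on's CIM mapping is meant to provide.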
Thanks for the update on this. There doesn't seem to be any documentation associated with the Add-on. Most people asking questions here are looking for answers on how to get value from importing their Windows logs into Splunk. Most Windows admins know what the events are or how to find information on them on the web. The question again is how to get value out of Splunk when it comes to Windows. Windows-centric log managers, of which there are plenty, provide a great deal of analysis of the logged data. I think that is the point that plj3736 was making. Why use Splunk if all it does is collect my logs, when it doesn't seem to give me anything more than an archive?
I've been searching for answers to issues I'm experiencing with the Splunk Application for Windows Infrastructure and the volume of indexing that is generated by Windows event logs. Based on the thousands of views on questions on Splunk and Windows (with no votes and rarely a real answer, by the way), it would appear that I'm not the only one with lots of questions. You would think that with the volume of interest on the subject the Splunk Documentation, Development and Support groups would take interest. From what I've viewed and experienced with a support agreement, that doesn't seem to be the case. From this experience, I suggest that anyone interested in managing Windows logs look for another solution from a vendor that has a real interest in supporting the Windows platform.
If it is possible to find useful answers to Splunk Windows support and configuration I would love to learn how to find it. I've found Google less than useful in this matter because of the volume of out of date references to older versions and apps.
I have yet to find any current, comprehensive documentation on tuning the Splunk Application for Windows Infrastructure, the TA for Windows or the Windows Universal Forwarder.
This question viewed by 1.4k users has an answer which links to http://docs.splunk.com/Documentation/WindowsApp/latest/User/InstalltheSplunkTechnologyAdd-onforWindo... (which doesn't exist)
I can tell you this: lots of Windows configurations are slightly different but not documented as such. For example, you'll almost always see Unix-style file paths in examples and documentation. Regex has some subtle differences, etc. Rest assured though, I've used Windows since 3.0 and I absolutely LOVE Splunk for Windows solutions.
You've nailed it there. To me Windows Splunk looks like a lazy port from Linux and it shows (keep looking for Cygwin). Splunk users and devs appear to be overwhelmingly *nix heads where "real men use the CLI", fully schooled in AWK, Perl, Python and grep.
I spent enough time on Solaris in the 80s and Linux in the 90s to recognize the patterns. Never a big fan of the reliance on Regex. Not really a fan of Windows, but it's paid the bills for the last 20 years. A lot of the fun comes from, "which of the 5 /local directories on which server are you talking about where I put my modified config file?" At least with a mainstream Linux distribution you can find fairly detailed Linux How-To docs for most things, and you haven't had to worry about dependencies for years with the different package managers. This experience is taking me back to the days when I'd have to build a custom kernel to fit what I needed, with the drivers I needed, into an old x286 box that only had 512k of memory, hand-tuning .rc scripts.
Boy, I haven't seen anyone reference IRC in a long time. I thought it was little more than a dark alley to be avoided anymore. If that's the place for useful Splunk answers, it explains why they are hard to find.
Fact remains, Splunk is the best thing since sliced bread for monitoring just about anything. That, and the OP of this question didn't use a single question mark, so it's difficult to know where to begin to answer them.