
Splunk app for Windows infrastructure


I have installed the Windows infrastructure app on a Splunk search head (which is a server).

The app requires multiple indexes (msad, perfmon, wineventlog), and all indexes are receiving data except for msad.


This is my inputs.conf file:



# Copyright (C) 2019 Splunk Inc. All Rights Reserved.
# Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
# To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
# into ../local and edit there.

###### OS Logs ######
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index= wineventlog

disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
index= wineventlog

disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index= wineventlog

###### Forwarded WinEventLogs (WEF) ######
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
## The addon supports only XML format for the collection of WinEventLogs using WEF, hence do not change the below renderXml parameter to false.
index= wineventlog

###### WinEventLog Inputs for Active Directory ######

## Application and Services Logs - DFS Replication
[WinEventLog://DFS Replication]
disabled = 0
index= wineventlog
## Application and Services Logs - Directory Service
[WinEventLog://Directory Service]
disabled = 0
index= wineventlog
## Application and Services Logs - File Replication Service
[WinEventLog://File Replication Service]
disabled = 0
index= wineventlog
## Application and Services Logs - Key Management Service
[WinEventLog://Key Management Service]
disabled = 0
index= wineventlog

###### WinEventLog Inputs for DNS ######
[WinEventLog://DNS Server]
index= wineventlog

###### DHCP ######
disabled = 0
whitelist = DhcpSrvLog*
crcSalt = <SOURCE>
sourcetype = DhcpSrvLog
index = windows

###### Windows Update Log ######
## Enable below stanza to get WindowsUpdate.log for Windows 8, Windows 8.1, Server 2008R2, Server 2012 and Server 2012R2
disabled = 0
sourcetype = WindowsUpdateLog
index = windows

## Enable below powershell and monitor stanzas to get WindowsUpdate.log for Windows 10 and Server 2016
## Below stanza will automatically generate WindowsUpdate.log daily
script = ."$SplunkHome\etc\apps\Splunk_TA_windows\bin\powershell\generate_windows_update_logs.ps1"
schedule = 0 */24 * * *
disabled = 0
index = windows

## Below stanza will monitor the generated WindowsUpdate.log in Windows 10 and Server 2016
disabled = 0
sourcetype = WindowsUpdateLog
index = windows

###### Monitor Inputs for Active Directory ######
index = msad

###### Monitor Inputs for DNS ######
index = msad

###### Scripted Input (See also wmi.conf)
disabled = 0
## Run once per hour
interval = 3600
sourcetype = Script:ListeningPorts

disabled = 0
## Run once per day
interval = 86400
sourcetype = Script:InstalledApps
index = windows

disabled = 0
## Run once per hour
interval = 3600
sourcetype = Script:TimesyncStatus
index = windows

disabled = 0
## Run once per hour
interval = 3600
sourcetype = Script:TimesyncConfiguration
index = windows

disabled = 0
## Run once per day
interval = 86400
sourcetype = Script:NetworkConfiguration
index = windows

###### Scripted/Powershell Mod inputs Active Directory ######

## Replication Information NT6
[script://.\bin\runpowershell.cmd nt6-repl-stat.ps1]
source = Powershell
sourcetype = MSAD:NT6:Replication
interval = 300
disabled = 0
index = msad
## Replication Information 2012r2 and 2016
script = & "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-repl-stats.ps1"
schedule = 0 */5 * ? * *
source = Powershell
sourcetype = MSAD:NT6:Replication
disabled = 0
index = msad
## Health and Topology Information NT6
[script://.\bin\runpowershell.cmd nt6-health.ps1]
sourcetype = MSAD:NT6:Health
interval = 300
disabled = 0
index = msad
## Health and Topology Information 2012r2 and 2016
script = & "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-health.ps1"
schedule = 0 */5 * ? * *
source = Powershell
sourcetype = MSAD:NT6:Health
disabled = 0
index = msad
## Site, Site Link and Subnet Information NT6
[script://.\bin\runpowershell.cmd nt6-siteinfo.ps1]
source = Powershell
sourcetype = MSAD:NT6:SiteInfo
interval = 3600
disabled = 0
index = msad
## Site, Site Link and Subnet Information 2012r2 and 2016
script = & "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-siteinfo.ps1"
schedule = 0 15 * ? * *
source = Powershell
sourcetype = MSAD:NT6:SiteInfo
disabled = 0
index = msad

##### Scripted Inputs for DNS #####

## DNS Zone Information Collection
[script://.\bin\runpowershell.cmd dns-zoneinfo.ps1]
source = Powershell
sourcetype = MSAD:NT6:DNS-Zone-Information
interval = 3600
disabled = 0
index = msad
## DNS Health Information Collection
[script://.\bin\runpowershell.cmd dns-health.ps1]
source = Powershell
sourcetype = MSAD:NT6:DNS-Health
interval = 3600
disabled = 0
index = msad

###### Host monitoring ######
interval = 600
disabled = 0
type = Computer
index = windows

interval = 600
disabled = 0
type = Process
index = windows

interval = 600
disabled = 0
type = Processor
index = windows

interval = 600
disabled = 0
type = NetworkAdapter
index = windows

interval = 600
disabled = 0
type = Service
index = windows

interval = 600
disabled = 0
type = OperatingSystem
index = windows

interval = 600
disabled = 0
type = Disk
index = windows

interval = 600
disabled = 0
type = Driver
index = windows

interval = 600
disabled = 0
type = Roles
index = windows

###### Print monitoring ######
type = printer
interval = 600
baseline = 1
disabled = 0
index = windows

type = driver
interval = 600
baseline = 1
disabled = 0
index = windows

type = port
interval = 600
baseline = 1
disabled = 0
index = windows

###### Network monitoring ######
direction = inbound
disabled = 0
index = windows

direction = outbound
disabled = 0
index = windows

###### Splunk 5.0+ Performance Counters ######
## CPU
disabled = 0
instances = *
interval = 10
mode = single
object = Processor
index = perfmon

## Logical Disk
disabled = 0
instances = *
interval = 10
mode = single
object = LogicalDisk
index = perfmon

## Physical Disk
disabled = 0
instances = *
interval = 10
mode = single
object = PhysicalDisk
index = perfmon

## Memory
disabled = 0
interval = 10
mode = single
object = Memory
index = perfmon

## Network
disabled = 0
instances = *
interval = 10
mode = single
object = Network Interface
index = perfmon

## Process
disabled = 0
instances = *
interval = 10
mode = single
object = Process
useEnglishOnly = true
index = perfmon

## ProcessInformation
counters = % Processor Time; Processor Frequency
disabled = 0
instances = *
interval = 10
mode = single
object = Processor Information
useEnglishOnly = true
index = perfmon

## System
disabled = 0
instances = *
interval = 10
mode = single
object = System
useEnglishOnly = true
index = perfmon

###### Perfmon Inputs from TA-AD/TA-DNS ######
instances = *
interval = 10
disabled = 0
mode = single
useEnglishOnly = true
index = perfmon
object = Network Interface
instances = *
interval = 10
disabled = 0
mode = single
useEnglishOnly = true
index = perfmon
object = DFS Replicated Folders
instances = *
interval = 30
disabled = 0
mode = single
useEnglishOnly = true
index = perfmon
object = NTDS 
interval = 10
disabled = 0
mode = single
useEnglishOnly = true
index = perfmon

object = DNS
counters = Total Query Received; Total Query Received/sec; UDP Query 
interval = 10
disabled = 0
mode = single
useEnglishOnly = true
index = perfmon

disabled = 0
monitorSubtree = 1
index = perfmon

disabled = 0
hive = .*
proc = .*
type = rename|set|delete|create
index = perfmon

disabled = 0
hive = \\REGISTRY\\USER\\.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
index = perfmon

disabled = 0
hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
index = perfmon






Thank you for sharing.  Do you have a question?

If this reply helps you, Karma would be appreciated.


My question is: how do I get the msad index to receive data?
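In the posted file, the only stanzas that write to msad are the Active Directory/DNS monitor inputs and the MSAD PowerShell scripted inputs, and those collect only on the host where the add-on actually runs. A first triage step is therefore to list which stanzas target msad and whether any of them is disabled. The pasted file has also lost most of its [stanza] headers, which matters because Splunk attaches header-less settings to the previous stanza and keeps the last value of a repeated key. The script below is an added example for this thread, not Splunk's or the add-on's code: it parses an inputs.conf, groups stanzas by index, and flags settings that appear before any header or keys repeated within one stanza. The sample conf it runs on is constructed; its stanza names are illustrative, with `admon://` being Splunk's Active Directory monitoring input type.

```python
"""Triage helper for a Splunk inputs.conf: which stanzas feed an index,
which of them are disabled, and where the file looks damaged.

Added example, not Splunk's or the add-on's code. Relies only on the
inputs.conf syntax ([stanza] headers, key = value lines, # comments) and
on two Splunk defaults: no `disabled` key means enabled, no `index` key
means `main`. The sample conf at the bottom is constructed.
"""
import re
from collections import defaultdict

STANZA_RE = re.compile(r"^\[(.+)\]$")
KV_RE = re.compile(r"^([^=#\s][^=]*?)\s*=\s*(.*)$")
TRUE_WORDS = {"1", "true", "t", "yes", "y"}


def parse_inputs_conf(text):
    """Return (stanzas, orphans, duplicates).

    stanzas:    [(header, {key: value})] in file order
    orphans:    [(line_no, key, value)] for settings before any header
    duplicates: [(line_no, header, key)] for a key set twice in one stanza
    Both anomalies are what a header lost in copy/paste looks like to
    Splunk: the keys land in the previous stanza and the last value wins.
    """
    stanzas, orphans, duplicates = [], [], []
    current = None
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = STANZA_RE.match(line)
        if header:
            current = (header.group(1), {})
            stanzas.append(current)
            continue
        kv = KV_RE.match(line)
        if not kv:
            continue  # stray text, not a setting
        key, value = kv.group(1).strip(), kv.group(2).strip()
        if current is None:
            orphans.append((line_no, key, value))
            continue
        if key in current[1]:
            duplicates.append((line_no, current[0], key))
        current[1][key] = value  # Splunk keeps the last assignment
    return stanzas, orphans, duplicates


def is_enabled(settings):
    """`disabled` defaults to false; Splunk accepts several boolean spellings."""
    return settings.get("disabled", "0").strip().lower() not in TRUE_WORDS


def inputs_by_index(stanzas, default_index="main"):
    """Map index name -> [(header, enabled)] for every stanza."""
    by_index = defaultdict(list)
    for header, settings in stanzas:
        by_index[settings.get("index", default_index)].append((header, is_enabled(settings)))
    return dict(by_index)


def report(text, index):
    """Summarise what feeds `index` and how healthy the file looks."""
    stanzas, orphans, duplicates = parse_inputs_conf(text)
    inputs = inputs_by_index(stanzas).get(index, [])
    return {
        "index": index,
        "enabled": sorted(h for h, on in inputs if on),
        "disabled": sorted(h for h, on in inputs if not on),
        "orphan_settings": len(orphans),
        "duplicate_keys": [(h, k) for _, h, k in duplicates],
    }


# Constructed sample modelled on the add-on's layout; stanza names are
# illustrative. The first stanza's header and the DHCP monitor's header
# are deliberately missing to show what the checks report.
SAMPLE_CONF = """\
disabled = 0
index = wineventlog

[WinEventLog://Key Management Service]
disabled = 0
index = wineventlog
disabled = 0
whitelist = DhcpSrvLog*
index = windows

[admon://default]
disabled = 1
index = msad

[script://.\\bin\\runpowershell.cmd nt6-health.ps1]
sourcetype = MSAD:NT6:Health
interval = 300
disabled = 0
index = msad

[perfmon://NTDS]
object = NTDS
interval = 10
index = perfmon
"""

if __name__ == "__main__":
    for key, value in report(SAMPLE_CONF, "msad").items():
        print(f"{key:16} {value}")
```

Run it against the real file with `report(open(path).read(), "msad")` on the host where the add-on is deployed (a forwarder on a domain controller, not the search head, for the AD inputs). In the sample the header-less DHCP settings are swallowed by the Key Management Service stanza, which consequently ends up routed to the windows index; the same thing happens to any real inputs.conf whose headers were lost.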
