Knowledge Management

What datamodel is "windows" tag belong

jadengoho
Builder

I always saw these "OS" and "Windows" tags on the eventtypes.conf and tags.conf.
It's on the production environment and splunkbase applications even we're only using default Splunk CIM.
OS- can be part of Performance datamodel, how about windows ? What datamodel does it belongs ?

alt text

Labels (3)
Tags (2)
0 Karma
1 Solution

PavelP
Motivator

Hello @jadengoho

the tag "windows" doesn't belong to the default Splunk CIM and can be set by Splunk Add-on for Microsoft Windows, here is an excerpt from default/tags.conf:

###### Global Windows Eventtype ######

[eventtype=fs_notification]
endpoint = enabled
change = enabled

[eventtype=wineventlog_windows]
os = enabled
windows = enabled

[eventtype=wineventlog_application]
os = enabled
windows = enabled

[eventtype=wineventlog_system]
os = enabled
windows = enabled

[eventtype=wineventlog_security]
os = enabled
windows = enabled

[eventtype=perfmon_windows]
os = enabled
windows = enabled

[eventtype=perfmon_processorinformation]
process = enabled
report = enabled
performance = enabled
cpu = enabled

[eventtype=hostmon_windows]
os = enabled
windows = enabled

[eventtype=hostmon_os]
os = enabled
windows = enabled
memory = enabled
performance = enabled
oshost = enabled

you can run btool command to find out which add-on sets this tag:

splunk btool tags list --debug

View solution in original post

0 Karma

PavelP
Motivator

Hello @jadengoho

the tag "windows" doesn't belong to the default Splunk CIM and can be set by Splunk Add-on for Microsoft Windows, here is an excerpt from default/tags.conf:

###### Global Windows Eventtype ######

[eventtype=fs_notification]
endpoint = enabled
change = enabled

[eventtype=wineventlog_windows]
os = enabled
windows = enabled

[eventtype=wineventlog_application]
os = enabled
windows = enabled

[eventtype=wineventlog_system]
os = enabled
windows = enabled

[eventtype=wineventlog_security]
os = enabled
windows = enabled

[eventtype=perfmon_windows]
os = enabled
windows = enabled

[eventtype=perfmon_processorinformation]
process = enabled
report = enabled
performance = enabled
cpu = enabled

[eventtype=hostmon_windows]
os = enabled
windows = enabled

[eventtype=hostmon_os]
os = enabled
windows = enabled
memory = enabled
performance = enabled
oshost = enabled

you can run btool command to find out which add-on sets this tag:

splunk btool tags list --debug
0 Karma

jadengoho
Builder

Hi @PavelP what's the purpose of this tag if it doesn't belong to any datamodel ?

0 Karma

PavelP
Motivator

@jadengoho
tags are not exclusive for data models and used generally to assign names to specific field and value combinations, so if you search for tag=windows or tag::windows you get windows-related (coming from) events.

https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/Abouttagsandaliases

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...