I agree with the comments so far. I just want to expand just a little more.
Install the Universal Forwarder on the target Windows machines.
Install the Windows app and see how much mileage that gets you in monitoring the rest; also look at the Exchange and SQL apps as well.
Browse the aforementioned apps' directory structure and explore such things as the inputs and savedsearches .conf files to see how all this is working behind the scenes. Feel free to copy and paste these searches into the search bar and modify/tweak them to gain additional insights into your data.
For more fine tuning, consider this:
- The application inputs (SQL, IIS, Exchange, etc.) can get really chatty... that's both good and bad. Here is my suggestion on this:
Create a test-msft index and send your data from a couple of servers to that index for a couple of days. What you are looking for is what data is mere noise vs insights. You create a test index so that once you get the data you like coming in, you point it to either your default index or another index; afterwards, delete the test index. (this is a common practice for me)
Install the Deployment Monitor and the SoS apps to monitor what you will be doing next.
Grooming your data:
This will be done using the inputs.conf file on each forwarder. Here's the link: http://docs.splunk.com/Documentation/Splunk/5.0.3/admin/Inputsconf
If you feel the need to throttle the amount of data being indexed, add information to the "whitelist" and "blacklist" settings. This restricts/allows what data will be forwarded to the indexer.
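As an added illustration (not part of the post above), here is what the test-index plus whitelist/blacklist approach looks like in a forwarder's inputs.conf. The IIS log path, the `test-msft` index and the `W3SVC2` site folder are assumptions for the example.

```ini
# Added example, not from the original post: a monitor stanza on a Windows
# Universal Forwarder. Paths and the site folder name are assumptions.
[monitor://C:\inetpub\logs\LogFiles]
index = test-msft
sourcetype = iis
recursive = true
# whitelist/blacklist are regular expressions matched against the full file
# path; a file must match the whitelist and must not match the blacklist to be
# forwarded. Backslashes in Windows paths are escaped as \\ in the regex.
whitelist = \.log$
blacklist = \\W3SVC2\\|_old\.log$
disabled = 0
```

Once a few days of data in test-msft show what is noise and what is useful, tighten the two regexes and change `index` to the production index, then delete the test index as described above.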