Data requirements for the Content Pack for Monitoring Microsoft Windows

The IT Service Intelligence (ITSI) Content Pack for Monitoring Microsoft Windows requires that you install the Splunk Add-on for Windows and configure it to collect and send data to your deployment.

Note: While configuring the Splunk Add-on for Windows, use metrics-based indexes. Event indexes are also supported.

Prerequisite

Install a universal forwarder or heavy forwarder on any host that you want to send data to your ITSI or ITE Work deployment. See About forwarding and receiving in the Splunk Enterprise Forwarding Data manual to learn how to install and configure forwarders.

Create indexes

The Content Pack for Monitoring Microsoft Windows requires the following 2 indexes for indexing and showing the event data coming from the Splunk Add-on for Windows:

  • perfmon (required if performance monitoring data is ingested in events index)
  • windows

For instructions to create indexes in Splunk Enterprise, see Create events indexes. For Splunk Cloud, contact Splunk Support to set up, manage, and maintain your cloud index parameters. See Manage Splunk Cloud Platform indexes.

Configure the inputs.conf file for Windows OS performance collection

To allow centralized management of multiple forwarders, create a custom app and use a deployment server or another management solution.

Once you deploy the inputs.conf file to one or more Windows servers, use the Search and Reporting app to confirm that your hosts are receiving data.

These steps are required for all Windows servers you monitor.

Configure the add-on to collect metrics data with custom sourcetype and send to your Splunk deployment

Note: WinHostMon data is ingested in the events index. The Splunk Add-on for Windows doesn't provide a metrics version of that source.
  1. Download the Splunk Add-on for Windows from Splunkbase.
  2. From a command shell, place the add-on in the $SPLUNK_HOME/etc/apps directory.
  3. Create an inputs.conf file in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/. If this file already exists, merge the stanzas in the next step.
  4. Paste the following stanzas into the configuration file to generate the KPIs for the content pack:
[WinHostMon://Processor]
interval = 600
disabled = 0
type = Processor
index = windows

[WinHostMon://OperatingSystem]
interval = 600
disabled = 0
type = OperatingSystem
index = windows

[WinHostMon://Disk]
interval = 600
disabled = 0
type = Disk
index = windows

[perfmon://CPU]
counters=% C1 Time;% C2 Time;% Idle Time;% Processor Time;% User Time;% Reserved Time;% Interrupt Time;% Privileged Time; Interrupts/sec;
instances=*
object=Processor
mode=single
index=itsi_im_metrics
interval=60
sourcetype=PerfmonMetrics:CPU
disabled=false

[perfmon://LogicalDisk]
counters=Free Megabytes;% Free Space; Avg. Disk sec/Transfer
instances=*
object=LogicalDisk
mode=single
index=itsi_im_metrics
interval=60
sourcetype=PerfmonMetrics:LogicalDisk
disabled=false

[perfmon://Memory]
counters=Cache Bytes;% Committed Bytes In Use;Page Reads/sec;Pages Input/sec;Pages Output/sec;Committed Bytes;Available Bytes; Available MBytes
object=Memory
mode=single
index=itsi_im_metrics
interval=60
sourcetype=PerfmonMetrics:Memory
disabled=false

[perfmon://Network]
counters=Bytes Received/sec;Bytes Sent/sec;Packets Received/sec;Packets Sent/sec;Packets Received Errors;Packets Outbound Errors;Current Bandwidth
instances=*
object=Network Interface
mode=single
index=itsi_im_metrics
interval=60
sourcetype=PerfmonMetrics:Network
disabled=false

[perfmon://PhysicalDisk]
counters=% Disk Read Time;% Disk Write Time;Avg. Disk Queue Length;% Idle Time; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write
instances=*
object=PhysicalDisk
mode=single
index=itsi_im_metrics
interval=60
sourcetype=PerfmonMetrics:PhysicalDisk
disabled=false

[perfmon://Process]
counters=% Processor Time;% User Time;% Privileged Time;Elapsed Time;ID Process;Virtual Bytes;Working Set;Private Bytes;IO Read Bytes/sec;IO Write Bytes/sec;
instances=*
object=Process
mode=single
index=itsi_im_metrics
interval=60
sourcetype=PerfmonMetrics:Process
disabled=false

[perfmon://System]
counters = Processor Queue Length;Threads;System Up Time
instances = *
object = System
mode = single
index = itsi_im_metrics
interval = 60
sourcetype = PerfmonMetrics:System
disabled = false

Configure the add-on to collect metrics data with default sourcetype and send to your Splunk deployment

Note: WinHostMon data is ingested in the events index. The Splunk Add-on for Windows doesn't provide a metrics version of that source.
  1. Download the Splunk Add-on for Windows from Splunkbase.
  2. From a command shell, place the add-on in the $SPLUNK_HOME/etc/apps directory.
  3. Create an inputs.conf file in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/. If this file already exists, merge the stanzas in the next step.
  4. Paste the following stanzas into the configuration file to generate the KPIs for the content pack:
[WinHostMon://Processor]
interval = 600
disabled = 0
type = Processor
index = windows

[WinHostMon://OperatingSystem]
interval = 600
disabled = 0
type = OperatingSystem
index = windows

[WinHostMon://Disk]
interval = 600
disabled = 0
type = Disk
index = windows

[perfmon://CPU]
counters=% C1 Time;% C2 Time;% Idle Time;% Processor Time;% User Time;% Reserved Time;% Interrupt Time;% Privileged Time; Interrupts/sec;
instances=*
object=Processor
mode=single
index=itsi_im_metrics
interval=60
disabled=false

[perfmon://LogicalDisk]
counters=Free Megabytes;% Free Space; Avg. Disk sec/Transfer
instances=*
object=LogicalDisk
mode=single
index=itsi_im_metrics
interval=60
disabled=false

[perfmon://Memory]
counters=Cache Bytes;% Committed Bytes In Use;Page Reads/sec;Pages Input/sec;Pages Output/sec;Committed Bytes;Available Bytes; Available MBytes
object=Memory
mode=single
index=itsi_im_metrics
interval=60
disabled=false

[perfmon://Network]
counters=Bytes Received/sec;Bytes Sent/sec;Packets Received/sec;Packets Sent/sec;Packets Received Errors;Packets Outbound Errors;Current Bandwidth
instances=*
object=Network Interface
mode=single
index=itsi_im_metrics
interval=60
disabled=false

[perfmon://PhysicalDisk]
counters=% Disk Read Time;% Disk Write Time;Avg. Disk Queue Length;% Idle Time; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write
instances=*
object=PhysicalDisk
mode=single
index=itsi_im_metrics
interval=60
disabled=false

[perfmon://Process]
counters=% Processor Time;% User Time;% Privileged Time;Elapsed Time;ID Process;Virtual Bytes;Working Set;Private Bytes;IO Read Bytes/sec;IO Write Bytes/sec;
instances=*
object=Process
mode=single
index=itsi_im_metrics
interval=60
disabled=false

[perfmon://System]
counters = Processor Queue Length;Threads;System Up Time
instances = *
object = System
mode = single
index = itsi_im_metrics
interval = 60
disabled = false

  5. You can also create your own custom metrics index and ingest the data in that index. Replace itsi_im_metrics with the name of your custom metrics index. For more information, see Create metrics indexes.

Configure the add-on to collect events data and send to your Splunk deployment

  1. Download the Splunk Add-on for Windows from Splunkbase.
  2. From a command shell, place the add-on in the $SPLUNK_HOME/etc/apps directory.
  3. Create an inputs.conf file in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/. If this file already exists, merge the stanzas in the next step.
  4. Paste the following stanzas into the configuration file to generate the KPIs for the content pack:
[WinHostMon://Processor]
interval = 600
disabled = 0
type = Processor
index = windows

[WinHostMon://OperatingSystem]
interval = 600
disabled = 0
type = OperatingSystem
index = windows

[WinHostMon://Disk]
interval = 600
disabled = 0
type = Disk
index = windows

[perfmon://CPU]
counters=% C1 Time;% C2 Time;% Idle Time;% Processor Time;% User Time;% Reserved Time;% Interrupt Time;% Privileged Time; Interrupts/sec;
instances=*
object=Processor
mode=single
index=perfmon
interval=60
disabled=false

[perfmon://LogicalDisk]
counters=Free Megabytes;% Free Space; Avg. Disk sec/Transfer
instances=*
object=LogicalDisk
mode=single
index=perfmon
interval=60
disabled=false

[perfmon://Memory]
counters=Cache Bytes;% Committed Bytes In Use;Page Reads/sec;Pages Input/sec;Pages Output/sec;Committed Bytes;Available Bytes; Available MBytes
object=Memory
mode=single
index=perfmon
interval=60
disabled=false

[perfmon://Network]
counters=Bytes Received/sec;Bytes Sent/sec;Packets Received/sec;Packets Sent/sec;Packets Received Errors;Packets Outbound Errors;Current Bandwidth
instances=*
object=Network Interface
mode=single
index=perfmon
interval=60
disabled=false

[perfmon://PhysicalDisk]
counters=% Disk Read Time;% Disk Write Time;Avg. Disk Queue Length;% Idle Time; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write
instances=*
object=PhysicalDisk
mode=single
index=perfmon
interval=60
disabled=false

[perfmon://Process]
counters=% Processor Time;% User Time;% Privileged Time;Elapsed Time;ID Process;Virtual Bytes;Working Set;Private Bytes;IO Read Bytes/sec;IO Write Bytes/sec;
instances=*
object=Process
mode=single
index=perfmon
interval=60
disabled=false

[perfmon://System]
counters = Processor Queue Length;Threads;System Up Time
instances = *
object = System
mode = single
index = perfmon
interval = 60
disabled = false
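
A pre-deployment lint for a merged inputs.conf, added here as an example and not part of the Splunk documentation or the add-on: it checks the file against the stanzas on this page (expected stanza names, required keys, disabled inputs, WinHostMon pointed at the metrics index, a PerfmonMetrics:* sourcetype pointed at the perfmon events index). The function name lint_inputs, its rules and the sample file are assumptions made for illustration; pass your own index names if you use a custom metrics index.

```python
import configparser

# Stanza names and required keys as they appear in the stanzas on this page.
EXPECTED = [f"WinHostMon://{n}" for n in ("Processor", "OperatingSystem", "Disk")] + [
    f"perfmon://{n}" for n in "CPU LogicalDisk Memory Network PhysicalDisk Process System".split()]
REQUIRED = {"perfmon": ("counters", "object", "index", "interval"),
            "WinHostMon": ("type", "index", "interval")}

def lint_inputs(text, metrics_index="itsi_im_metrics", events_index="perfmon"):
    """Return (stanza, problem) findings for the text of an inputs.conf file."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str  # keep key case; RawConfigParser does not interpolate '%'
    cp.read_string(text)
    found = [(s, "stanza missing") for s in EXPECTED if not cp.has_section(s)]
    for stanza in cp.sections():
        kind = stanza.split("://")[0]
        opts = dict(cp.items(stanza))
        found += [(stanza, "missing " + k) for k in REQUIRED.get(kind, ()) if not opts.get(k)]
        if opts.get("disabled", "0").lower() in ("1", "true"):
            found.append((stanza, "disabled"))
        index, st = opts.get("index"), opts.get("sourcetype", "")
        if kind == "WinHostMon" and index == metrics_index:
            found.append((stanza, "WinHostMon has no metrics form; use an events index"))
        if kind == "perfmon" and st.startswith("PerfmonMetrics:") and index == events_index:
            found.append((stanza, "metrics sourcetype sent to events index"))
    return found

# Constructed sample with deliberate mistakes (hypothetical file, not from the page).
SAMPLE = """\
[WinHostMon://Disk]
interval = 600
type = Disk
index = itsi_im_metrics

[perfmon://Memory]
counters=% Committed Bytes In Use;Available Bytes
object=Memory
index=perfmon
interval=60
sourcetype=PerfmonMetrics:Memory

[perfmon://System]
object = System
index = itsi_im_metrics
disabled = 1
"""

if __name__ == "__main__":
    print(*lint_inputs(SAMPLE), sep="\n")
```

Run it against the file in Splunk_TA_windows/local/ before pushing the app from the deployment server; an empty result means every stanza listed on this page is present, enabled and routed consistently with one of the three variants.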