Information - Icon Legend for this Guide:

= A toggle button to show steps, step details or explanation for the specific step.
= A toggle button to show more information about a specific step or section.
= A toggle button to show specific configuration settings for the specific step.
= A toggle button to show specific information, examples, on the step's results.
= An Action button to a popup window of a screenshot.
= An Action button to show a popup with more information about the specific item.
= An Action button to show a popup with important information that should be reviewed for verification of a setting or step.
Rerun Autocheck = An Action button to rerun the data and configuration searches.
= Link to external information.
= Information with tips or other details to consider for the specific task or step.
= Important information for the specific task or step.

Information - Messages for the Selected Choices:

# Message
1
  • Question: Is this the first time installing the MS Windows AD Objects application in this Splunk environment?
  • Message ($tok_h_state_input_1$):
2
  • Question: Splunk Environment Type?
  • Message ($tok_h_state_input_2$):
2.1
  • Question: Are all the Splunk Core Components (Search Head/Indexer) on a Single instance or Distributed Systems?
  • Message ($tok_h_state_input_3$):
3
  • Question: Is the Splunk Universal Forwarder already installed on all the target Windows systems?
  • Message ($tok_h_state_input_4$):
3.1
  • Question: Has the Splunk_TA_windows application been deployed to the target Windows systems?
  • Message ($tok_h_state_input_5$):
4
  • Question: Will you be using Splunk's Deployment Server or Manually deploying the Windows TAs to the target systems?
  • Message ($tok_h_state_input_6$):
4.1
  • Question: Is the Deployment Server already installed in your environment?
  • Message ($tok_h_state_input_7$):
5
  • Question: Will you be using a Splunk Heavy Forwarder?
  • Message ($tok_h_state_input_8$):
5.1
  • Question: Is the Splunk Heavy Forwarder already installed?
  • Message ($tok_h_state_input_9$):
5.2
  • Question: Is the Splunk_TA_windows already installed on Splunk Heavy Forwarder?
  • Message ($tok_h_state_input_10$):

Question (1) - Is this your first time installing the MS Windows AD Objects application in this Splunk environment?

  • MS Windows Upgrade Information
    • The universal forwarder is a dedicated, streamlined version of Splunk Enterprise that contains only the essential components needed to forward data.
    • The universal forwarder does not support python and does not expose a UI. In most situations, the universal forwarder is the best way to forward data to indexers.
    • Its main limitation is that it forwards unparsed data, except in certain cases, such as structured data.

Question (2) - Verify your Splunk Environment Type?

  • Universal Forwarder.
    • The universal forwarder is a dedicated, streamlined version of Splunk Enterprise that contains only the essential components needed to forward data.
    • The universal forwarder does not support python and does not expose a UI. In most situations, the universal forwarder is the best way to forward data to indexers.
    • Its main limitation is that it forwards unparsed data, except in certain cases, such as structured data.

Question (2.1) - Are all the Splunk Enterprise Components (Search Head/Indexer) on a Single instance or Distributed Systems?

  • Universal Forwarder.
    • The universal forwarder is a dedicated, streamlined version of Splunk Enterprise that contains only the essential components needed to forward data.
    • The universal forwarder does not support python and does not expose a UI. In most situations, the universal forwarder is the best way to forward data to indexers.
    • Its main limitation is that it forwards unparsed data, except in certain cases, such as structured data.

Question (3) - Is the Splunk Universal Forwarder already installed on all the target Windows systems?

Question Details: This question is asking whether you have already deployed the Splunk Universal Forwarder to all of the Target Systems. If the answer is Yes, the Preparation Task that walks through the installation of the Splunk Universal Forwarder will not be shown.

Descriptions of the different types of Forwarders:

  • Universal Forwarder Description:
    • The universal forwarder is a dedicated, streamlined version of Splunk Enterprise that contains only the essential components needed to forward data.
    • The universal forwarder does not support python and does not expose a UI. In most situations, the universal forwarder is the best way to forward data to indexers.
    • Its main limitation is that it forwards unparsed data, except in certain cases, such as structured data.
  • Heavy Forwarder Description:
    • A type of forwarder, which is a Splunk Enterprise instance that sends data to another Splunk Enterprise instance or to a third-party system.
    • A heavy forwarder has a smaller footprint than a Splunk Enterprise indexer but retains most of the capabilities of an indexer. An exception is that it cannot perform distributed searches. You can disable some services, such as Splunk Web, to further reduce its footprint size.
    • Unlike other forwarder types, a heavy forwarder parses data before forwarding it and can route data based on criteria such as source or type of event. It can also index data locally while forwarding the data to another indexer.
    • In most situations, the universal forwarder is the best way to forward data to indexers. Its main limitation is that it forwards only unparsed data, except in certain cases, such as structured data. You must use a heavy forwarder to route data based on event contents.
  • Splunk Gateway Forwarder Description:
    • A forwarder that accepts data from other forwarders and sends the data to a Splunk deployment. If you are forwarding data to Splunk Cloud, you can use a gateway forwarder to minimize the number of ports you must open in your corporate firewall. If you want to anonymize data before sending it to your Splunk deployment, this configuration enables you to create a single point at which all anonymization occurs.
    • For more information, see "Minimize open ports for Splunk Cloud" in the Splunk Universal Forwarder manual (http://docs.splunk.com/Documentation/Forwarder/8.0.4/Forwarder/Forwarderdeploymenttopologies#Minimize_open_ports_for_Splunk_Cloud)

Question (3.1) - Has the Splunk_TA_windows application been deployed to the target Windows systems?

  • Universal Forwarder.
    • The universal forwarder is a dedicated, streamlined version of Splunk Enterprise that contains only the essential components needed to forward data.
    • The universal forwarder does not support python and does not expose a UI. In most situations, the universal forwarder is the best way to forward data to indexers.
    • Its main limitation is that it forwards unparsed data, except in certain cases, such as structured data.

Question (4) - Will you be using Splunk's Deployment Server or Manually deploying the Windows TAs to the target systems?

Deployment Server architecture

Key elements of the architecture

A deployment server is a Splunk Enterprise instance that acts as a centralized configuration manager for any number of other instances, called "deployment clients". Any full Splunk Enterprise instance - even one indexing data locally - can act as a deployment server. A deployment server cannot be a client of itself.

A deployment client is a Splunk instance remotely configured by a deployment server. Deployment clients can be universal forwarders, heavy forwarders, indexers, or search heads. Each deployment client belongs to one or more server classes.

A deployment app is a set of content (including configuration files) maintained on the deployment server and deployed as a unit to clients of a server class. A deployment app might consist of just a single configuration file, or it can consist of many files. Over time, an app can be updated with new content and then redeployed to its designated clients. The deployment app can be an existing Splunk Enterprise app or one developed solely to group some content for deployment purposes.

Note: The term "app" has a somewhat different meaning in the context of the deployment server from its meaning in the general Splunk Enterprise context. For more information on Splunk Enterprise apps in general, see "What are apps and add-ons?" in the Admin manual.

A server class is a group of deployment clients that share one or more defined characteristics. For example, you can group all Windows clients into one server class and all Linux clients into another server class. You use server classes to map a group of deployment clients to one or more deployment apps. By creating a server class, you are telling the deployment server that a specific set of clients should receive configuration updates in the form of a specific set of apps.

How it all fits together

This diagram provides a conceptual overview of the relationship between a deployment server and its set of deployment clients and server classes:

In this example, each deployment client is a Splunk Enterprise forwarder that belongs to two server classes, one for its OS and the other for its geographical location. The deployment server maintains the list of server classes and uses those server classes to determine what content to distribute to each client. For an example of how to implement this type of arrangement to govern the flow of content to clients, see "Deploy configurations to several forwarders".

For more information on deployment apps, see "Create deployment apps". For more information on server classes, see "About server classes". For more information on deployment clients, see "Configure deployment clients".

Summary of key terminology

Here's a recap of the key definitions:

  • deployment server: A Splunk Enterprise instance that acts as a centralized configuration manager. It deploys configuration updates to other instances. Also refers to the overall configuration update facility comprising deployment server, clients, and apps.
  • deployment client: A remotely configured Splunk Enterprise instance. It receives updates from the deployment server.
  • server class: A deployment configuration category shared by a group of deployment clients. A deployment client can belong to multiple server classes.
  • deployment app: A unit of content deployed to the members of one or more server classes.

You use a deployment server to distribute content and configurations (collectively called deployment apps) to deployment clients, grouped into server classes. Deployment apps can be full-fledged apps, such as those available on Splunkbase, or they can be just simple groups of configurations.
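As an added example (not part of this guide or of the MS Windows AD Objects app), the Python script below reads a constructed serverclass.conf and works out which deployment apps each deployment client would receive from the server classes it belongs to. It follows the Splunk rules in simplified form: `whitelist.<n>` and `blacklist.<n>` patterns use `*`/`?` wildcards, a blacklist match overrides any whitelist match, `machineTypesFilter` restricts the class to the client's reported platform, and a class with no whitelist matches nobody. Patterns are matched against the hostname only (Splunk also matches clientName, IP and DNS name). The host names, server class names, machine types and the dedicated `admon_single_dc` class are assumptions; the last one shows how a server class limits the admon TA to a single domain controller, which the admon input note later on this page requires.

```python
import configparser
import fnmatch
from collections import defaultdict

# Constructed serverclass.conf (assumption, not the app's own configuration).
# Every Windows client gets Splunk_TA_windows, hosts named dc* (except lab DCs)
# also get Splunk_TA_windows_dc, and exactly one DC gets the admon TA.
SERVERCLASS_CONF = """
[global]
restartSplunkd = true

[serverClass:windows_all]
whitelist.0 = *
machineTypesFilter = windows-x64, windows-x86
[serverClass:windows_all:app:Splunk_TA_windows]

[serverClass:windows_dc]
whitelist.0 = dc*.corp.example
blacklist.0 = dc-lab*
[serverClass:windows_dc:app:Splunk_TA_windows]
[serverClass:windows_dc:app:Splunk_TA_windows_dc]

[serverClass:admon_single_dc]
whitelist.0 = dc01.corp.example
[serverClass:admon_single_dc:app:Splunk_TA_windows_admon]
"""

# Constructed deployment clients: hostname -> machine type as the client reports it.
CLIENTS = {
    "dc01.corp.example": "windows-x64",
    "dc02.corp.example": "windows-x64",
    "dc-lab01.corp.example": "windows-x64",
    "fs01.corp.example": "windows-x64",
    "lnx01.corp.example": "linux-x86_64",
}


def load_server_classes(text):
    """Parse serverclass.conf into {class_name: {whitelist, blacklist, machine_types, apps}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (whitelist.0, machineTypesFilter)
    cp.read_string(text)
    classes = defaultdict(lambda: {"whitelist": [], "blacklist": [], "machine_types": None, "apps": []})
    for section in cp.sections():
        parts = section.split(":")
        if parts[0] != "serverClass":
            continue  # [global] and other non-class stanzas
        sc = classes[parts[1]]
        if len(parts) == 4 and parts[2] == "app":
            sc["apps"].append(parts[3])  # [serverClass:<name>:app:<app>]
            continue
        for key, value in cp.items(section):
            if key.startswith("whitelist."):
                sc["whitelist"].append(value.strip())
            elif key.startswith("blacklist."):
                sc["blacklist"].append(value.strip())
            elif key == "machineTypesFilter":
                sc["machine_types"] = [m.strip() for m in value.split(",")]
    return dict(classes)


def _matches_any(patterns, value):
    # Wildcard patterns, compared case-insensitively.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def client_matches(sc, hostname, machine_type):
    """Simplified Splunk filtering: machine type filter first, then blacklist beats whitelist."""
    if sc["machine_types"] and not _matches_any(sc["machine_types"], machine_type):
        return False
    if _matches_any(sc["blacklist"], hostname):
        return False
    return _matches_any(sc["whitelist"], hostname)  # no whitelist -> nobody matches


def apps_for_clients(classes, clients):
    """Return {hostname: sorted list of apps the deployment server would push to it}."""
    result = {}
    for host, machine_type in clients.items():
        apps = set()
        for sc in classes.values():
            if client_matches(sc, host, machine_type):
                apps.update(sc["apps"])
        result[host] = sorted(apps)
    return result


def hosts_with_app(assignments, app):
    """Hosts that would receive a given app; useful to confirm admon lands on one DC per domain."""
    return sorted(h for h, apps in assignments.items() if app in apps)


if __name__ == "__main__":
    assignments = apps_for_clients(load_server_classes(SERVERCLASS_CONF), CLIENTS)
    for host, apps in assignments.items():
        print(f"{host}: {', '.join(apps) or '(no apps)'}")
    print("admon hosts:", hosts_with_app(assignments, "Splunk_TA_windows_admon"))
```

Running it shows the Linux client receiving nothing (filtered out by `machineTypesFilter`), the lab DC receiving only the base TA because the blacklist wins, and the admon TA reaching only dc01. Checking `hosts_with_app` for the admon TA before pushing a serverclass change is a cheap way to catch the duplicate-DC mistake the admon note warns about.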
Question (4.1) - Is your Single Splunk instance also going to be your Deployment Server?

    • Universal Forwarder.
      • The universal forwarder is a dedicated, streamlined version of Splunk Enterprise that contains only the essential components needed to forward data.
      • The universal forwarder does not support python and does not expose a UI. In most situations, the universal forwarder is the best way to forward data to indexers.
      • Its main limitation is that it forwards unparsed data, except in certain cases, such as structured data.

    Question (4.1) - Is the Deployment Server already installed in your environment?

    • Universal Forwarder.
      • The universal forwarder is a dedicated, streamlined version of Splunk Enterprise that contains only the essential components needed to forward data.
      • The universal forwarder does not support python and does not expose a UI. In most situations, the universal forwarder is the best way to forward data to indexers.
      • Its main limitation is that it forwards unparsed data, except in certain cases, such as structured data.

    Question (4.2) - Is your Deployment Server also going to be your Splunk Heavy Forwarder?

    • Universal Forwarder.
      • The universal forwarder is a dedicated, streamlined version of Splunk Enterprise that contains only the essential components needed to forward data.
      • The universal forwarder does not support python and does not expose a UI. In most situations, the universal forwarder is the best way to forward data to indexers.
      • Its main limitation is that it forwards unparsed data, except in certain cases, such as structured data.

    Question (5) - Will you be using a Splunk Heavy Forwarder to send the Windows data to your Splunk Instance?

    Question Details: This question is asking whether you are going to use a Splunk Heavy Forwarder between your Splunk Universal Forwarders and the Splunk Indexers. This is commonly done either in Splunk Cloud environments, to limit the set of systems allowed to send data to the Splunk Cloud environment, or in Splunk Enterprise (On-Premise) environments where network paths between the different sites and the centralized Splunk Indexers are limited.

    Descriptions of the different types of Forwarders:

    • Heavy Forwarder Description:
      • A type of forwarder, which is a Splunk Enterprise instance that sends data to another Splunk Enterprise instance or to a third-party system.
      • A heavy forwarder has a smaller footprint than a Splunk Enterprise indexer but retains most of the capabilities of an indexer. An exception is that it cannot perform distributed searches. You can disable some services, such as Splunk Web, to further reduce its footprint size.
      • Unlike other forwarder types, a heavy forwarder parses data before forwarding it and can route data based on criteria such as source or type of event. It can also index data locally while forwarding the data to another indexer.
      • In most situations, the universal forwarder is the best way to forward data to indexers. Its main limitation is that it forwards only unparsed data, except in certain cases, such as structured data. You must use a heavy forwarder to route data based on event contents.
    • Splunk Gateway Forwarder Description:
      • A forwarder that accepts data from other forwarders and sends the data to a Splunk deployment. If you are forwarding data to Splunk Cloud, you can use a gateway forwarder to minimize the number of ports you must open in your corporate firewall. If you want to anonymize data before sending it to your Splunk deployment, this configuration enables you to create a single point at which all anonymization occurs.
      • For more information, see "Minimize open ports for Splunk Cloud" in the Splunk Universal Forwarder manual (http://docs.splunk.com/Documentation/Forwarder/8.0.4/Forwarder/Forwarderdeploymenttopologies#Minimize_open_ports_for_Splunk_Cloud)
    • Universal Forwarder.
      • The universal forwarder is a dedicated, streamlined version of Splunk Enterprise that contains only the essential components needed to forward data.
      • The universal forwarder does not support python and does not expose a UI. In most situations, the universal forwarder is the best way to forward data to indexers.
      • Its main limitation is that it forwards unparsed data, except in certain cases, such as structured data.

    Question (5.1) - Is the Splunk Heavy Forwarder already installed in your environment?

    • Universal Forwarder.
      • The universal forwarder is a dedicated, streamlined version of Splunk Enterprise that contains only the essential components needed to forward data.
      • The universal forwarder does not support python and does not expose a UI. In most situations, the universal forwarder is the best way to forward data to indexers.
      • Its main limitation is that it forwards unparsed data, except in certain cases, such as structured data.

    Question (5.2) - Is the Splunk_TA_windows already installed on the Splunk Heavy Forwarder?

    • Universal Forwarder.
      • The universal forwarder is a dedicated, streamlined version of Splunk Enterprise that contains only the essential components needed to forward data.
      • The universal forwarder does not support python and does not expose a UI. In most situations, the universal forwarder is the best way to forward data to indexers.
      • Its main limitation is that it forwards unparsed data, except in certain cases, such as structured data.

    Pre-Defined Inputs - Splunk_TA_windows_admon and Splunk_TA_windows_dc

    Below are the inputs for the two Pre-Defined Example TAs, \\Network Share\ms_ad_obj_ta_examples\Splunk_TA_windows_admon\... and Splunk_TA_windows_dc\...

    • Example TA: Splunk_TA_windows_admon
      • Active Directory (admon):
        • The baseline = 1 setting is required for the MS Windows AD Objects application
        • This TA, and subsequent admon input, should only be enabled on One designated Domain Controller or Domain Member Server Per AD Domain.
        • The index=msad will need to be adjusted if you have specified a different index than msad for your Active Directory data.
        [admon://default]
        disabled = 0
        monitorSubtree = 1
        baseline = 1
        index=msad
    • Example TA: Splunk_TA_windows_dc
      • Active Directory Inputs (AD WinEventLogs):
        • The index=wineventlog setting will need to be adjusted if you have specified a different index than wineventlog.
        ## Application and Services Logs - DFS Replication
        [WinEventLog://DFS Replication]
        disabled = 0
        renderXml=false
        index=wineventlog
         
        ## Application and Services Logs - Directory Service
        [WinEventLog://Directory Service]
        disabled = 0
        renderXml=false
        index=wineventlog
         
        ## Application and Services Logs - File Replication Service
        [WinEventLog://File Replication Service]
        disabled = 0
        renderXml=false
        index = wineventlog
         
        ## Application and Services Logs - Key Management Service
        [WinEventLog://Key Management Service]
        disabled = 0
        renderXml=false
        index = wineventlog
        
        ###### WinEventLog Inputs for DNS ######
        [WinEventLog://DNS Server]
        disabled=0
        renderXml=false
        index = wineventlog
      • Active Directory (Log Files and Scripts):
        • It is recommended that either the [script://.\bin\runpowershell.cmd nt6-health.ps1] or the [powershell://AD-Health] input is enabled (disabled = 0), depending on the Windows OS version of the targeted AD Domain Controller.
          • If you choose not to enable either of these inputs, you will need to manually enter your AD Domain details in the Completed part of this Getting Started wizard.
        • The index=msad setting will need to be adjusted if you have specified a different index than msad.
        ###### DHCP ######
        [monitor://$WINDIR\System32\DHCP]
        disabled = 0
        whitelist = DhcpSrvLog*
        crcSalt = <SOURCE>
        sourcetype = DhcpSrvLog
        index = msad
        
        ###### Monitor Inputs for Active Directory ######
        [monitor://$WINDIR\debug\netlogon.log]
        sourcetype=MSAD:NT6:Netlogon
        disabled=0
        index=msad
        
        ###### Monitor Inputs for DNS ######
        [MonitorNoHandle://$WINDIR\System32\Dns\dns.log]
        sourcetype=MSAD:NT6:DNS
        disabled=0
        index=msad
        
        ###### Scripted/Powershell Mod inputs Active Directory ######
        ## Replication Information NT6
        [script://.\bin\runpowershell.cmd nt6-repl-stat.ps1]
        source=Powershell
        sourcetype=MSAD:NT6:Replication
        interval=300
        disabled=1
        index=msad
         
        ## Replication Information 2012r2 and 2016
        [powershell://Replication-Stats]
        script = & "$SplunkHome\etc\apps\Splunk_TA_windows_dc\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-repl-stats.ps1"
        schedule = 0 */5 * ? * *
        source = Powershell
        sourcetype=MSAD:NT6:Replication
        disabled=0
        index=msad
         
        ## Health and Topology Information Windows (Version 2008)
        [script://.\bin\runpowershell.cmd nt6-health.ps1]
        source=Powershell
        sourcetype=MSAD:NT6:Health
        interval=300
        disabled=1
        index=msad
         
        ## Health and Topology Information Windows (Version 2012r2 and 2016)
        [powershell://AD-Health]
        script = & "$SplunkHome\etc\apps\Splunk_TA_windows_dc\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-health.ps1"
        schedule = 0 */5 * ? * *
        source=Powershell
        sourcetype=MSAD:NT6:Health
        disabled=0
        index=msad
        
        ## Site, Site Link and Subnet Information NT6
        [script://.\bin\runpowershell.cmd nt6-siteinfo.ps1]
        source=Powershell
        sourcetype=MSAD:NT6:SiteInfo
        interval=3600
        disabled=1
        index=msad
         
        ## Site, Site Link and Subnet Information 2012r2 and 2016
        [powershell://Siteinfo]
        script = & "$SplunkHome\etc\apps\Splunk_TA_windows_dc\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-siteinfo.ps1"
        schedule = 0 15 * ? * *
        source = Powershell
        sourcetype=MSAD:NT6:SiteInfo
        disabled=0
        index=msad
        
        ##### Scripted Inputs for DNS #####
        ## DNS Zone Information Collection
        [script://.\bin\runpowershell.cmd dns-zoneinfo.ps1]
        source=Powershell
        sourcetype=MSAD:NT6:DNS-Zone-Information
        interval=3600
        disabled=0
        index=msad
         
        ## DNS Health Information Collection
        [script://.\bin\runpowershell.cmd dns-health.ps1]
        source=Powershell
        sourcetype=MSAD:NT6:DNS-Health
        interval=3600
        disabled=0
        index=msad
      • Active Directory (Performance):
        • The index=perfmon setting will need to be adjusted if you have specified a different index than perfmon.
        ###### Perfmon Inputs from TA-AD/TA-DNS ######
        [perfmon://Processor]
        object = Processor
        counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
        instances = *
        interval = 60
        disabled = 0
        mode = single
        useEnglishOnly=true
        index=perfmon
         
        [perfmon://Network_Interface]
        object = Network Interface
        counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size 
        instances = *
        interval = 60
        disabled = 0
        mode = single
        useEnglishOnly=true
        index=perfmon
         
        [perfmon://DFS_Replicated_Folders]
        object = DFS Replicated Folders
        counters = Bandwidth Savings Using DFS Replication; RDC Bytes Received; RDC Compressed Size of Files Received; RDC Size of Files Received; RDC Number of Files Received; Compressed Size of Files Received; Size of Files Received; Total Files Received; Deleted Space In Use; Deleted Bytes Cleaned up; Deleted Files Cleaned up; Deleted Bytes Generated; Deleted Files Generated; Updates Dropped; File Installs Retried; File Installs Succeeded; Conflict Folder Cleanups Completed; Conflict Space In Use; Conflict Bytes Cleaned up; Conflict Files Cleaned up; Conflict Bytes Generated; Conflict Files Generated; Staging Space In Use; Staging Bytes Cleaned up; Staging Files Cleaned up; Staging Bytes Generated; Staging Files Generated
        instances = *
        interval = 30
        disabled = 0
        mode = single
        useEnglishOnly=true
        index=perfmon
         
        [perfmon://NTDS]
        object = NTDS
        counters = DRA Inbound Properties Total/sec; AB Browses/sec; DRA Inbound Objects Applied/sec; DS Threads in Use; AB Client Sessions; DRA Pending Replication Synchronizations; DRA Inbound Object Updates Remaining in Packet; DS Security Descriptor sub-operations/sec; DS Security Descriptor Propagations Events; LDAP Client Sessions; LDAP Active Threads; LDAP Writes/sec; LDAP Searches/sec; DRA Outbound Objects/sec; DRA Outbound Properties/sec; DRA Inbound Values Total/sec; DRA Sync Requests Made; DRA Sync Requests Successful; DRA Sync Failures on Schema Mismatch; DRA Inbound Objects/sec; DRA Inbound Properties Applied/sec; DRA Inbound Properties Filtered/sec; DS Monitor List Size; DS Notify Queue Size; LDAP UDP operations/sec; DS Search sub-operations/sec; DS Name Cache hit rate; DRA Highest USN Issued (Low part); DRA Highest USN Issued (High part); DRA Highest USN Committed (Low part); DRA Highest USN Committed (High part); DS % Writes from SAM; DS % Writes from DRA; DS % Writes from LDAP; DS % Writes from LSA; DS % Writes from KCC; DS % Writes from NSPI; DS % Writes Other; DS Directory Writes/sec; DS % Searches from SAM; DS % Searches from DRA; DS % Searches from LDAP; DS % Searches from LSA; DS % Searches from KCC; DS % Searches from NSPI; DS % Searches Other; DS Directory Searches/sec; DS % Reads from SAM; DS % Reads from DRA; DRA Inbound Values (DNs only)/sec; DRA Inbound Objects Filtered/sec; DS % Reads from LSA; DS % Reads from KCC; DS % Reads from NSPI; DS % Reads Other; DS Directory Reads/sec; LDAP Successful Binds/sec; LDAP Bind Time; SAM Successful Computer Creations/sec: Includes all requests; SAM Machine Creation Attempts/sec; SAM Successful User Creations/sec; SAM User Creation Attempts/sec; SAM Password Changes/sec; SAM Membership Changes/sec; SAM Display Information Queries/sec; SAM Enumerations/sec; SAM Transitive Membership Evaluations/sec; SAM Non-Transitive Membership Evaluations/sec; SAM Domain Local Group Membership Evaluations/sec; SAM Universal Group Membership Evaluations/sec; SAM Global Group Membership Evaluations/sec; SAM GC Evaluations/sec; DRA Inbound Full Sync Objects Remaining; DRA Inbound Bytes Total/sec; DRA Inbound Bytes Not Compressed (Within Site)/sec; DRA Inbound Bytes Compressed (Between Sites, Before Compression)/sec; DRA Inbound Bytes Compressed (Between Sites, After Compression)/sec; DRA Outbound Bytes Total/sec; DRA Outbound Bytes Not Compressed (Within Site)/sec; DRA Outbound Bytes Compressed (Between Sites, Before Compression)/sec; DRA Outbound Bytes Compressed (Between Sites, After Compression)/sec; DS Client Binds/sec; DS Server Binds/sec; DS Client Name Translations/sec; DS Server Name Translations/sec; DS Security Descriptor Propagator Runtime Queue; DS Security Descriptor Propagator Average Exclusion Time; DRA Outbound Objects Filtered/sec; DRA Outbound Values Total/sec; DRA Outbound Values (DNs only)/sec; AB ANR/sec; AB Property Reads/sec; AB Searches/sec; AB Matches/sec; AB Proxy Lookups/sec; ATQ Threads Total; ATQ Threads LDAP; ATQ Threads Other; DRA Inbound Bytes Total Since Boot; DRA Inbound Bytes Not Compressed (Within Site) Since Boot; DRA Inbound Bytes Compressed (Between Sites, Before Compression) Since Boot; DRA Inbound Bytes Compressed (Between Sites, After Compression) Since Boot; DRA Outbound Bytes Total Since Boot; DRA Outbound Bytes Not Compressed (Within Site) Since Boot; DRA Outbound Bytes Compressed (Between Sites, Before Compression) Since Boot; DRA Outbound Bytes Compressed (Between Sites, After Compression) Since Boot; LDAP New Connections/sec; LDAP Closed Connections/sec; LDAP New SSL Connections/sec; DRA Pending Replication Operations; DRA Threads Getting NC Changes; DRA Threads Getting NC Changes Holding Semaphore; DRA Inbound Link Value Updates Remaining in Packet; DRA Inbound Total Updates Remaining in Packet; DS % Writes from NTDSAPI; DS % Searches from NTDSAPI; DS % Reads from NTDSAPI; SAM Account Group Evaluation Latency; SAM Resource Group Evaluation Latency; ATQ Outstanding Queued Requests; ATQ Request Latency; ATQ Estimated Queue Delay; Tombstones Garbage Collected/sec; Phantoms Cleaned/sec; Link Values Cleaned/sec; Tombstones Visited/sec; Phantoms Visited/sec; NTLM Binds/sec; Negotiated Binds/sec; Digest Binds/sec; Simple Binds/sec; External Binds/sec; Fast Binds/sec; Base searches/sec; Subtree searches/sec; Onelevel searches/sec; Database adds/sec; Database modifys/sec; Database deletes/sec; Database recycles/sec; Approximate highest DNT; Transitive operations/sec; Transitive suboperations/sec; Transitive operations milliseconds run
        interval = 60
        disabled = 0
        mode = single
        useEnglishOnly=true
        index=perfmon
        
        [perfmon://DNS]
        object = DNS
        counters = Total Query Received; Total Query Received/sec; UDP Query Received; UDP Query Received/sec; TCP Query Received; TCP Query Received/sec; Total Response Sent; Total Response Sent/sec; UDP Response Sent; UDP Response Sent/sec; TCP Response Sent; TCP Response Sent/sec; Recursive Queries; Recursive Queries/sec; Recursive Send TimeOuts; Recursive TimeOut/sec; Recursive Query Failure; Recursive Query Failure/sec; Notify Sent; Zone Transfer Request Received; Zone Transfer Success; Zone Transfer Failure; AXFR Request Received; AXFR Success Sent; IXFR Request Received; IXFR Success Sent; Notify Received; Zone Transfer SOA Request Sent; AXFR Request Sent; AXFR Response Received; AXFR Success Received; IXFR Request Sent; IXFR Response Received; IXFR Success Received; IXFR UDP Success Received; IXFR TCP Success Received; WINS Lookup Received; WINS Lookup Received/sec; WINS Response Sent; WINS Response Sent/sec; WINS Reverse Lookup Received; WINS Reverse Lookup Received/sec; WINS Reverse Response Sent; WINS Reverse Response Sent/sec; Dynamic Update Received; Dynamic Update Received/sec; Dynamic Update NoOperation; Dynamic Update NoOperation/sec; Dynamic Update Written to Database; Dynamic Update Written to Database/sec; Dynamic Update Rejected; Dynamic Update TimeOuts; Dynamic Update Queued; Secure Update Received; Secure Update Received/sec; Secure Update Failure; Database Node Memory; Record Flow Memory; Caching Memory; UDP Message Memory; TCP Message Memory; Nbstat Memory; Unmatched Responses Received 
        interval = 60
        disabled = 0
        mode = single
        useEnglishOnly=true
        index=perfmon
        

    Pre-Defined Data Inputs - Splunk_TA_windows Pre-Defined Inputs

    Below are the Pre-Defined base Windows OS inputs, \\Network Share\ms_ad_obj_ta_examples\Splunk_TA_windows_local_only\local\inputs.conf, that were added to the Splunk_TA_windows.

    Example TA Inputs: Splunk_TA_windows

    • Windows Event Logs Inputs:
      • The [WinEventLog://Security] input is required for a majority of the MS Windows AD Objects application's dashboards and reports.
      • The index=wineventlog setting will need to be adjusted if you have specified a different index than wineventlog.
      ###### Base OS Logs ######
      [WinEventLog://Application]
      disabled = 0
      start_from = oldest
      current_only = 0
      checkpointInterval = 5
      renderXml=false
      index=wineventlog
      
      [WinEventLog://Security]
      disabled = 0
      start_from = oldest
      current_only = 0
      evt_resolve_ad_obj = 1
      checkpointInterval = 5
      blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
      blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
      renderXml=false
      index=wineventlog
      
      [WinEventLog://System]
      disabled = 0
      start_from = oldest
      current_only = 0
      checkpointInterval = 5
      renderXml=false
      index=wineventlog
    • Windows API and Scripted Inputs:
      • The index=windows setting will need to be adjusted if you have specified a different index than windows.
      ###### Windows Update Log ######
      ## Enable below stanza to get WindowsUpdate.log for Windows 8, Windows 8.1, Server 2008R2, Server 2012 and Server 2012R2
      [monitor://$WINDIR\WindowsUpdate.log]
      disabled = 0
      sourcetype = WindowsUpdateLog
      index=windows
      
      ## Enable below powershell and monitor stanzas to get WindowsUpdate.log for Windows 10 and Server 2016
      ## Below stanza will automatically generate WindowsUpdate.log daily
      [powershell://generate_windows_update_logs]
      script = ."$SplunkHome\etc\apps\Splunk_TA_windows_dc\bin\powershell\generate_windows_update_logs.ps1"
      schedule = 0 */24 * * *
      disabled = 1
      index=windows
      
      ## Below stanza will monitor the generated WindowsUpdate.log in Windows 10 and Server 2016
      [monitor://$SPLUNK_HOME\var\log\Splunk_TA_windows_dc\WindowsUpdate.log]
      disabled = 1
      sourcetype = WindowsUpdateLog
      index=windows
      
      ###### Scripted Input (See also wmi.conf)
      [script://.\bin\win_listening_ports.bat]
      disabled = 1
      ## Run once per hour
      interval = 3600
      sourcetype = Script:ListeningPorts
      index=windows
      
      [script://.\bin\win_installed_apps.bat]
      disabled = 1
      ## Run once per day
      interval = 86400
      sourcetype = Script:InstalledApps
      index=windows
      
      [script://.\bin\win_timesync_status.bat]
      disabled = 1
      ## Run once per hour
      interval = 3600
      sourcetype = Script:TimesyncStatus
      index=windows
      
      [script://.\bin\win_timesync_configuration.bat]
      disabled = 1
      ## Run once per hour
      interval = 3600
      sourcetype = Script:TimesyncConfiguration
      index=windows
      
      [script://.\bin\netsh_address.bat]
      disabled = 1
      ## Run once per day
      interval = 86400
      sourcetype = Script:NetworkConfiguration
      index=windows
      
      ###### Host monitoring ######
      [WinHostMon://Computer]
      interval = 600
      disabled = 0
      type = Computer
      index=windows
      
      [WinHostMon://Process]
      interval = 600
      disabled = 0
      type = Process
      index=windows
      
      [WinHostMon://Processor]
      interval = 600
      disabled = 0
      type = Processor
      index=windows
      
      [WinHostMon://NetworkAdapter]
      interval = 600
      disabled = 0
      type = NetworkAdapter
      index=windows
      
      [WinHostMon://Service]
      interval = 600
      disabled = 0
      type = Service
      index=windows
      
      [WinHostMon://OperatingSystem]
      interval = 600
      disabled = 0
      type = OperatingSystem
      index=windows
      
      [WinHostMon://Disk]
      interval = 600
      disabled = 0
      type = Disk
      index=windows
      
      [WinHostMon://Driver]
      interval = 600
      disabled = 0
      type = Driver
      index=windows
      
      [WinHostMon://Roles]
      interval = 600
      disabled = 0
      type = Roles
      index=windows
      
    • Windows Performance Counter Inputs:
      • The index=perfmon setting will need to be adjusted if you have specified a different index than perfmon.
      ## CPU
      [perfmon://CPU]
      counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
      disabled = 0
      instances = *
      interval = 60
      mode = single
      object = Processor
      useEnglishOnly=true
      index=perfmon
      
      ## Logical Disk
      [perfmon://LogicalDisk]
      counters = % Free Space; Free Megabytes; Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
      disabled = 0
      instances = *
      interval = 120
      mode = single
      object = LogicalDisk
      useEnglishOnly=true
      index=perfmon
      
      ## Physical Disk
      [perfmon://PhysicalDisk]
      counters = Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
      disabled = 0
      instances = *
      interval = 120
      mode = single
      object = PhysicalDisk
      useEnglishOnly=true
      index=perfmon
      
      ## Memory
      [perfmon://Memory]
      counters = Page Faults/sec; Available Bytes; Committed Bytes; Commit Limit; Write Copies/sec; Transition Faults/sec; Cache Faults/sec; Demand Zero Faults/sec; Pages/sec; Pages Input/sec; Page Reads/sec; Pages Output/sec; Pool Paged Bytes; Pool Nonpaged Bytes; Page Writes/sec; Pool Paged Allocs; Pool Nonpaged Allocs; Free System Page Table Entries; Cache Bytes; Cache Bytes Peak; Pool Paged Resident Bytes; System Code Total Bytes; System Code Resident Bytes; System Driver Total Bytes; System Driver Resident Bytes; System Cache Resident Bytes; % Committed Bytes In Use; Available KBytes; Available MBytes; Transition Pages RePurposed/sec; Free & Zero Page List Bytes; Modified Page List Bytes; Standby Cache Reserve Bytes; Standby Cache Normal Priority Bytes; Standby Cache Core Bytes; Long-Term Average Standby Cache Lifetime (s)
      disabled = 0
      interval = 60
      mode = single
      object = Memory
      useEnglishOnly=true
      index=perfmon
      
      ## Network
      [perfmon://Network]
      counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size  
      disabled = 0
      instances = *
      interval = 60
      mode = single
      object = Network Interface
      useEnglishOnly=true
      index=perfmon
      
      ## Process
      [perfmon://Process]
      counters = % Processor Time; % User Time; % Privileged Time; Virtual Bytes Peak; Virtual Bytes; Page Faults/sec; Working Set Peak; Working Set; Page File Bytes Peak; Page File Bytes; Private Bytes; Thread Count; Priority Base; Elapsed Time; ID Process; Creating Process ID; Pool Paged Bytes; Pool Nonpaged Bytes; Handle Count; IO Read Operations/sec; IO Write Operations/sec; IO Data Operations/sec; IO Other Operations/sec; IO Read Bytes/sec; IO Write Bytes/sec; IO Data Bytes/sec; IO Other Bytes/sec; Working Set - Private
      disabled = 0
      instances = *
      interval = 60
      mode = single
      object = Process
      useEnglishOnly=true
      index=perfmon
      
      ## Processor Information
      [perfmon://ProcessorInformation]
      counters = % Processor Time; Processor Frequency
      disabled = 0
      instances = *
      interval = 60
      mode = single
      object = Processor Information
      useEnglishOnly=true
      index=perfmon
      
      ## System
      [perfmon://System]
      counters = File Read Operations/sec; File Write Operations/sec; File Control Operations/sec; File Read Bytes/sec; File Write Bytes/sec; File Control Bytes/sec; Context Switches/sec; System Calls/sec; File Data Operations/sec; System Up Time; Processor Queue Length; Processes; Threads; Alignment Fixups/sec; Exception Dispatches/sec; Floating Emulations/sec; % Registry Quota In Use
      disabled = 0
      instances = *
      interval = 60
      mode = single
      object = System
      useEnglishOnly=true
      index=perfmon
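The two blacklist lines in the [WinEventLog://Security] stanza above decide which 4662 and 566 object-access events ever leave the forwarder. As an added example (not part of this guide or of the Splunk_TA_windows add-on), the Python below models that filter on constructed events. It assumes Splunk's documented rule that every key=regex pair in one blacklistN entry must match for an event to be dropped, with each regex applied as an unanchored search. The result shows that only events whose Object Type is groupPolicyContainer are kept: every other 4662 (here one on a domainDNS object) is discarded before indexing, so any detection that relies on other 4662 object types has to be accounted for when this filter is deployed.

```python
import re

# Blacklist entries as written in the [WinEventLog://Security] stanza above.
# Each entry is a set of key=regex pairs; an event is dropped only when every
# pair in that entry matches (assumed here: unanchored regex search per key).
BLACKLISTS = [
    {"EventCode": r"4662", "Message": r"Object Type:(?!\s*groupPolicyContainer)"},
    {"EventCode": r"566",  "Message": r"Object Type:(?!\s*groupPolicyContainer)"},
]


def is_blacklisted(event, blacklists=BLACKLISTS):
    """True if the forwarder would drop this event before it reaches the index."""
    for entry in blacklists:
        if all(re.search(regex, str(event.get(key, ""))) for key, regex in entry.items()):
            return True
    return False


def forwarded(events, blacklists=BLACKLISTS):
    """Return only the events that survive the blacklist, in original order."""
    return [e for e in events if not is_blacklisted(e, blacklists)]


# Constructed sample events (not real log data).  The Message text mimics the
# tab-indented "Object Type:" line of a 4662 / 566 object-access event.
SAMPLE_EVENTS = [
    {"EventCode": "4662",
     "Message": "An operation was performed on an object.\r\n\tObject:\r\n"
                "\t\tObject Type:\t\tgroupPolicyContainer\r\n"},
    {"EventCode": "4662",
     "Message": "An operation was performed on an object.\r\n\tObject:\r\n"
                "\t\tObject Type:\t\tdomainDNS\r\n"},
    {"EventCode": "566",
     "Message": "Object Type:\tuser"},
    {"EventCode": "4624",
     "Message": "An account was successfully logged on."},
]


def survivors_by_object_type(events=SAMPLE_EVENTS):
    """Summarise which (EventCode, Object Type) pairs are still forwarded."""
    kept = []
    for e in forwarded(events):
        m = re.search(r"Object Type:\s*(\S+)", e["Message"])
        kept.append((e["EventCode"], m.group(1) if m else None))
    return kept


if __name__ == "__main__":
    for code, obj in survivors_by_object_type():
        print(f"forwarded: EventCode={code} ObjectType={obj}")
```

Running it prints the two surviving events (the groupPolicyContainer 4662 and the unrelated 4624); the domainDNS 4662 and the 566 never reach Splunk. If you widen or remove the blacklist to keep other object types, plan for the event volume 4662 auditing generates.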

    Installing Deployment Server - Important Tips:

    • Deployment server capability is automatically enabled on Splunk Enterprise, so there is nothing you need to do in this step, beyond choosing the instance. This is the instance where you will place the downloadable content and define your server classes. The deployment server distributes content updates to its set of deployment clients.
    • For proofs of concept or small Splunk environments, you can use the same system as your Splunk Heavy Forwarder.
    • Since the Deployment server capability is automatically enabled on Splunk Enterprise, you can skip this step and proceed to the next Preparation item if you have already installed the Splunk Heavy Forwarder and you want to use it as your Deployment Server.
    • In most cases, the deployment server requires a dedicated Splunk Enterprise instance. See "Deployment server system requirements."
    • The deployment server cannot be a deployment client of itself. If it is, the following error will appear in splunkd.log: "This DC shares a Splunk instance with its DS: unsupported configuration".

    Here's a recap of the key definitions:

    • deployment server - A Splunk Enterprise instance that acts as a centralized configuration manager. It deploys configuration updates to other instances. Also refers to the overall configuration update facility comprising deployment server, clients, and apps.
    • deployment client - A remotely configured Splunk Enterprise instance. It receives updates from the deployment server.
    • server class - A deployment configuration category shared by a group of deployment clients. A deployment client can belong to multiple server classes.
    • deployment app - A unit of content deployed to the members of one or more server classes.

    Splunk Cloud - Deployment Server Example:

    - Brief Descriptions:

    Deployment Server architecture

    Key elements of the architecture

    A deployment server is a Splunk Enterprise instance that acts as a centralized configuration manager for any number of other instances, called "deployment clients". Any full Splunk Enterprise instance - even one indexing data locally - can act as a deployment server. A deployment server cannot be a client of itself.

    A deployment client is a Splunk instance remotely configured by a deployment server. Deployment clients can be universal forwarders, heavy forwarders, indexers, or search heads. Each deployment client belongs to one or more server classes.

    A deployment app is a set of content (including configuration files) maintained on the deployment server and deployed as a unit to clients of a server class. A deployment app might consist of just a single configuration file, or it can consist of many files. Over time, an app can be updated with new content and then redeployed to its designated clients. The deployment app can be an existing Splunk Enterprise app or one developed solely to group some content for deployment purposes.

    Note: The term "app" has a somewhat different meaning in the context of the deployment server from its meaning in the general Splunk Enterprise context. For more information on Splunk Enterprise apps in general, see "What are apps and add-ons?" in the Admin manual.

    A server class is a group of deployment clients that share one or more defined characteristics. For example, you can group all Windows clients into one server class and all Linux clients into another server class. You use server classes to map a group of deployment clients to one or more deployment apps. By creating a server class, you are telling the deployment server that a specific set of clients should receive configuration updates in the form of a specific set of apps.

    How it all fits together

    This diagram provides a conceptual overview of the relationship between a deployment server and its set of deployment clients and server classes:

    In this example, each deployment client is a Splunk Enterprise forwarder that belongs to two server classes, one for its OS and the other for its geographical location. The deployment server maintains the list of server classes and uses those server classes to determine what content to distribute to each client. For an example of how to implement this type of arrangement to govern the flow of content to clients, see "Deploy configurations to several forwarders".

    For more information on deployment apps, see "Create deployment apps". For more information on server classes, see "About server classes". For more information on deployment clients, see "Configure deployment clients".

  • You use a deployment server to distribute content and configurations (collectively called deployment apps) to deployment clients, grouped into server classes. Deployment apps can be full-fledged apps, such as those available on Splunkbase, or they can be just simple groups of configurations.
  • Instructions - Download Splunk Cloud Credentials Application:

    Installation Wizard Screenshot

    Splunk Cloud™ Universal Forwarder Credentials Application
    1. Click Splunk Home Page
    2. Click on the Universal Forwarder link to open the application where you can download the Splunk Cloud Credentials application.
    3. Then click Download Universal Forwarder Credentials:

    Details - Downloading the Cloud Credentials App:

    Details - Splunk Enterprise New Index Example:

    Details - Splunk Cloud New Index Example:

    Index Creation View

    Details - Splunk Enterprise Windows Installation:

    Installation Wizard Screenshot

    Details - Splunk Universal Forwarder Installation Example:

    Review - Review Auto Data Check Results:

    Validate the Preparation Step of Adjusting the Splunk Knowledge Objects

    Review the Autocheck data results against the defined index macros that are used to point to specific indexes.

    Macro to Index Definitions:

    Review - Validate Splunk Knowledge Object Adjustments:

    Validate the Preparation Step of Adjusting the Splunk Knowledge Objects

    Review the Autocheck results and follow the steps below to update the appropriate macros that are now used to point to specific indexes. This replaces the previous version's use of eventtypes.

    Auto Check Information:
    • An autocheck search was executed to check if the defined indexes in the required macros are available (created).
    • Review the below Troubleshooting Steps:
      • If you created different index names for your Windows/Active Directory data, then follow the Adjusting the Macros used by the MS AD Windows Objects steps below.
      • Troubleshooting steps if you created the recommended indexes (wineventlog, perfmon, msad, windows):

        Verify Role Index Permissions:

        1. Click Review Roles to open the Roles page
        2. Click on the Role(s) associated with your account
        3. Click on the 3. Indexes link
        4. Verify that the Default box is selected for each of the created indexes (wineventlog, perfmon, msad, windows)
        5. Click Save, then click the Rerun Autocheck button below to rerun the autocheck and update the results
          • If it is still showing errors after running the above, and you are sure you created the default indexes, then you can proceed to the next Preparation item
      • Click Rerun Autocheck to rerun the autocheck once you have completed the above troubleshooting or the preparation steps below.
    Macro to Index Definitions:

    Adjusting the Macros used by the MS AD Windows Objects

    1. Click Macro Settings to open the settings page for the macros, or click on the individual macro names below to adjust the macro definition.
    2. Use the list below to match up the custom indexes you created for your Windows data with the appropriate macro:
      • Macro: ms__obj_win_events_index
        • All Windows Event Logs (i.e. Security, Application, System, Directory Service, etc.)
      • Macro: ms__obj_win_perfmon_index
        • All Windows Performance Counter data (i.e. Perfmon:CPU, Perfmon:Memory, etc.)
      • Macro: ms__obj_win_ad_index
        • All Active Directory specific data (i.e. ActiveDirectory, DHCP, DNS, PowerShell AD scripts, etc.)
      • Macro: ms__obj_win_api_index
        • All Windows OS API and script data (i.e. WinHostMon, WinNetMon, Update Logs, etc.)
    3. Click on the individual macro links to update the definition with your aligned custom indexes (using OR for multiple indexes, e.g. index=winosevt OR index=winossecurityevt).
    4. Click Save after adjusting each of the above macros.
    5. Click Rerun Autocheck to rerun the autocheck search and validate your changes.
    6. After adjusting the macros and verifying the changes, proceed to the next Preparation item.
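Step 3 expects each macro definition to resolve only to indexes that actually exist on the indexers, which is what the Rerun Autocheck verifies. As an added example, not code from this guide or from the MS Windows AD Objects app, the Python below performs that check offline: it pulls the index names out of each macro definition and reports any that are not among the created indexes. The macro names are the four listed above; the definitions and the set of created indexes are constructed values (winosevt, winossecurityevt and winapi are placeholders, not indexes the guide prescribes).

```python
import re

# The four macros named in the guide, mapped to the definition you would enter
# in Settings > Advanced search > Search macros.  Values are constructed.
MACRO_DEFINITIONS = {
    "ms__obj_win_events_index":  "index=winosevt OR index=winossecurityevt",
    "ms__obj_win_perfmon_index": "index=perfmon",
    "ms__obj_win_ad_index":      '(index="msad")',
    "ms__obj_win_api_index":     "index=windows OR index=winapi",
}

# Indexes that exist on the indexer(s); constructed for the example.  Note that
# "winapi" is deliberately absent so the check has something to report.
CREATED_INDEXES = {"winosevt", "winossecurityevt", "perfmon", "msad", "windows"}

# index=name or index="name"; "index!=" is not matched because of the "!".
_INDEX_RE = re.compile(r'\bindex\s*=\s*"?([A-Za-z0-9_\-]+)"?', re.IGNORECASE)


def indexes_in_macro(definition):
    """Return the set of index names referenced by one macro definition."""
    return {name.lower() for name in _INDEX_RE.findall(definition)}


def check_macros(definitions, created):
    """
    Map each macro name to the sorted list of referenced indexes that do not
    exist.  An empty list means the macro is fully backed by created indexes;
    a macro with no index= term at all is reported as ['<no index= term>'],
    since such a macro would search every index the role can see.
    """
    existing = {name.lower() for name in created}
    report = {}
    for macro, definition in definitions.items():
        referenced = indexes_in_macro(definition)
        if not referenced:
            report[macro] = ["<no index= term>"]
        else:
            report[macro] = sorted(referenced - existing)
    return report


if __name__ == "__main__":
    for macro, missing in check_macros(MACRO_DEFINITIONS, CREATED_INDEXES).items():
        status = "ok" if not missing else "missing: " + ", ".join(missing)
        print(f"{macro}: {status}")
```

Run against a real environment, replace MACRO_DEFINITIONS with the definitions shown in Macro Settings and CREATED_INDEXES with the names listed under Settings > Indexes on each indexer; a non-empty list for any macro is the condition the autocheck flags.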

    Review - Recollecting the admon baseline data:

    • After performing the steps below, wait about 15-30 minutes, depending on the size and domain count, before clicking the Rerun Autocheck button.

    The steps below walk through the quick process of recollecting the required admon baseline data.

    • The admon baseline data is only collected the first time the input is enabled.
    • Make sure you do not have the [admon:\\....] data input enabled in any of the other TAs, i.e. under \etc\apps\SplunkUniversalForwarder\.
    1. Login to the AD Domain Controller you deployed the Splunk_TA_windows_admon TA to.
    2. Stop the Splunk Forwarder Service.
    3. Open File Explorer and navigate to the ...\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows_admon\local directory.
    4. With WordPad running as administrator ("Run as administrator"), open the inputs.conf file.
    5. Verify that the [admon:\\default] input is enabled.
    6. If it wasn't enabled, then enable it (i.e. disabled = 0) and save the changes.
    7. Navigate into the ...\SplunkUniversalForwarder\var\lib\splunk\persistentstorage\ADMon\ directory.
    8. Delete the default.ini file.
      • If you see more than one file there, then the admon input must be enabled in either ...\SplunkUniversalForwarder\etc\system\local or in one of the applications under the ...\SplunkUniversalForwarder\etc\apps directory.
      • You can also run the command splunk cmd btool inputs list admon://default --debug from a command line, executing from the ...\SplunkUniversalForwarder\bin directory.
      • Once you find where it is enabled, delete the complete [admon:\\...] input stanza from that location.
    9. Start the Splunk Forwarder Service.

    Review - Verify the creation of the indexes on your Splunk Core system / Splunk Indexer(s):

    Review the below steps to verify the creation of the indexes that will store the Windows data sent from your Windows machines.

    • Important Note: If your Windows data is going to different indexes than what is listed below, then click the Macro Settings Check button to see the steps for validating that the required macros have been updated.
    • In this step, you create the following indexes:
      • It's a best practice to create separate indexes for different types of data.
      • This can be useful if you want different storage settings for different types of data. For example, you may need to store wineventlogs for a specified time period for compliance purposes.
    1. Click Open Index Manager to open the indexes management view.
      • If the above button does not work for you then open a separate browser tab, connect to your Splunk Instance and Navigate to Settings > Indexes.
    2. In a separate browser tab Login to your Splunk Indexer's Web UI with a user that is part of the admin role.
    3. Navigate to Settings > Indexes
    4. Click New
    5. For the index name, enter $tok_macro_win_events_idxs$
      • If you have defined multiple indexes in the macro $tok_macro_win_events_name$ for storing EventLogs then there will be a comma separated list here. Don't copy the comma, but just choose the first one; you will create the other(s) when you repeat these steps.
    6. For index data type, select Events
    7. Click below to review the details on Customizing the settings:
      • For other below settings you can use the defaults or if you want to customize then Click Configure index storage to review more detailed information on these index settings.
        • The path locations for index data storage:
          • Home path. Leave blank for default $SPLUNK_DB/<index_name>/db
          • Cold path. Leave blank for default $SPLUNK_DB/<index_name>/colddb
          • Thawed path. Leave blank for default $SPLUNK_DB/<index_name>/thaweddb
        • Enable/disable data integrity check.
        • The maximum size of the entire index. Defaults to 500000MB.
        • The maximum size of each index bucket. When setting the maximum size, use auto_high_volume for high volume indexes (such as the main index); otherwise, use auto.
        • The frozen archive path. Set this field if you want to archive frozen buckets. For information on bucket archiving, see Archive indexed data.
        • The app in which the index resides.
        • The tsidx retention policy. See Reduce tsidx usage.
    8. Click Save
    9. Screenshot

    10. Repeat these steps for each of the following indexes (if multiple indexes are defined in a macro, they are listed comma separated):
    11. Repeat all of the above steps on each of the indexers that will receive Windows data.
    12. After creating any indexes, Click the Rerun Autocheck button at the top to verify changes.

    Review - Verify the creation of the indexes in your Splunk Cloud™ environment

    Verify the creation of the indexes that will store the Windows data sent from your Windows machines.

    • Important Note: If your Windows data is going to different indexes than what is listed below, then click View Steps for the Validate the Preparation Step of Adjusting the Splunk Knowledge Objects section to see the steps for validating that the required macros have been updated.
    • In this step, you create the following indexes:
      • It's a best practice to create separate indexes for different types of data.
      • This can be useful if you want different storage settings for different types of data. For example, you may need to store wineventlogs for a specified time period for compliance purposes.
    1. Click Open Index Manager to open the indexes management view.
      • If the above button does not work for you then open a separate browser tab, connect to your Splunk Instance and Navigate to Settings > Indexes.
    2. Click New Index.
    3. For the index name, enter $tok_macro_win_events_idxs$
      • If you have defined multiple indexes in the macro $tok_macro_win_events_name$ for storing EventLogs then there will be a comma separated list here. Don't copy the comma, but just choose the first one; you will create the other(s) when you repeat these steps.
    4. For index data type, select Events.
    5. For searchable time (days), enter 90.
      • Optionally, you can extend your storage for longer if you have different requirements. By default Splunk Cloud provides 90 days of searchable storage.
    6. Click No Additional Storage, and click Save
      • You can also set up different types of storage for expired Splunk Cloud data (such as self-storage or archiving)
    7. Screenshot

    8. Repeat these steps for each of the following indexes (if multiple indexes are defined in a macro, they are listed comma separated):
    9. After completing this step, proceed to the next Preparation section Adjust or verify Splunk Knowledge Objects.

    Review - Verify the creation of the indexes in your Splunk environment

    Verify the creation of the below listed indexes in your Splunk Environment.

    • Important Note: If your Windows data is going to different indexes than what is listed below, then click View Steps for the Validate the Preparation Step of Adjusting the Splunk Knowledge Objects section to see the steps for validating that the required macros have been updated.
    • Validate the creation of the following indexes:
      • It's a best practice to create separate indexes for different types of data.
      • This can be useful if you want different storage settings for different types of data. For example, you may need to store wineventlogs for a specified time period for compliance purposes.
    After creating any indexes, Click the Rerun Autocheck button at the top to verify changes.

    Review - Verify Health and Topology input is enabled

    Check the below troubleshooting Steps for resolving the issue of missing the required Domain Health data

    • Make sure that at least one of the following inputs (which one depends on the Windows OS version) is enabled on the Active Directory Domain Controllers:
    • If you renamed the Splunk pre-configured TA that was provided by the MS Windows AD Objects application (Splunk_TA_windows_dc), or you are using a different TA to collect the sourcetype=MSAD:NT6:Health data, then make sure you have updated the [powershell://AD-Health] input with the updated TA name for the script setting.
    1. Login to one of your AD Domain Controllers
    2. Open File Explorer and navigate to ...\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows_dc\local directory.
    3. With WordPad running as administrator ("Run as administrator"), open the inputs.conf file.
    4. Search for the [script://.\bin\runpowershell.cmd nt6-health.ps1] input stanza
      • The MSAD Health data inputs are dependent on the Windows Version. See the below input settings to determine which one needs to be enabled:
        • Health and Topology Information Windows (Version 2008):
          [script://.\bin\runpowershell.cmd nt6-health.ps1]
          source=Powershell
          sourcetype=MSAD:NT6:Health
          interval=300
          disabled=0
          index=msad
        • Or Health and Topology Information Windows (Version 2012r2 and 2016+):
          [powershell://AD-Health]
          script = & "$SplunkHome\etc\apps\Splunk_TA_windows_dc\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-health.ps1"
          schedule = 0 */5 * ? * *
          source=Powershell
          sourcetype=MSAD:NT6:Health
          disabled=0
          index=msad
    5. Make sure the disabled setting is set to disabled = 0 for the input that matches your Windows version
    6. Also, double-check that the index setting matches the index that you created for your AD data
    7. Last check: if you are using a different name than Splunk_TA_windows_dc, then you will need to update the script setting (script = & "$SplunkHome\etc\apps\Splunk_TA_windows_dc\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-health.ps1") to the name you are using for the TA's folder.
    8. If you made any changes, restart the Splunk Forwarder Service
    1. Login to your Splunk Deployment Server
    2. Using a terminal or File Explorer, navigate to the ...\Splunk\etc\deployment-apps\Splunk_TA_windows_dc\local directory.
    3. Open the inputs.conf file.
    4. Search for the [script://.\bin\runpowershell.cmd nt6-health.ps1] input stanza
      • The MSAD Health data inputs are dependent on the Windows Version. See the below input settings to determine which one needs to be enabled:
        • Health and Topology Information Windows (Version 2008):
          [script://.\bin\runpowershell.cmd nt6-health.ps1]
          source=Powershell
          sourcetype=MSAD:NT6:Health
          interval=300
          disabled=0
          index=msad
        • Or Health and Topology Information Windows (Version 2012r2 and 2016+):
          [powershell://AD-Health]
          script = & "$SplunkHome\etc\apps\Splunk_TA_windows_dc\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-health.ps1"
          schedule = 0 */5 * ? * *
          source=Powershell
          sourcetype=MSAD:NT6:Health
          disabled=0
          index=msad
    5. Make sure the disabled setting is set to disabled = 0 for the input that matches your Windows version
    6. Also, double-check that the index setting matches the index that you created for your AD data
    7. Last check: if you are using a different name than Splunk_TA_windows_dc, then you will need to update the script setting (script = & "$SplunkHome\etc\apps\Splunk_TA_windows_dc\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-health.ps1") to the name you are using for the TA's folder.
    8. If you made any changes, open a command line/terminal, navigate to the ...\Splunk\bin\ directory and run the following command:
      splunk reload deploy-server
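Two of the checks in this section come down to the same question: in which app under the forwarder's etc tree is a given input stanza defined, and is it enabled there? Step 8 of the admon baseline procedure (more than one persistent-storage file means an [admon://...] input is enabled in more than one place) and the AD-Health check just above (is [powershell://AD-Health] enabled, and does its script setting point at the TA folder you actually use) both ask it. As an added example, not part of this guide or of the Splunk add-ons, the Python below walks etc/system and etc/apps/*/{default,local} much as the btool command in the admon step does, reading inputs.conf and letting an app's local override its default. The directory tree it reads is constructed in a temporary directory for the demo (Splunk_TA_windows deliberately has admon enabled in its local/ to reproduce the duplicate-input case) and is not a real install. It reports every location rather than reproducing Splunk's cross-app precedence order.

```python
import configparser
import os
import tempfile


def _read_conf(path):
    """Parse one Splunk .conf file into {stanza: {key: value}}, keeping key case."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str            # Splunk keys are case-sensitive
    cp.read(path, encoding="utf-8")
    return {stanza: dict(cp.items(stanza)) for stanza in cp.sections()}


def find_stanzas(etc_root, prefix):
    """
    Locate every inputs.conf stanza whose name starts with `prefix` under a
    forwarder's etc tree.  Looks where the guide says to look: etc/system and
    each app under etc/apps, reading default/ then local/ so local wins inside
    one app.  Returns sorted (location, stanza, enabled) tuples; `location` is
    the app directory name, or 'system'.
    """
    candidates = [("system", os.path.join(etc_root, "system"))]
    apps_dir = os.path.join(etc_root, "apps")
    if os.path.isdir(apps_dir):
        candidates += [(app, os.path.join(apps_dir, app)) for app in sorted(os.listdir(apps_dir))]

    rows = []
    for label, base in candidates:
        merged = {}
        for layer in ("default", "local"):          # local read last, so it overrides
            path = os.path.join(base, layer, "inputs.conf")
            if os.path.isfile(path):
                for stanza, settings in _read_conf(path).items():
                    if stanza.startswith(prefix):
                        merged.setdefault(stanza, {}).update(settings)
        for stanza, settings in merged.items():
            # A stanza with no "disabled" key is enabled (Splunk's default).
            enabled = settings.get("disabled", "0").strip().lower() in ("0", "false", "f")
            rows.append((label, stanza, enabled))
    return sorted(rows)


def enabled_locations(etc_root, prefix):
    """Locations (app names or 'system') where a matching stanza is enabled."""
    return sorted({loc for loc, _, enabled in find_stanzas(etc_root, prefix) if enabled})


def build_demo_tree():
    """Constructed forwarder etc tree (not a real install) reproducing the
    duplicate-admon situation the guide warns about, plus an AD-Health input."""
    root = tempfile.mkdtemp(prefix="uf_etc_")
    files = {
        "apps/Splunk_TA_windows_admon/local/inputs.conf":
            "[admon://default]\ndisabled = 0\nmonitorSubtree = 1\nindex = msad\n",
        "apps/Splunk_TA_windows/default/inputs.conf":
            "[admon://default]\ndisabled = 1\n\n[WinEventLog://Security]\ndisabled = 0\n",
        "apps/Splunk_TA_windows/local/inputs.conf":
            "[admon://default]\ndisabled = 0\n",        # the stray duplicate
        "apps/Splunk_TA_windows_dc/local/inputs.conf":
            "[powershell://AD-Health]\n"
            "script = & \"$SplunkHome\\etc\\apps\\Splunk_TA_windows_dc\\bin\\Invoke-MonitoredScript.ps1\""
            " -Command \".\\powershell\\2012r2-health.ps1\"\n"
            "schedule = 0 */5 * ? * *\nsourcetype = MSAD:NT6:Health\ndisabled = 0\nindex = msad\n",
    }
    for rel, text in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    etc = build_demo_tree()
    for prefix in ("admon://", "powershell://AD-Health"):
        for loc, stanza, enabled in find_stanzas(etc, prefix):
            print(f"{prefix:24} {loc:28} {stanza:28} enabled={enabled}")
        locs = enabled_locations(etc, prefix)
        if len(locs) > 1:
            print(f"  -> {prefix} is enabled in more than one place: {locs}")
```

Point `find_stanzas` at a real forwarder's etc directory (the parent of system/ and apps/) to get the same answer the btool command gives for admon://default, and use the prefix powershell://AD-Health to confirm the health input is enabled in exactly one TA and that its script setting names that TA's folder.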