new_file

deployment-apps/02-M-TIC_idx_indexes_base/default/indexes.conf

@@ -64,4 +64,24 @@ datatype = metric
 
 [idx_ldap]
 
-[idx_m-tic_synology]
+[idx_m-tic_synology]
+
+[msad]
+maxDataSize = 10000
+maxHotBuckets = 10
+
+[perfmon]
+maxDataSize = 10000
+maxHotBuckets = 10
+
+[winevents]
+maxDataSize = 10000
+maxHotBuckets = 10
+
+[windows]
+maxDataSize = 10000
+maxHotBuckets = 10
+
+[wineventlog]
+maxDataSize = 10000
+maxHotBuckets = 10

deployment-apps/Splunk_TA_microsoft_ad_FW/bin/Invoke-MonitoredScript.ps1

@@ -0,0 +1,89 @@
+<#
+    .SYNOPSIS
+        & .\Invoke-MonitoredScript.ps1 "MyScript.ps1"
+        
+    .DESCRIPTION
+        Outputs additional Splunk events related to the running and
+        errors in the script.
+#>
+[CmdletBinding()]
+param(
+    #Command to execute.
+    [Parameter(Position=0, Mandatory=$true)]
+    [ValidateNotNullOrEmpty()]
+    [string] $Command,
+	
+	# Splunk Sourcetype Prefix for generated events
+    [Parameter()]
+    [ValidateNotNull()]
+    [string] $SourceTypePrefix="Powershell:",
+	
+	# Maximum number of errors to convert into events
+    [Parameter()]
+    [ValidateRange(0, 100)]
+    [int] $MaxErrorCount
+)
+
+$WrappedScriptExecutionSummary= New-Object -TypeName PSObject -Property (
+    [ordered]@{
+        SplunkSourceType="$($SourceTypePrefix)ScriptExecutionSummary";
+        Identity=[guid]::NewGuid().ToString();
+        InvocationLine=$MyInvocation.Line;
+        TerminatingError=$false; ErrorCount=0; Elapsed=""
+    })
+$originalLocation = Get-Location
+
+try
+{
+    Set-Location (Split-Path -Parent $MyInvocation.MyCommand.Definition)
+    $ScriptStopWatch = [System.Diagnostics.Stopwatch]::StartNew()
+    $Error.Clear()
+    Invoke-Expression $Command
+}
+catch
+{
+    $WrappedScriptExecutionSummary.TerminatingError = $true;
+}
+finally
+{
+    Set-Location $originalLocation
+    $WrappedScriptExecutionSummary.Elapsed = $ScriptStopWatch.Elapsed.ToString("hh\:mm\:ss\.fff")
+    $WrappedScriptExecutionSummary.ErrorCount = $Error.Count
+        
+    if ($Error.Count -gt 0) {
+        $ei = $Error.Count - 1
+        if ($PSBoundParameters.ContainsKey('MaxErrorCount')) {
+            if ($MaxErrorCount -lt $Error.Count) {
+                $ei = $MaxErrorCount - 1
+            }
+            # Always emit terminating errors
+            if ($ei -eq -1 -and $WrappedScriptExecutionSummary.TerminatingError) {
+                $ei = 1
+            }
+        }
+
+        for(; $ei -ge 0; $ei--) {
+            $errorRecord = New-Object -TypeName PSObject -Property (
+                [ordered]@{
+                    SplunkSourceType="$($SourceTypePrefix)ScriptExecutionErrorRecord";
+                    ParentIdentity=$WrappedScriptExecutionSummary.Identity;
+                    ErrorIndex=$ei;
+                    ErrorMessage=$Error[$ei].ToString();
+                    PositionMessage=$Error[$ei].InvocationInfo.PositionMessage;
+                    CategoryInfo=$Error[$ei].CategoryInfo.ToString();
+                    FullyQualifiedErrorId=$Error[$ei].FullyQualifiedErrorId
+                })
+
+            if ($Error[$ei].Exception -ne $null) {
+                Add-Member -InputObject $errorRecord -MemberType NoteProperty -Name Exception -Value $Error[$ei].Exception.ToString()
+                if ($Error[$ei].Exception.InnerException -ne $null) {
+                    Add-Member -InputObject $errorRecord -MemberType NoteProperty -Name InnerException -Value $Error[$ei].Exception.InnerException.ToString()
+                }
+            }
+
+            Write-Output $errorRecord
+        }
+    }
+
+    Write-Output $WrappedScriptExecutionSummary
+}

deployment-apps/Splunk_TA_microsoft_ad_FW/bin/powershell/2012r2-health.ps1

@@ -0,0 +1,58 @@
+Import-Module ActiveDirectory -ErrorAction SilentlyContinue
+
+$ServerName = $env:ComputerName
+
+$DomainController = Get-ADDomainController -Identity $ServerName	
+$Domain 		  = Get-ADDomain -Identity $DomainController.Domain
+$Forest			  = Get-ADForest -Identity $DomainController.Forest
+$ReplicationSite  = Get-ADReplicationSite -Identity $DomainController.Site
+$Computer		  = Get-ADComputer -Identity $ServerName -Properties *
+$RootDSE		  = Get-ADRootDSE -Server $ServerName
+$RequiredServices = @( "ntfrs", "dfsr", "netlogon", "kdc", "w32time", "ismserv" )
+
+$ISTG 		  = ($DomainController.NTDSSettingsObjectDN -eq $ReplicationSite.InterSiteTopologyGenerator)
+$SYSVOL 	  = (Get-SMBShare SYSVOL -ErrorAction SilentlyContinue)
+Try {
+    $DnsRegister  = [System.Net.Dns]::GetHostByName($DomainController.HostName)
+} Catch { 
+    # The Catch will set $DnsRegister = $null if the GetHostByName fails for some reason
+}
+$SchemaVersion= Get-ADObject -Filter * -SearchScope Base -Properties objectVersion `
+			-SearchBase $RootDSE.schemaNamingContext
+$DCWeight	  = (Get-Item "HKLM:System\CurrentControlSet\Services\Netlogon\Parameters").GetValue("LdapSrvWeight", $null)
+if (!$DCWeight -or $DCWeight -eq $null -or $DCWeight -eq "") {
+	$DCWeight = 100
+}
+$FSMORoles 	= ($DomainController | Select -Expand OperationMasterRoles | %{ $_.ToString().Replace("Master","") } )
+
+$SvcRunning	= @(Get-Service $RequiredServices | ? Status -eq "Running" | select -expand Name)
+$SvcStopped	= @(Get-Service $RequiredServices | ? Status -ne "Running" | select -expand Name)
+$ProcsOK	= (($SvcStopped.Count -eq 0) -or ($SvcStopped.Count -eq 1 -and ($SvcStopped[0] -eq "ntfrs" -or $SvcStopped[0] -eq "dfsr")))
+
+New-Object PSObject -Property @{
+	Server			= $DomainController.Name
+	DomainDNSName	= $DomainController.Domain
+	DomainNetBIOSName = $Domain.NetBIOSName
+	DomainLevel		= $Domain.DomainMode
+	Site			= $DomainController.Site
+	ForestName		= $DomainController.Forest
+	ForestLevel		= $Forest.ForestMode
+	Created			= $Computer.whenCreated
+	Changed			= $Computer.whenChanged
+	GlobalCatalog	= $DomainController.IsGlobalCatalog
+	RODC			= $DomainController.IsReadOnly
+	Enabled			= $DomainController.Enabled
+	HighestUSN		= $RootDSE.highestCommittedUSN
+	SchemaVersion	= $SchemaVersion.objectVersion
+	DCWeight		= $DCWeight
+	IsIntersiteTopologyGenerator = $ISTG
+	OperatingSystem	= $DomainController.OperatingSystem
+	ServicePack		= $DomainController.OperatingSystemServicePack
+	OSVersion		= $DomainController.OperatingSystemVersion
+	FSMORoles		= $FSMORoles -join " "
+	ServicesRunning	= $SvcRunning -join ","
+	ServicesNotRunning = $SvcStopped -join ","
+	ProcsOK			= $ProcsOK
+	SYSVOLShare		= ($SYSVOL -ne $null)
+	DNSRegister		= ($DnsRegister -ne $null)
+}

deployment-apps/Splunk_TA_microsoft_ad_FW/bin/powershell/2012r2-repl-stats.ps1

@@ -0,0 +1,17 @@
+Import-Module ActiveDirectory -ErrorAction SilentlyContinue
+
+Get-ADReplicationPartnerMetaData -Target $env:ComputerName -PartnerType Inbound -Partition * | %{
+	$src_host = Get-ADObject -Filter * -SearchBase $_.Partner.Replace("CN=NTDS Settings,","") `
+				-SearchScope Base -Properties dNSHostName
+
+	New-Object PSObject -Property @{
+		LastAttemptedSync	= $_.LastReplicationAttempt
+		LastSuccessfulSync	= $_.LastReplicationSuccess
+		type			= "ReplicationEvent"
+		usn			= $_.LastChangeUsn
+		src_host		= $src_host.dNSHostName
+		Result			= $_.LastReplicationResult
+		transport		= $_.IntersiteTransportType
+		naming_context		= $_.Partition
+	}	
+}

deployment-apps/Splunk_TA_microsoft_ad_FW/bin/powershell/2012r2-siteinfo.ps1

@@ -0,0 +1,74 @@
+Import-Module ActiveDirectory -ErrorAction SilentlyContinue
+#
+# Get the Information about this site
+#
+$ServerName = $env:ComputerName
+
+$DC 	= Get-ADDomainController -Identity $ServerName
+$Site	= Get-ADReplicationSite -Identity $DC.Site
+$Object = Get-ADObject -Filter * -SearchScope base -Properties * `
+		-SearchBase $Site.DistinguishedName
+
+$Location 	= if ($Object.location -eq $null) { "" } else { $Object.location }
+$ISTG	  	= Get-ADDomainController -Filter `
+			'NTDSSettingsObjectDN -eq $Site.IntersiteTopologyGenerator'
+$SiteLinks 	= Get-ADReplicationSiteLink -Filter 'SitesIncluded -eq $Site' -Properties *
+$AdjacentSites 	= ($SiteLinks | Select -Expand SitesIncluded | `
+			Where-Object { $_ -ne $Site.DistinguishedName } | `
+			Sort-Object | Get-Unique | `
+			Foreach-Object { Get-ADReplicationSite $_ } )
+$Subnets	= Get-ADReplicationSubnet -Filter 'Site -eq $Site'
+
+########################################################################
+#
+# SITE
+#
+$SiteInfo = @(
+	"Type=`"Site`""
+	"ForestName=`"$($DC.Forest)`""
+	"Site=`"$($Object.CN)`""
+	"Location=`"$Location`""
+	"IntersiteTopologyGenerator=`"$($ISTG.HostName)`""
+)
+$AdjacentSites | %{ $SiteLink += "AdjacentSite=`"$($_.Name)`"" }
+$SiteLinks     | %{ $SiteInfo += "SiteLink=`"$($_.Name)`"" }
+$Subnets       | %{ $SiteInfo += "Subnet=`"$($_.Name)`"" }
+Write-Output ($SiteInfo -join " ")
+#
+########################################################################
+#
+# SITELINK
+#
+$SiteLinks | %{
+	# These values are not stored in the object unless you change them
+	$cost 		= if ($_.Cost -eq $null) { 100 } else { $_.Cost }
+	$options 	= if ($_.options -eq $null) { 0 } else { $_.options }
+	$replInterval	= if ($_.replInterval -eq $null) { 180 * 60 } else { $_.replInterval * 60 }
+	$notifications	= if ($options -band 0x01) { "True" } else { "False" }
+	$reciprocal 	= if ($options -band 0x02) { "True" } else { "False" }
+	$compression	= if ($options -band 0x04) { "False" } else { "True" }
+
+	$SiteLink = @(
+		"Type=`"SiteLink`""
+		"ForestName=`"$($DC.Forest)`""
+		"Name=`"$($_.Name)`""
+		"Cost=`"$($_.Cost)`""
+		"DataCompressionEnabled=$compression"
+		"NotificationEnabled=$notifications"
+		"ReciprocalReplicationEnabled=$reciprocal"
+		"TransportType=$($_.InterSiteTransportProtocol)" 
+		"ReplicationIntervalSecs=$replInterval"
+	)
+	Write-Output ($SiteLink -join " ")
+}
+
+$Subnets | Foreach-Object {
+	$Subnet = @(
+		"Type=`"Subnet`""
+		"ForestName=`"$($DC.Forest)`""
+		"Name=`"$($_.Name)`""
+		"Site=`"$($Site.Name)`""
+		"Location=`"$($_.Location)`""
+	)
+	Write-Output ($Subnet -join " ")
+}

deployment-apps/Splunk_TA_microsoft_ad_FW/bin/powershell/nt6-health.ps1

@@ -0,0 +1,170 @@
+#
+# Determine the health and statistics of this Active Directory Controller
+#
+$Output = New-Object System.Collections.ArrayList
+$Date = Get-Date -format 'yyyy-MM-ddTHH:mm:sszzz'
+[void]$Output.Add($Date)			
+
+# Name of Server
+$ServerName = $env:ComputerName
+[void]$Output.Add("Server=""$ServerName""")
+$BSSN = "\\" + $ServerName
+
+# Domain Information
+
+$S_DS_AD_DOM = [System.DirectoryServices.ActiveDirectory.Domain]::getComputerDomain()
+$WMI_CS      = (Get-WmiObject Win32_ComputerSystem)
+$WMI_DOMAIN	 = Get-WmiObject Win32_NTDomain | Where-Object {$_.DomainControllerName -eq $BSSN}
+
+$DomainDNSName = $WMI_CS.Domain
+$DomainNetBIOSName = $WMI_DOMAIN.DomainName
+$DomainLevel   = $S_DS_AD_DOM.DomainMode
+[void]$Output.Add("DomainDNSName=`"$DomainDNSName`"");
+[void]$Output.Add("DomainNetBIOSName=`"$DomainNetBIOSName`"");
+[void]$Output.Add("DomainLevel=`"$DomainLevel`"");
+
+# Site Information
+$SiteName = $WMI_DOMAIN.ClientSiteName
+[void]$Output.Add("Site=`"$SiteName`"");
+
+# Forest Information
+$ForestName = $S_DS_AD_DOM.Forest.Name
+$ForestLevel = $S_DS_AD_DOM.Forest.ForestMode
+[void]$Output.Add("ForestName=`"$ForestName`"");
+[void]$Output.Add("ForestLevel=`"$ForestLevel`"");
+
+# Domain Controller Flags
+$IsRO = "False"
+$IsEnabled = "False"
+$IsGC = "False"
+$USN = "Unknown"
+$MyName = ($env:ComputerName + "." + $DomainDNSName).ToLower()
+if ($WMI_DOMAIN.Status -eq "OK") {
+	$MyDC = $S_DS_AD_DOM.DomainControllers | Where-Object { $_.Name.ToLower() -eq $MyName.ToLower() }
+	if ($MyDC) {
+		if ($MyDC.IsGlobalCatalog()) {
+			$IsGC = "True"
+		}
+		$USN = $MyDC.HighestCommittedUsn
+		$IsEnabled = "True"
+		
+		$entry = $MyDC.getDirectoryEntry()
+		[void]$Output.Add("Created=`"$($entry.whenCreated)`"")
+		[void]$Output.Add("Changed=`"$($entry.whenChanged)`"")
+		
+		$DN = $entry.Path
+		$ServerEntry = [ADSI]"$DN"
+		$ServerEntry.GetInfoEx(@("msDS-IsRODC"),0)
+		$IsRO = $ServerEntry."msDS-IsRODC"
+	}
+}
+[void]$Output.Add("GlobalCatalog=`"$IsGC`"")
+[void]$Output.Add("RODC=`"$IsRO`"")
+[void]$Output.Add("Enabled=`"$IsEnabled`"")
+[void]$Output.Add("HighestUSN=`"$USN`"")
+
+$SchemaInfo = Get-Item "HKLM:System\CurrentControlSet\Services\NTDS\Parameters"
+$SchemaVersion = $SchemaInfo.GetValue("Schema Version")
+[void]$Output.Add("SchemaVersion=$SchemaVersion")
+
+$NetLogonParams = Get-Item "HKLM:System\CurrentControlSet\Services\Netlogon\Parameters"
+$DCWeight = $NetLogonParams.GetValue("LdapSrvWeight", $null)
+if (!$DCWeight -or $DCWeight -eq $null -or $DCWeight -eq "") {
+	$DCWeight = 100	# This is the default value
+}
+[void]$Output.Add("DCWeight=$DCWeight")
+
+$SiteInfoObj = [System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest().Sites | Where-Object { $_.Name -eq $SiteName }
+
+# Is this host a BridgeHead Server?
+# Field BridgeheadServer (Collection of DirectoryServer objects - check to see if we are listed and set IsBridgeHeadServer=True/False accordingly)
+
+# Is this host a Intersite Topology Generator
+if ($SiteInfoObj.IntersiteTopologyGenerator.Name -and ($SiteInfoObj.IntersiteTopologyGenerator.Name -eq $ServerName -or $SiteInfoObj.IntersiteTopologyGenerator.Name.ToLower() -eq $MyName)) {
+	[void]$Output.Add("IsIntersiteTopologyGenerator=`"True`"")
+} else {
+	[void]$Output.Add("IsIntersiteTopologyGenerator=`"False`"")
+}
+
+
+#
+# Windows Version and Build #
+#
+$WindowsInfo = Get-Item "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion"
+$OS = $WindowsInfo.GetValue("ProductName")
+$OSSP = $WindowsInfo.GetValue("CSDVersion")
+$WinVer = $WindowsInfo.GetValue("CurrentVersion")
+$WinBuild = $WindowsInfo.GetValue("CurrentBuildNumber")
+$OSVER = "$WinVer ($WinBuild)"
+
+[void]$Output.Add("OperatingSystem=""$OS""")
+[void]$Output.Add("ServicePack=""$OSSP""")
+[void]$Output.Add("OSVersion=""$OSVER""")
+
+#
+# FSMO Roles (Schema, DomainNaming, Infrastructure, RIDMaster, PDC)
+#
+$aFSMO = @()
+if ($MyDC -and $MyDC.Roles) {
+	foreach ($role in $MyDC.Roles) {
+		switch ($role) {
+			"SchemaRole"			{ $aFSMO += "Schema" }
+			"NamingRole"			{ $aFSMO += "DomainNaming" }
+			"InfrastructureRole"	{ $aFSMO += "Infrastructure" }
+			"PdcRole"				{ $aFSMO += "PDCEmulator" }
+			"RidRole"				{ $aFSMO += "RIDMaster" }
+		}
+	}
+}
+$FSMORoles = [string]::join(' ', $aFSMO)
+[void]$Output.Add("FSMORoles=""$FSMORoles""")
+
+#
+# Required Processes Running
+#		FRS, DFS-R, Net Logon, KDC, W32Time, ISMSERV
+#
+$RequiredServices = @( "ntfrs", "dfsr", "netlogon", "kdc", "w32time", "ismserv" )
+$srvr = @()
+$srvnr = @()
+foreach ($srv in $RequiredServices) {
+	$status = (Get-Service $srv).Status
+	if ($status -eq "Running") {
+		$srvr += $srv
+	} else {
+		$srvnr += $srv
+	}
+}
+# Note that the only case that ProcsOK == True is when there is ONE service
+# that isn't running - You need one replication services (ntfrs or dfsr) but
+# not both
+$ProcsOK = "False"
+if (($srvnr.Count -eq 0) -or ($srvnr.Count -eq 1 -and ($srvnr[0] -eq "ntfrs" -or $srvnr[0] -eq "dfsr"))) {
+	$ProcsOK = "True"
+}
+$ServicesRunning = [string]::join(',', $srvr)
+$ServicesNotRunning = [string]::join(',', $srvnr)
+[void]$Output.Add("ServicesRunning=""$ServicesRunning""")
+[void]$Output.Add("ServicesNotRunning=""$ServicesNotRunning""")
+[void]$Output.Add("ProcsOK=""$ProcsOK""")
+
+# 
+# Look for Common Problems
+#		SYSVOL is shared out
+#		DC is registered in DNS
+#
+$SysvolShare = (Get-WmiObject Win32_Share|Where-Object { $_.Name -eq "SYSVOL" })
+if ($SysvolShare) {
+	[void]$Output.Add("SYSVOLShare=""True""")
+} else {
+	[void]$Output.Add("SYSVOLShare=""False""")
+}
+
+$DNSEntry = ([System.Net.DNS]::GetHostEntry($ServerName))
+if ($DNSEntry) {
+	[void]$Output.Add("DNSRegister=""True""")
+} else {
+	[void]$Output.Add("DNSRegister=""False""")
+}
+
+# Output the final string
+Write-Host ($output -join " ") 

deployment-apps/Splunk_TA_microsoft_ad_FW/bin/powershell/nt6-siteinfo.ps1

@@ -0,0 +1,41 @@
+#
+# Determine and output information about the Site the server is a member of
+#
+
+$ServerName = $env:ComputerName
+$BSSN = "\\" + $ServerName
+$WMI_DOMAIN	 = Get-WmiObject Win32_NTDomain | Where-Object {$_.DomainControllerName -eq $BSSN}
+$SiteName = $WMI_DOMAIN.ClientSiteName
+$ForestName = [System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest().Name
+
+$Date = Get-Date -format 'yyyy-MM-ddTHH:mm:sszzz'
+$SiteInfoObj = [System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest().Sites | Where-Object { $_.Name -eq $SiteName }
+$ISTG = $SiteInfoObj.IntersiteTopologyGenerator.Name
+
+
+write-host  $Date Type=`"Site`" ForestName=`"$ForestName`" Site=`"$SiteName`" Location=`"$($SiteInfoObj.Location)`" -NoNewline
+$SiteInfoObj.AdjacentSites | Foreach-Object { write-host AdjacentSite=`"$($_.Name)`" -NoNewline }
+write-host IntersiteTopologyGenerator=`"$ISTG`" -NoNewline
+$SiteInfoObj.SiteLinks | Foreach-Object { write-host "" SiteLink=`"$($_.Name)`" -NoNewline }
+$SiteInfoObj.Subnets | Foreach-Object { write-host "" Subnet=`"$($_.Name)`" -nonewline }
+
+write-host #Needed to print a newline for next object
+
+#
+# Output Information about Site Links in this site
+#
+$SiteInfoObj.SiteLinks | Foreach-Object {
+    write-host $Date Type=`"SiteLink`" ForestName=`"$ForestName`" Name=`"$($_.Name)`" Cost=$($_.Cost) DataCompressionEnabled=$($_.DataCompressionEnabled) NotificationEnabled=$($_.NotificationEnabled) ReciprocalReplicationEnabled=$($_.ReciprocalReplicationEnabled) TransportType=$($_.TransportType) ReplicationIntervalSecs=$($_.ReplicationInterval.TotalSeconds) -NoNewLine
+	foreach ($site in $_.Sites) {
+		write-host ""Site=`"$($site.Name)`" -NoNewLine
+	}
+}
+Write-Host  #similar to above
+
+#
+# Output Information about Subnets in this site
+#
+
+$SiteInfoObj.Subnets | Foreach-Object {
+    write-Host $Date Type=`"Subnet`" ForestName=`"$ForestName`" Name=`"$($_.Name)`" Site=`"$SiteName`" Location=`"$($_.Location)`"
+}	

deployment-apps/Splunk_TA_microsoft_ad_FW/bin/runpowershell.cmd

@@ -0,0 +1,14 @@
+@ECHO OFF
+
+:: ######################################################
+:: #
+:: # Splunk for Microsoft Active Directory
+:: # 
+:: # Copyright (C) 2016 Splunk, Inc.
+:: # All Rights Reserved
+:: #
+:: ######################################################
+
+set SplunkApp=Splunk_TA_microsoft_ad
+
+%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe -executionPolicy RemoteSigned -command ". '%SPLUNK_HOME%\etc\apps\%SplunkApp%\bin\powershell\%1'"

deployment-apps/Splunk_TA_microsoft_ad_FW/default/admon.conf

@@ -0,0 +1,3 @@
+[NearestDC]
+disabled = 0
+monitorSubtree = 1

deployment-apps/Splunk_TA_microsoft_ad_FW/default/app.conf

@@ -0,0 +1,16 @@
+[install]
+state = enabled
+is_configured = false
+build = 30
+
+[ui]
+is_visible = false
+label = Splunk Add-on for Microsoft Active Directory
+
+[launcher]
+author = Splunk
+description = {"name":"Splunk Add-on for Microsoft Active Directory"}
+version = 1.0.0
+
+[package]
+id = Splunk_TA_microsoft_ad

deployment-apps/Splunk_TA_microsoft_ad_FW/default/eventgen.conf

@@ -0,0 +1,156 @@
+#### Default replacement for all csv logs
+[perfmon-.*\.csv]
+index=perfmon
+sampletype = csv
+timeMultiple = 2
+## replace timestamp 09/09/2010 23:36:32.0128
+token.0.token = ^(\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2})\.\d+
+token.0.replacementType = timestamp
+token.0.replacement = %m/%d/%Y %H:%M:%S
+
+# Perfmon Collection
+[perfmon-Processor.csv]
+backfill = -15m
+backfillSearch = index=perfmon sourcetype=Perfmon:Processor
+source = Perfmon:Processor
+sourcetype = Perfmon:Processor
+
+[perfmon-Memory.csv]
+backfill = -15m
+backfillSearch = index=perfmon sourcetype=Perfmon:Memory
+source = Perfmon:Memory
+sourcetype = Perfmon:Memory
+
+[perfmon-Network_Interface.csv]
+backfill = -15m
+backfillSearch = index=perfmon sourcetype=Perfmon:Network_Interface
+source = Perfmon:Network_Interface
+sourcetype = Perfmon:Network_Interface
+
+## TODO
+#[perfmon://DFS_Replicated_Folders]
+#object = DFS Replicated Folders
+#counters = Bandwidth Savings Using DFS Replication; RDC Bytes Received; RDC Compressed Size of Files Received; RDC Size of Files Received; RDC Number of Files Received; Compressed Size of Files Received; Size of Files Received; Total Files Received; Deleted Space In Use; Deleted Bytes Cleaned up; Deleted Files Cleaned up; Deleted Bytes Generated; Deleted Files Generated; Updates Dropped; File Installs Retried; File Installs Succeeded; Conflict Folder Cleanups Completed; Conflict Space In Use; Conflict Bytes Cleaned up; Conflict Files Cleaned up; Conflict Bytes Generated; Conflict Files Generated; Staging Space In Use; Staging Bytes Cleaned up; Staging Files Cleaned up; Staging Bytes Generated; Staging Files Generated
+#index=perfmon
+
+[perfmon-NTDS.csv]
+backfill = -15m
+backfillSearch = index=perfmon sourcetype=Perfmon:NTDS
+source = Perfmon:NTDS
+sourcetype = Perfmon:NTDS
+
+# TODO
+#[admon://NearestDC]
+#[sourcetype-ActiveDirectory.csv]
+#sampletype = csv
+#timeMultiple = 2
+#backfill = -15m
+#backfillSearch = index=msad sourcetype=ActiveDirectory
+#index = msad
+#source = ActiveDirectory
+#sourcetype = ActiveDirectory
+## replace timestamp 09/09/2010 23:36:32.0128
+#token.0.token = ^(\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2})\.\d+
+#token.0.replacementType = timestamp
+#token.0.replacement = %m/%d/%Y %H:%M:%S
+
+## TODO
+#[monitor://C:\Windows\debug\netlogon.log]
+#sourcetype=MSAD:NT6:Netlogon
+#index=msad
+
+## Windows 2012 R2
+[WinEventLog-DFS-Replication.csv]
+sampletype = csv
+timeMultiple = 2
+backfill = -15m
+backfillSearch = index=wineventlog sourcetype=WinEventLog:DFS-Replication
+index=wineventlog
+source = WinEventLog:DFS Replication
+sourcetype = WinEventLog:DFS-Replication
+## replace timestamp 03/11/10 01:12:01 PM
+token.0.token = ^\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2}\s+[AaPp][Mm]
+token.0.replacementType = timestamp
+token.0.replacement = %m/%d/%Y %I:%M:%S %p
+
+[WinEventLog-Directory-Service.csv]
+sampletype = csv
+timeMultiple = 2
+backfill = -15m
+backfillSearch = index=wineventlog sourcetype=Directory-Service
+index=wineventlog
+source = WinEventLog:Directory Service
+sourcetype = WinEventLog:Directory-Service
+## replace timestamp 03/11/10 01:12:01 PM
+token.0.token = ^\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2}\s+[AaPp][Mm]
+token.0.replacementType = timestamp
+token.0.replacement = %m/%d/%Y %I:%M:%S %p
+
+## TODO for Win2k3
+#[WinEventLog-File-Replication-Service.csv]
+#sampletype = csv
+#timeMultiple = 2
+#backfill = -15m
+#backfillSearch = index=wineventlog sourcetype=WinEventLog:File-Replication-Service
+#index=wineventlog
+#source = WinEventLog:File Replication Service
+#sourcetype = WinEventLog:File-Replication-Service
+#token.1.token = \d{2}.\d{2}.\d{4} \d{2}.\d{2}.\d{2}.\d{3}
+#token.1.replacementType = timestamp
+#token.1.replacement = %Y-%m-%d %H:%M:%S
+
+## TODO generate events to capture
+#[WinEventLog-Key-Management-Service.csv]
+#sampletype = csv
+#timeMultiple = 2
+#backfill = -15m
+#backfillSearch = index=wineventlog sourcetype=WinEventLog:Key-Management-Service
+#index=wineventlog
+#source = WinEventLog:Key Management Service
+#sourcetype = WinEventLog:Key-Management-Service
+#token.1.token = \d{2}.\d{2}.\d{4} \d{2}.\d{2}.\d{2}.\d{3}
+#token.1.replacementType = timestamp
+#token.1.replacement = %Y-%m-%d %H:%M:%S
+
+## TODO 
+#[MSAD-NT6-ad-repl-stat.sample]
+#timeMultiple = 1
+#backfill = -15m
+#backfillSearch = index=msad sourcetype=MSAD:NT6:Replication
+#index = msad
+#source = Powershell
+#sourcetype = MSAD:NT6:Replication
+#token.0.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}
+#token.0.replacementType = timestamp
+#token.0.replacement = %Y-%m-%d %H:%M:%S,%f
+#token.1.token = \d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}.\d{3}
+#token.1.replacementType = timestamp
+#token.1.replacement = %m-%d-%Y %H:%M:%S.%f
+#token.2.token = \d{2}/\w{3}/\d{4}:\d{2}:\d{2}\:\d{2}.\d{3}
+#token.2.replacementType = timestamp
+#token.2.replacement = %d/%b/%Y:%H:%M:%S.%f
+#token.3.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}
+#token.3.replacementType = timestamp
+#token.3.replacement = %Y-%m-%d %H:%M:%S
+
+#### Default replacement for all sample logs
+[.*\.sample]
+index = msad
+source = Powershell
+token.0.token =  \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}-\d{2}:\d{2}
+token.0.replacementType = timestamp
+token.0.replacement = %Y-%m-%d %H:%M:%S
+
+#[script://.\bin\runpowershell.cmd ad-health.ps1]
+[MSAD-NT6-Health.sample]
+timeMultiple = 1
+backfill = -15m
+backfillSearch = index=msad sourcetype=MSAD:NT6:Health
+sourcetype = MSAD:NT6:Health
+
+#[script://.\bin\runpowershell.cmd siteinfo.ps1]
+[MSAD-NT6-SiteInfo.sample]
+timeMultiple = 1
+backfill = -15m
+backfillSearch = index=msad sourcetype=MSAD:NT6:SiteInfo
+sourcetype = MSAD:NT6:SiteInfo

deployment-apps/Splunk_TA_microsoft_ad_FW/default/eventtypes.conf

@@ -0,0 +1,53 @@
+### AD Eventtypes ####
+
+[admon]
+search = source=ActiveDirectory
+
+[wineventlog-ds]
+search = source="WinEventLog:Directory Service"
+
+[perfmon]
+search = source="Perfmon:*"
+
+[powershell]
+search = source=Powershell
+
+[ad-files]
+search = index=msad 
+
+[perfmon-ntds]
+search = eventtype=perfmon sourcetype="Perfmon:NTDS"
+
+[msad-dc-health]
+search = eventtype=powershell sourcetype="MSAD:*:Health"
+
+[msad-rep-health]
+search = eventtype=powershell sourcetype="MSAD:*:Replication"
+
+[msad-site]
+search = eventtype=powershell sourcetype="MSAD:*:SiteInfo"
+
+[msad-subnetinfo]
+search = eventtype=powershell sourcetype="MSAD:*:SiteInfo" Type="Subnet"
+
+[msad-sitelinkinfo]
+search = eventtype=powershell sourcetype="MSAD:*:SiteInfo" Type="SiteLink"
+
+[msad-siteinfo]
+search = eventtype=powershell sourcetype="MSAD:*:SiteInfo" Type="Site"
+
+[msad-subnet-affinity]
+search = sourcetype="MSAD:*:Netlogon" msad_affinity=NO_CLIENT_SITE
+
+[admon-gpo]
+search = eventtype=admon objectCategory="*CN=Group-Policy-Container*"
+
+[admon-group]
+search = eventtype=admon objectCategory="*CN=Group*"
+
+[admon-computer]
+search = eventtype=admon objectCategory="*CN=Computer*"
+
+[admon-user]
+search = eventtype=admon objectCategory="*CN=Person*"
+

deployment-apps/Splunk_TA_microsoft_ad_FW/default/inputs.conf

@@ -0,0 +1,167 @@
+###
+### Windows Event Logs
+###
+###		Application, System and Security logs are handled
+###		by Splunk_TA_windows and should be compatible with
+###		what we need
+###
+
+#
+# Application and Services Logs - DFS Replication
+#
+[WinEventLog://DFS Replication]
+disabled=0
+sourcetype=WinEventLog:DFS-Replication
+index=wineventlog
+queue=parsingQueue
+
+#
+# Application and Services Logs - Directory Service
+#
+[WinEventLog://Directory Service]
+disabled=0
+sourcetype=WinEventLog:Directory-Service
+index=wineventlog
+queue=parsingQueue
+
+#
+# Application and Services Logs - File Replication Service
+#
+[WinEventLog://File Replication Service]
+disabled=0
+sourcetype=WinEventLog:File-Replication-Service
+index=wineventlog
+queue=parsingQueue
+
+#
+# Application and Services Logs - Key Management Service
+#
+[WinEventLog://Key Management Service]
+disabled=0
+sourcetype=WinEventLog:Key-Management-Service
+index=wineventlog
+queue=parsingQueue
+
+#
+# Collect Replication Information NT6
+#
+[script://.\bin\runpowershell.cmd nt6-repl-stat.ps1]
+source=Powershell
+sourcetype=MSAD:NT6:Replication
+interval=300
+index=msad
+disabled=false
+
+#
+# Collect Replication Information 2012r2
+#
+[powershell://Replication-Stats]
+script = & "$SplunkHome\etc\apps\Splunk_TA_microsoft_ad\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-repl-stats.ps1"
+schedule = 0 */5 * ? * *
+index = msad
+source = Powershell
+sourcetype=MSAD:NT6:Replication
+disabled=false
+
+#
+# Collect Health and Topology Information NT6
+#
+[script://.\bin\runpowershell.cmd nt6-health.ps1]
+source=Powershell
+sourcetype=MSAD:NT6:Health
+interval=300
+index=msad
+disabled=false
+
+#
+# Collect Health and Topology Information 2012r2
+#
+[powershell://AD-Health]
+script = & "$SplunkHome\etc\apps\Splunk_TA_microsoft_ad\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-health.ps1"
+schedule = 0 */5 * ? * *
+index = msad
+source=Powershell
+sourcetype=MSAD:NT6:Health
+disabled=false
+
+
+#
+# Collect Site, Site Link and Subnet Information NT6
+#
+[script://.\bin\runpowershell.cmd nt6-siteinfo.ps1]
+source=Powershell
+sourcetype=MSAD:NT6:SiteInfo
+interval=3600
+index=msad
+disabled=false
+
+#
+# Collect Site, Site Link and Subnet Information 2012r2
+#
+[powershell://Siteinfo]
+script = & "$SplunkHome\etc\apps\Splunk_TA_microsoft_ad\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-siteinfo.ps1"
+schedule = 0 15 * ? * *
+index = msad
+source = Powershell
+sourcetype=MSAD:NT6:SiteInfo
+disabled=false
+
+#
+# Perfmon Collection
+#
+[perfmon://Processor]
+object = Processor
+counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
+instances = *
+interval = 10
+disabled = 0
+index=perfmon
+useEnglishOnly=true
+
+[perfmon://Memory]
+object = Memory
+counters = Page Faults/sec; Available Bytes; Committed Bytes; Commit Limit; Write Copies/sec; Transition Faults/sec; Cache Faults/sec; Demand Zero Faults/sec; Pages/sec; Pages Input/sec; Page Reads/sec; Pages Output/sec; Pool Paged Bytes; Pool Nonpaged Bytes; Page Writes/sec; Pool Paged Allocs; Pool Nonpaged Allocs; Free System Page Table Entries; Cache Bytes; Cache Bytes Peak; Pool Paged Resident Bytes; System Code Total Bytes; System Code Resident Bytes; System Driver Total Bytes; System Driver Resident Bytes; System Cache Resident Bytes; % Committed Bytes In Use; Available KBytes; Available MBytes; Transition Pages RePurposed/sec; Free & Zero Page List Bytes; Modified Page List Bytes; Standby Cache Reserve Bytes; Standby Cache Normal Priority Bytes; Standby Cache Core Bytes; Long-Term Average Standby Cache Lifetime (s)
+interval = 10
+disabled = 0
+index=perfmon
+useEnglishOnly=true
+
+[perfmon://Network_Interface]
+object = Network Interface
+counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size  
+instances = *
+interval = 10
+disabled = 0
+index=perfmon
+useEnglishOnly=true
+
+[perfmon://DFS_Replicated_Folders]
+object = DFS Replicated Folders
+counters = Bandwidth Savings Using DFS Replication; RDC Bytes Received; RDC Compressed Size of Files Received; RDC Size of Files Received; RDC Number of Files Received; Compressed Size of Files Received; Size of Files Received; Total Files Received; Deleted Space In Use; Deleted Bytes Cleaned up; Deleted Files Cleaned up; Deleted Bytes Generated; Deleted Files Generated; Updates Dropped; File Installs Retried; File Installs Succeeded; Conflict Folder Cleanups Completed; Conflict Space In Use; Conflict Bytes Cleaned up; Conflict Files Cleaned up; Conflict Bytes Generated; Conflict Files Generated; Staging Space In Use; Staging Bytes Cleaned up; Staging Files Cleaned up; Staging Bytes Generated; Staging Files Generated
+instances = *
+interval = 30
+disabled = 0
+index=perfmon
+useEnglishOnly=true
+
+[perfmon://NTDS]
+object = NTDS
+counters = DRA Inbound Properties Total/sec; AB Browses/sec; DRA Inbound Objects Applied/sec; DS Threads in Use; AB Client Sessions; DRA Pending Replication Synchronizations; DRA Inbound Object Updates Remaining in Packet; DS Security Descriptor sub-operations/sec; DS Security Descriptor Propagations Events; LDAP Client Sessions; LDAP Active Threads; LDAP Writes/sec; LDAP Searches/sec; DRA Outbound Objects/sec; DRA Outbound Properties/sec; DRA Inbound Values Total/sec; DRA Sync Requests Made; DRA Sync Requests Successful; DRA Sync Failures on Schema Mismatch; DRA Inbound Objects/sec; DRA Inbound Properties Applied/sec; DRA Inbound Properties Filtered/sec; DS Monitor List Size; DS Notify Queue Size; LDAP UDP operations/sec; DS Search sub-operations/sec; DS Name Cache hit rate; DRA Highest USN Issued (Low part); DRA Highest USN Issued (High part); DRA Highest USN Committed (Low part); DRA Highest USN Committed (High part); DS % Writes from SAM; DS % Writes from DRA; DS % Writes from LDAP; DS % Writes from LSA; DS % Writes from KCC; DS % Writes from NSPI; DS % Writes Other; DS Directory Writes/sec; DS % Searches from SAM; DS % Searches from DRA; DS % Searches from LDAP; DS % Searches from LSA; DS % Searches from KCC; DS % Searches from NSPI; DS % Searches Other; DS Directory Searches/sec; DS % Reads from SAM; DS % Reads from DRA; DRA Inbound Values (DNs only)/sec; DRA Inbound Objects Filtered/sec; DS % Reads from LSA; DS % Reads from KCC; DS % Reads from NSPI; DS % Reads Other; DS Directory Reads/sec; LDAP Successful Binds/sec; LDAP Bind Time; SAM Successful Computer Creations/sec: Includes all requests; SAM Machine Creation Attempts/sec; SAM Successful User Creations/sec; SAM User Creation Attempts/sec; SAM Password Changes/sec; SAM Membership Changes/sec; SAM Display Information Queries/sec; SAM Enumerations/sec; SAM Transitive Membership Evaluations/sec; SAM Non-Transitive Membership Evaluations/sec; SAM Domain Local Group Membership Evaluations/sec; SAM Universal Group Membership Evaluations/sec; SAM Global Group Membership Evaluations/sec; SAM GC Evaluations/sec; DRA Inbound Full Sync Objects Remaining; DRA Inbound Bytes Total/sec; DRA Inbound Bytes Not Compressed (Within Site)/sec; DRA Inbound Bytes Compressed (Between Sites, Before Compression)/sec; DRA Inbound Bytes Compressed (Between Sites, After Compression)/sec; DRA Outbound Bytes Total/sec; DRA Outbound Bytes Not Compressed (Within Site)/sec; DRA Outbound Bytes Compressed (Between Sites, Before Compression)/sec; DRA Outbound Bytes Compressed (Between Sites, After Compression)/sec; DS Client Binds/sec; DS Server Binds/sec; DS Client Name Translations/sec; DS Server Name Translations/sec; DS Security Descriptor Propagator Runtime Queue; DS Security Descriptor Propagator Average Exclusion Time; DRA Outbound Objects Filtered/sec; DRA Outbound Values Total/sec; DRA Outbound Values (DNs only)/sec; AB ANR/sec; AB Property Reads/sec; AB Searches/sec; AB Matches/sec; AB Proxy Lookups/sec; ATQ Threads Total; ATQ Threads LDAP; ATQ Threads Other; DRA Inbound Bytes Total Since Boot; DRA Inbound Bytes Not Compressed (Within Site) Since Boot; DRA Inbound Bytes Compressed (Between Sites, Before Compression) Since Boot; DRA Inbound Bytes Compressed (Between Sites, After Compression) Since Boot; DRA Outbound Bytes Total Since Boot; DRA Outbound Bytes Not Compressed (Within Site) Since Boot; DRA Outbound Bytes Compressed (Between Sites, Before Compression) Since Boot; DRA Outbound Bytes Compressed (Between Sites, After Compression) Since Boot; LDAP New Connections/sec; LDAP Closed Connections/sec; LDAP New SSL Connections/sec; DRA Pending Replication Operations; DRA Threads Getting NC Changes; DRA Threads Getting NC Changes Holding Semaphore; DRA Inbound Link Value Updates Remaining in Packet; DRA Inbound Total Updates Remaining in Packet; DS % Writes from NTDSAPI; DS % Searches from NTDSAPI; DS % Reads from NTDSAPI; SAM Account Group Evaluation Latency; SAM Resource Group Evaluation Latency; ATQ Outstanding Queued Requests; ATQ Request Latency; ATQ Estimated Queue Delay; Tombstones Garbage Collected/sec; Phantoms Cleaned/sec; Link Values Cleaned/sec; Tombstones Visited/sec; Phantoms Visited/sec; NTLM Binds/sec; Negotiated Binds/sec; Digest Binds/sec; Simple Binds/sec; External Binds/sec; Fast Binds/sec; Base searches/sec; Subtree searches/sec; Onelevel searches/sec; Database adds/sec; Database modifys/sec; Database deletes/sec; Database recycles/sec; Approximate highest DNT; Transitive operations/sec; Transitive suboperations/sec; Transitive operations milliseconds run    
+interval = 10
+disabled = 0
+index=perfmon
+useEnglishOnly=true
+
+[admon://NearestDC]
+monitorSubtree = 1
+interval=3600
+disabled=false
+index=msad
+
+#
+# Subnet Affinity Log
+#
+[monitor://C:\Windows\debug\netlogon.log]
+sourcetype=MSAD:NT6:Netlogon
+disabled=false
+index=msad

deployment-apps/Splunk_TA_microsoft_ad_FW/default/perfmon.conf

@@ -0,0 +1,42 @@
+[PERFMON:Processor]
+object = Processor
+counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
+instances = *
+interval = 10
+disabled = 0
+index=perfmon
+useEnglishOnly=true
+
+[PERFMON:Memory]
+object = Memory
+counters = Page Faults/sec; Available Bytes; Committed Bytes; Commit Limit; Write Copies/sec; Transition Faults/sec; Cache Faults/sec; Demand Zero Faults/sec; Pages/sec; Pages Input/sec; Page Reads/sec; Pages Output/sec; Pool Paged Bytes; Pool Nonpaged Bytes; Page Writes/sec; Pool Paged Allocs; Pool Nonpaged Allocs; Free System Page Table Entries; Cache Bytes; Cache Bytes Peak; Pool Paged Resident Bytes; System Code Total Bytes; System Code Resident Bytes; System Driver Total Bytes; System Driver Resident Bytes; System Cache Resident Bytes; % Committed Bytes In Use; Available KBytes; Available MBytes; Transition Pages RePurposed/sec; Free & Zero Page List Bytes; Modified Page List Bytes; Standby Cache Reserve Bytes; Standby Cache Normal Priority Bytes; Standby Cache Core Bytes; Long-Term Average Standby Cache Lifetime (s)
+interval = 10
+disabled = 0
+index=perfmon
+useEnglishOnly=true
+
+[PERFMON:Network_Interface]
+object = Network Interface
+counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size  
+instances = *
+interval = 10
+disabled = 0
+index=perfmon
+useEnglishOnly=true
+
+[PERFMON:DFS_Replicated_Folders]
+object = DFS Replicated Folders
+counters = Bandwidth Savings Using DFS Replication; RDC Bytes Received; RDC Compressed Size of Files Received; RDC Size of Files Received; RDC Number of Files Received; Compressed Size of Files Received; Size of Files Received; Total Files Received; Deleted Space In Use; Deleted Bytes Cleaned up; Deleted Files Cleaned up; Deleted Bytes Generated; Deleted Files Generated; Updates Dropped; File Installs Retried; File Installs Succeeded; Conflict Folder Cleanups Completed; Conflict Space In Use; Conflict Bytes Cleaned up; Conflict Files Cleaned up; Conflict Bytes Generated; Conflict Files Generated; Staging Space In Use; Staging Bytes Cleaned up; Staging Files Cleaned up; Staging Bytes Generated; Staging Files Generated
+instances = *
+interval = 30
+disabled = 0
+index=perfmon
+useEnglishOnly=true
+
+[PERFMON:NTDS]
+object = NTDS
+counters = DRA Inbound Properties Total/sec; AB Browses/sec; DRA Inbound Objects Applied/sec; DS Threads in Use; AB Client Sessions; DRA Pending Replication Synchronizations; DRA Inbound Object Updates Remaining in Packet; DS Security Descriptor sub-operations/sec; DS Security Descriptor Propagations Events; LDAP Client Sessions; LDAP Active Threads; LDAP Writes/sec; LDAP Searches/sec; DRA Outbound Objects/sec; DRA Outbound Properties/sec; DRA Inbound Values Total/sec; DRA Sync Requests Made; DRA Sync Requests Successful; DRA Sync Failures on Schema Mismatch; DRA Inbound Objects/sec; DRA Inbound Properties Applied/sec; DRA Inbound Properties Filtered/sec; DS Monitor List Size; DS Notify Queue Size; LDAP UDP operations/sec; DS Search sub-operations/sec; DS Name Cache hit rate; DRA Highest USN Issued (Low part); DRA Highest USN Issued (High part); DRA Highest USN Committed (Low part); DRA Highest USN Committed (High part); DS % Writes from SAM; DS % Writes from DRA; DS % Writes from LDAP; DS % Writes from LSA; DS % Writes from KCC; DS % Writes from NSPI; DS % Writes Other; DS Directory Writes/sec; DS % Searches from SAM; DS % Searches from DRA; DS % Searches from LDAP; DS % Searches from LSA; DS % Searches from KCC; DS % Searches from NSPI; DS % Searches Other; DS Directory Searches/sec; DS % Reads from SAM; DS % Reads from DRA; DRA Inbound Values (DNs only)/sec; DRA Inbound Objects Filtered/sec; DS % Reads from LSA; DS % Reads from KCC; DS % Reads from NSPI; DS % Reads Other; DS Directory Reads/sec; LDAP Successful Binds/sec; LDAP Bind Time; SAM Successful Computer Creations/sec: Includes all requests; SAM Machine Creation Attempts/sec; SAM Successful User Creations/sec; SAM User Creation Attempts/sec; SAM Password Changes/sec; SAM Membership Changes/sec; SAM Display Information Queries/sec; SAM Enumerations/sec; SAM Transitive Membership Evaluations/sec; SAM Non-Transitive Membership Evaluations/sec; SAM Domain Local Group Membership Evaluations/sec; SAM Universal Group Membership Evaluations/sec; SAM Global Group Membership Evaluations/sec; SAM GC Evaluations/sec; DRA Inbound Full Sync Objects Remaining; DRA Inbound Bytes Total/sec; DRA Inbound Bytes Not Compressed (Within Site)/sec; DRA Inbound Bytes Compressed (Between Sites, Before Compression)/sec; DRA Inbound Bytes Compressed (Between Sites, After Compression)/sec; DRA Outbound Bytes Total/sec; DRA Outbound Bytes Not Compressed (Within Site)/sec; DRA Outbound Bytes Compressed (Between Sites, Before Compression)/sec; DRA Outbound Bytes Compressed (Between Sites, After Compression)/sec; DS Client Binds/sec; DS Server Binds/sec; DS Client Name Translations/sec; DS Server Name Translations/sec; DS Security Descriptor Propagator Runtime Queue; DS Security Descriptor Propagator Average Exclusion Time; DRA Outbound Objects Filtered/sec; DRA Outbound Values Total/sec; DRA Outbound Values (DNs only)/sec; AB ANR/sec; AB Property Reads/sec; AB Searches/sec; AB Matches/sec; AB Proxy Lookups/sec; ATQ Threads Total; ATQ Threads LDAP; ATQ Threads Other; DRA Inbound Bytes Total Since Boot; DRA Inbound Bytes Not Compressed (Within Site) Since Boot; DRA Inbound Bytes Compressed (Between Sites, Before Compression) Since Boot; DRA Inbound Bytes Compressed (Between Sites, After Compression) Since Boot; DRA Outbound Bytes Total Since Boot; DRA Outbound Bytes Not Compressed (Within Site) Since Boot; DRA Outbound Bytes Compressed (Between Sites, Before Compression) Since Boot; DRA Outbound Bytes Compressed (Between Sites, After Compression) Since Boot; LDAP New Connections/sec; LDAP Closed Connections/sec; LDAP New SSL Connections/sec; DRA Pending Replication Operations; DRA Threads Getting NC Changes; DRA Threads Getting NC Changes Holding Semaphore; DRA Inbound Link Value Updates Remaining in Packet; DRA Inbound Total Updates Remaining in Packet; DS % Writes from NTDSAPI; DS % Searches from NTDSAPI; DS % Reads from NTDSAPI; SAM Account Group Evaluation Latency; SAM Resource Group Evaluation Latency; ATQ Outstanding Queued Requests; ATQ Request Latency; ATQ Estimated Queue Delay; Tombstones Garbage Collected/sec; Phantoms Cleaned/sec; Link Values Cleaned/sec; Tombstones Visited/sec; Phantoms Visited/sec; NTLM Binds/sec; Negotiated Binds/sec; Digest Binds/sec; Simple Binds/sec; External Binds/sec; Fast Binds/sec; Base searches/sec; Subtree searches/sec; Onelevel searches/sec; Database adds/sec; Database modifys/sec; Database deletes/sec; Database recycles/sec; Approximate highest DNT; Transitive operations/sec; Transitive suboperations/sec; Transitive operations milliseconds run    
+interval = 10
+disabled = 0
+index=perfmon
+useEnglishOnly=true

deployment-apps/Splunk_TA_microsoft_ad_FW/default/props.conf

@@ -0,0 +1,21 @@
+[MSAD:NT6:Health]
+SHOULD_LINEMERGE = false
+CHECK_FOR_HEADER = false
+
+[MSAD:NT6:SiteInfo]
+SHOULD_LINEMERGE = false
+CHECK_FOR_HEADER = false
+REPORT-extractions = MSAD-SiteInfo-AdjacentSites, MSAD-SiteInfo-Sites, MSAD-SiteInfo-SiteLinks, MSAD-SiteInfo-Subnets
+
+[MSAD:NT6:Replication]
+SHOULD_LINEMERGE = false
+CHECK_FOR_HEADER = false
+
+[MSAD:NT6:Netlogon]
+SHOULD_LINEMERGE = false
+CHECK_FOR_HEADER = false
+LINE_BREAKER = ([\r\n]+(?=\d{2}\/\d{2} \d{2}:\d{2}:\d{2} \[))
+EXTRACT-subnetaffinity = \s(?<src_domain>[^:]+): (?<msad_affinity>NO_CLIENT_SITE): (?<src_host>[^\s]+) (?<src_ip>[0-9A-Fa-f:\.]+)
+
+[MSAD:SubnetAffinity]
+EXTRACT-subnetaffinity = (?<src_nt_domain>\w+): NO_CLIENT_SITE: (?<src_host>\w+) (?<src_ip>[0-9\.]+)

deployment-apps/Splunk_TA_microsoft_ad_FW/default/transforms.conf

@@ -0,0 +1,24 @@
+[MSAD-Netlogon-Subnetaffinity]
+DEST_KEY=MetaData:Sourcetype
+REGEX=.*NO_CLIENT_SITE:.*
+FORMAT=sourcetype::MSAD:SubnetAffinity
+
+[MSAD-SiteInfo-AdjacentSites]
+REGEX=AdjacentSite="([^"]+)
+FORMAT=AdjacentSite::$1
+MV_ADD=True
+
+[MSAD-SiteInfo-SiteLinks]
+REGEX=SiteLink="([^"]+)
+FORMAT=SiteLink::$1
+MV_ADD=True
+
+[MSAD-SiteInfo-Sites]
+REGEX=Site="([^"]+)
+FORMAT=Site::$1
+MV_ADD=True
+
+[MSAD-SiteInfo-Subnets]
+REGEX=Subnet="([^"]+)
+FORMAT=Subnet::$1
+MV_ADD=True

deployment-apps/Splunk_TA_microsoft_ad_FW/license-eula.rtf

@@ -0,0 +1,57 @@
+{\rtf1\ansi\ansicpg1252\deff0{\fonttbl{\f0\fswiss\fcharset0 Helvetica;}}
+{\*\generator Msftedit 5.41.21.2508;}
+{\info
+{\title Splunk Software License Agreement}
+{\*\company Splunk Inc.}}\viewkind4\uc1\pard\qc\lang1033\b\f0\fs22 SPLUNK SOFTWARE LICENSE AGREEMENT\par
+\pard\b0\fs18\par
+THIS SPLUNK SOFTWARE LICENSE AGREEMENT (THE "AGREEMENT") GOVERNS ALL SOFTWARE PROVIDED BY SPLUNK INC. ("SPLUNK") INCLUDING FREE SPLUNK SOFTWARE ("FREE SOFTWARE") AND SOFTWARE PURCHASED THROUGH SPLUNK'S ONLINE STORE OR OTHER CHANNELS ("PURCHASED SOFTWARE"), COLLECTIVELY THE SPLUNK SOFTWARE ("SOFTWARE") AND ANY AND ALL UPDATES, UPGRADES, AND MODIFICATIONS THERETO. CONFIRMATION OF YOUR ORDERS ("ORDER CONFIRMATION") WILL BE DEEMED INCORPORATED INTO AND MADE PART OF THIS AGREEMENT.\par
+\par
+YOU WILL BE REQUIRED TO INDICATE YOUR AGREEMENT TO THESE TERMS AND CONDITIONS IN ORDER TO DOWNLOAD THE SOFTWARE AND REGISTER WITH SPLUNK IN ORDER TO OBTAIN LICENSE KEYS NECESSARY TO COMPLETE THE INSTALLATION PROCESS FOR PURCHASED SOFTWARE.  BY CLICKING ON THE "YES" BUTTON, DOWNLOADING OR INSTALLING THE SOFTWARE, OR USING ANY MEDIA THAT CONTAINS THE SOFTWARE, YOU ARE CONSENTING TO BE BOUND BY THIS AGREEMENT.\par
+\par
+IF YOU AGREE TO THESE TERMS ON BEHALF OF A BUSINESS, YOU REPRESENT AND WARRANT THAT YOU HAVE AUTHORITY TO BIND THAT BUSINESS TO THIS AGREEMENT, AND YOUR AGREEMENT TO THESE TERMS WILL BE TREATED AS THE AGREEMENT OF THE BUSINESS. IN THAT EVENT, "YOU" AND "YOUR" REFER HEREIN TO THAT BUSINESS.\par
+\par
+"Splunk Developer API" means the documentation and functionality enabling  the creation of extensions to the Software. "Example Modules" means the  source code and binary form of examples that use the Splunk Developer  API.  \par
+\par
+PURCHASED SOFTWARE TERM. Unless earlier terminated, this Agreement will be  in effect perpetually for any Purchased Software. "Term" means the period in  which the Agreement is in effect.\par
+\par
+PURCHASED SOFTWARE FREE TRIAL. Notwithstanding the foregoing, if the  applicable Order Confirmation is limited to a free trial license, then  the Term will be limited to the free trial period specified in the Order  Confirmation, this Agreement and any license rights granted hereunder will  automatically terminate at the end of the free trial period, and there  will be no Renewal Term. Any license keys provided for a free trial will automatically expire and may cause the Software to become non-operational at the end of the free trial period. Provisions in this Agreement regarding License Fees, Maintenance and Support, and Warranty will not apply to free trials.\par
+\par
+PURCHASED SOFTWARE LICENSE. Subject to your compliance with the terms and conditions of this Agreement, including your payment of the license fees set forth in each Order Confirmation (the "License Fees"), Splunk grants you a nonexclusive, nontransferable, revocable, limited license during the Term to use the Software for which you have paid the applicable License Fees as set forth in your Order Confirmation(s), only for your internal business purposes (which shall include use by consultants, accountants, auditors and attorneys hired to perform services for you) and only subject to the following conditions: you may use each Splunk Server with an Enterprise license to index no more than the peak daily volume of uncompressed data for which you have paid the applicable License Fees as set forth in your Order Confirmation (the "Maximum Peak Daily Volume"). The Software will be configured to display warnings and/or cease indexing data when the Maximum Peak Daily Volume is reached.\par
+\par
+FREE SOFTWARE LICENSE. Subject to the terms and conditions of this Agreement, Splunk grants to You a non-exclusive, worldwide, fully-paid up copyright license to use the Free Splunk Software in binary form only and only subject to the following conditions: (i) to index no more than 500MB of peak daily volume of uncompressed data (the 'Maximum Peak Daily Volume') and only for your internal business purposes (which shall include use by consultants, accountants, auditors and attorneys hired to perform services for you). The Software will be configured to display warnings, reduce available functionality, and/or cease indexing data when the Maximum Peak Daily Volume is reached.\par
+\par
+EXTENSION LICENSE. Splunk further grants to You a non-exclusive, worldwide, fully-paid up copyright license to use the Splunk Developer API and Example Modules included with the Software solely for the purpose of developing extensions to access the Splunk API or Example Modules for Your use in conjunction with the Software (collectively, "Your Extensions"). You agree to assume full responsibility for the performance of Your Extensions, and shall indemnify, hold harmless, and defend Splunk (including all of its officers, employees, directors, subsidiaries, representatives, affiliates and agents) and Splunk's suppliers from and against any claims or lawsuits, including attorney's fees and expenses, that arise or result from Your Extensions pursuant to this Agreement. You retain title to and copyright for Your Extensions, subject to Splunk's title to and copyright for the Software, the Splunk Developer API, and the Example Modules as specified in Ownership and Copyrights, below. This Agreement does not grant you any distribution rights. If you want to distribute or provide to any third parties Your Extensions, you must first register as a Splunk application developer and agree to the Splunk Developer Agreement at http://www.splunk.com/goto/devagreement. You will not remove or change any Splunk copyright notices or branding included in the Splunk Software or required by Splunk's Identity Guidelines as set forth at http://www.splunk.com/goto/splunkpowered, Splunk Developer APIs, or Example Modules, and will include such notices and branding in each copy of Your Extensions, the Splunk Software, the Splunk Developer APIs, and the Examples Modules that you make or distribute.\par
+\par
+PURCHASED SOFTWARE RESTRICTIONS. You agree not to (i) use the Software except as expressly authorized in this Agreement and your Order Confirmation; (ii) copy the Software (except as required to run the Software and for reasonable backup purposes); (iii) modify, adapt, or create derivative works of the Software; (iv) rent, lease, loan, resell, transfer, sublicense (including but not limited to offering any of the functionality of the Software on a service provider, hosted or time sharing basis) or distribute the Software to any third party; (v) decompile, disassemble or reverse-engineer the Software or otherwise attempt to derive the Software source code; (vi) disclose to any third party the results of any benchmark tests or other evaluation of the Software, or (vii) authorize any third parties to do any of the above.\par
+\par
+FREE SOFTWARE RESTRICTIONS. You shall not (i) decompile, disassemble or reverse engineer the Free Software without the express written authorization of Splunk; (ii) modify, adapt, or create derivative works of the Free Software; (iii) rent, lease, loan, or resell the Free Software, the Splunk Developer API, Example Modules, or Your Extensions (including but not limited to offering the functionality of the Free Software on an applications service provider or time sharing basis), except as expressly permitted in the Splunkbase Application Developer Agreement; (iv) decompile, disassemble or reverse-engineer the Software or otherwise attempt to derive the Software source code; (v) disclose to any third party the results of any benchmark tests or other evaluation of the Software, or (vi) authorize any third parties to do any of the above.\par
+\par
+OWNERSHIP. Splunk and/or its licensors own all worldwide right, title and interest in and to the Software, including all worldwide intellectual property rights therein. You will not delete or in any manner alter the copyright, trademark, and other proprietary rights notices appearing in or on the Software as provided. All right, title, and interest in and to all copies the Splunk Developer API, and the Example Modules remains with Splunk and/or its licensors. The Software, Splunk Developer API, and Example Modules are copyrighted and protected by the laws of the United States and other countries, and international treaty provisions. You may not remove any copyright notices from the Software, the Splunk Developer API, or the Example Modules.\par
+\par
+PURCHASED SOFTWARE LICENSE AND FEES. In order to access and use the Software, you are required to pay to Splunk the License Fees in accordance with your Order Confirmation. The License Fees will be due and payable in accordance with the terms set forth in your Order Confirmation. Any failure to pay the License Fees in accordance with an Order Confirmation will result in automatic revocation and termination of this Agreement and all rights and licenses granted hereunder. All License Fees are non-refundable once paid.\par
+\par
+MAINTENANCE AND SUPPORT. Subject to your payment of the applicable annual maintenance and support fees set forth in your Order Confirmation (the "Support Fees"), Splunk will provide the level of support for the Purchased Software identified in your Order Confirmation in accordance with the support descriptions set forth on Splunk's website at www.splunk.com. Splunk is not obligated to support, update or upgrade the Free Software.\par
+\par
+PURCHASED SOFTWARE VERIFICATION AND AUDIT. At Splunk's written request, you will furnish Splunk with a certification signed by an officer of your company verifying that the Software is being used in accordance with the terms and conditions of this Agreement and the applicable Order Confirmations. Upon at least ten (10) days prior written notice, Splunk may audit your use of the Software to ensure that you are in compliance with the terms of this Agreement and the applicable Orders. Any such audit will be conducted during regular business hours at your facilities, will not unreasonably interfere with your business activities and will be in compliance with your reasonable security procedures. You will provide Splunk with access to the relevant records and facilities. If an audit reveals that you have exceeded the daily peak volume during the period audited, then Splunk will invoice you, and you will promptly pay Splunk any underpaid fees based on Splunk's price list in effect at the time the audit is completed. If the daily peak volume usage exceeds ten percent (10%) of the licensed usage, then you will also pay Splunk's reasonable costs of conducting the audit.\par
+\par
+PURCHASED SOFTWARE WARRANTY. Splunk warrants that for a period of thirty (30) days after your registration of the Software with Splunk, the Software will substantially achieve any material function described in documentation for the Software published by Splunk. As Splunk's sole liability and your sole remedy for any failure of the Software to conform to this warranty, Splunk will repair or replace (at Splunk's option) your copy of the Software.\par
+\par
+WARRANTY DISCLAIMER. EXCEPT AS SET FORTH ABOVE, SPLUNK DISCLAIMS ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, QUIET ENJOYMENT AND WARRANTIES ARISING OUT OF COURSE OF DEALING OR USAGE OF TRADE. Splunk does not warrant (i) that the Software, developer's API'S or example modules will meet your requirements, (ii) that the Software will operate in the combinations that you may select, (iii) that the Software will serve the purposes intended by you, or (iv) that the operation of the Software will be error free or uninterrupted or that any Software errors will be corrected.\par
+\par
+LIMITATION OF LIABILITY. SPLUNK'S TOTAL CUMULATIVE LIABILITY TO YOU, FROM ALL CAUSES OF ACTION AND ALL THEORIES OF LIABILITY, WILL BE LIMITED TO AND WILL NOT EXCEED THE AMOUNTS PAID BY YOU TO SPLUNK IN THE TWELVE MONTHS PRIOR TO THE EVENT GIVING RISE TO SUCH LIABILITY. IN NO EVENT WILL SPLUNK BE LIABLE TO YOU FOR ANY SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES (INCLUDING LOSS OF USE, DATA, OR PROFITS, BUSINESS INTERRUPTION, OR COSTS OF PROCURING SUBSTITUTE SOFTWARE) ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT OR THE USE OR PERFORMANCE OF THE SOFTWARE, WHETHER SUCH LIABILITY ARISES FROM CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, AND WHETHER OR NOT SPLUNK HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE. THE PARTIES HAVE AGREED THAT THESE LIMITATIONS WILL SURVIVE AND APPLY EVEN IF ANY REMEDY IS FOUND TO HAVE FAILED OF ITS ESSENTIAL PURPOSE. WITHOUT LIMITING THE FOREGOING, SPLUNK WILL HAVE NO LIABILITY OR RESPONSIBILITY FOR ANY BUSINESS INTERRUPTION OR LOSS OF DATA ARISING FROM THE AUTOMATIC TERMINATION OF THE LICENSE RIGHTS GRANTED HEREIN AND ANY ASSOCIATED CESSATION OF THE SOFTWARE FUNCTIONS. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.\par
+\par
+PURCHASED SOFTWARE INDEMNITY. Splunk will defend, indemnify and hold you harmless from and against any loss, damage, liability or cost (including reasonable attorneys' fees) resulting from any third party claim that the Purchased Software infringes or violates any third party's patent, copyright or trademark rights; provided that you promptly notify Splunk in writing of any and all such claims. In the event of any loss, damage, liability or cost for which Splunk is obligated to indemnify you hereunder, Splunk shall have sole control of the defense and all related settlement negotiations, and you shall reasonably cooperate with Splunk in the defense and/or settlement thereof at Splunk's expense; provided that you may participate in such defense using your own counsel, at your own expense.\par
+\par
+TERMINATION. You may terminate this Agreement at any time by destroying or returning to Splunk all copies of the Software, including any documentation, in your possession and control, and providing to Splunk a written statement signed by an authorized representative of your company notifying Splunk that you are terminating the Agreement and certifying such destruction or return. Upon thirty days notice, Splunk may terminate this Agreement (and your license rights) upon notice in the event that you breach any provision of this Agreement and have not cured the breach during such notice period. Upon any expiration or termination of this Agreement, the rights and licenses granted hereunder will automatically terminate, and you agree to immediately cease using the Software and to return or destroy all copies of the Software in your possession or control. In the event of termination of this Agreement, Splunk will have no obligation to refund any License Fees, Support Fees, or other fees received from you during the Term. All provisions of this Agreement related to disclaimers of warranties, limitation of liability, remedies, damages, or Splunk's proprietary rights shall survive termination.\par
+\par
+SEVERABILITY. All rights and remedies, whether conferred hereunder or by any other instrument or law, will be cumulative and may be exercised singularly or concurrently. Failure by either Splunk or You to enforce any term will not be deemed a waiver of future enforcement of that or any other term. The terms and conditions stated herein are declared to be severable. Should any term(s) or condition(s) of this Agreement be held to be invalid or unenforceable the validity, construction and enforceability of the remaining terms and conditions of this Agreement shall not be affected.\par
+\par
+EXPORT. You agree to comply fully with all relevant export laws and regulations of the United States ("Export Laws") to ensure that the Software is not (i) exported or re-exported directly or indirectly in violation of Export Laws; or (ii) intended to be used for any purposes prohibited by the Export Laws, including but not limited to nuclear, chemical, or biological weapons proliferation.\par
+\par
+GOVERNMENT RESTRICTED RIGHTS. The Software shall be classified as "commercial computer software" as defined in the applicable provisions of the Federal Acquisition Regulation (the "FAR") and supplements thereto, including the Department of Defense (DoD) FAR Supplement (the "DFARS"). The parties acknowledge that the Software was developed entirely at private expense and that no part of the Software was first produced in the performance of a Government contract. If the Software is supplied for use by DoD, the Software is delivered subject to the terms of this Agreement and in accordance with DFARS 227.7202-1(a) and 227.7202-3(a) (1995), with restricted rights in accordance with DFARS 252.227-7013(c)(1)(ii) (OCT 1988), as applicable. If the Software is supplied for use by a Federal agency other than DoD, the Software is restricted computer software delivered subject to the terms of this Agreement and FAR 12.212(a) (1995); (ii) FAR 52.227-19; or FAR 52.227-14(ALT III), as applicable.\par
+\par
+PUBLICITY.  You agree that Splunk may identify you as a Splunk customer on Splunk websites, client lists, press releases, and/or other marketing.  You also agree that Splunk may publish a brief description highlighting your deployment of the Software.\par
+\par
+GENERAL. This Agreement shall be governed by and construed in accordance with the laws of the State of California, as if performed wholly within the state and without giving effect to the principles of conflict of law. Any legal action or proceeding arising under this Agreement will be brought exclusively in the federal or state courts located in the Northern District of California and the parties hereby consent to personal jurisdiction and venue therein. If any portion hereof is found to be void or unenforceable, the remaining provisions of this Agreement shall remain in full force and effect. Neither party may assign this Agreement, in whole or in part, except in connection with an internal reorganization or a sale of the business with which this Agreement is associated without Splunk's prior written consent, and any attempt to assign this Agreement other than as permitted above will be null and void. This Agreement is intended for the sole and exclusive benefit of the parties and is not intended to benefit any third party. Only the parties to this Agreement may enforce it. This Agreement and any Order Confirmations constitute the complete and exclusive understanding and agreement between the parties regarding their subject matter and supersede all prior or contemporaneous agreements or understandings, written or oral, relating to their subject matter. Any waiver, modification or amendment of any provision of this Agreement will be effective only if in writing and signed by duly authorized representatives of both parties.\par
+}
+

deployment-apps/Splunk_TA_microsoft_ad_FW/metadata/default.meta

@@ -0,0 +1,35 @@
+# shared Application-level permissions
+[]
+access = read : [ * ], write : [ admin ]
+export = system
+
+######################################################
+#
+# Splunk for Windows Infrastructure
+# Windows Domain Controller Data Definition
+# 
+# Copyright (C) 2016 Splunk, Inc.
+# All Rights Reserved
+#
+######################################################
+[]
+access = read : [ * ], write : [ admin, power ]
+
+[eventtypes]
+export = system
+
+[props]
+export = system
+
+[transforms]
+export = system
+
+[lookups]
+export = system
+
+[tags]
+export = system
+
+[viewstates]
+access = read : [ * ], write : [ * ]
+export = system

deployment-apps/Splunk_TA_microsoft_ad_FW/samples/MSAD-NT6-Health.sample

@@ -0,0 +1 @@
+2015-01-06T10:37:54-08:00 Server="WIN-6LR3JNJ6LVD" DomainDNSName="spl.com" DomainNetBIOSName="SPL" DomainLevel="Windows2012R2Domain" Site="Default-First-Site-Name" ForestName="spl.com" ForestLevel="Windows2012R2Forest" Created="12/29/2014 23:52:50" Changed="12/29/2014 23:53:54" GlobalCatalog="True" RODC="False" Enabled="True" HighestUSN="13547" SchemaVersion=69 DCWeight=100 IsIntersiteTopologyGenerator="True" OperatingSystem="Windows Server 2012 R2 Datacenter Evaluation" ServicePack="" OSVersion="6.3 (9600)" FSMORoles="Schema DomainNaming PDCEmulator RIDMaster Infrastructure" ServicesRunning="dfsr,netlogon,kdc,w32time,ismserv" ServicesNotRunning="ntfrs" ProcsOK="True" SYSVOLShare="True" DNSRegister="True"

deployment-apps/Splunk_TA_microsoft_ad_FW/samples/MSAD-NT6-SiteInfo.sample

@@ -0,0 +1,2 @@
+2015-01-06T10:52:12-08:00 Type="Site" ForestName="spl.com" Site="Default-First-Site-Name" Location=""IntersiteTopologyGenerator="WIN-6LR3JNJ6LVD.spl.com" SiteLink="DEFAULTIPSITELINK"
+2015-01-06T10:52:12-08:00 Type="SiteLink" ForestName="spl.com" Name="DEFAULTIPSITELINK" Cost=100 DataCompressionEnabled=True NotificationEnabled=False ReciprocalReplicationEnabled=False TransportType=Rpc ReplicationIntervalSecs=10800 Site="Default-First-Site-Name"

deployment-apps/Splunk_TA_microsoft_ad_FW/samples/WinEventLog-DFS-Replication.csv

@@ -0,0 +1,239 @@
+index,host,source,sourcetype,"_raw","_time"
+wineventlog,"WIN-6LR3JNJ6LVD","WinEventLog:DFS Replication","WinEventLog:DFS-Replication","12/29/2014 03:50:21 PM
+LogName=DFS Replication
+SourceName=DFSR
+EventCode=1002
+EventType=4
+Type=Information
+ComputerName=WIN-6LR3JNJ6LVD
+TaskCategory=None
+OpCode=None
+RecordNumber=1
+Keywords=Classic
+Message=The DFS Replication service is starting.","2014-12-29T15:50:21.000-0800"
+wineventlog,"WIN-6LR3JNJ6LVD","WinEventLog:DFS Replication","WinEventLog:DFS-Replication","12/29/2014 03:50:21 PM
+LogName=DFS Replication
+SourceName=DFSR
+EventCode=1004
+EventType=4
+Type=Information
+ComputerName=WIN-6LR3JNJ6LVD
+TaskCategory=None
+OpCode=None
+RecordNumber=2
+Keywords=Classic
+Message=The DFS Replication service has started.","2014-12-29T15:50:21.000-0800"
+wineventlog,"WIN-6LR3JNJ6LVD","WinEventLog:DFS Replication","WinEventLog:DFS-Replication","12/29/2014 03:50:22 PM
+LogName=DFS Replication
+SourceName=DFSR
+EventCode=1314
+EventType=4
+Type=Information
+ComputerName=WIN-6LR3JNJ6LVD
+TaskCategory=None
+OpCode=None
+RecordNumber=3
+Keywords=Classic
+Message=The DFS Replication service successfully configured the debug log files. 
+ 
+Additional Information: 
+Debug Log File Path: C:\Windows\debug","2014-12-29T15:50:22.000-0800"
+wineventlog,"WIN-6LR3JNJ6LVD","WinEventLog:DFS Replication","WinEventLog:DFS-Replication","12/29/2014 03:50:24 PM
+LogName=DFS Replication
+SourceName=DFSR
+EventCode=6102
+EventType=4
+Type=Information
+ComputerName=WIN-6LR3JNJ6LVD
+TaskCategory=None
+OpCode=None
+RecordNumber=4
+Keywords=Classic
+Message=The DFS Replication service has successfully registered the WMI provider.","2014-12-29T15:50:24.000-0800"
+wineventlog,"WIN-6LR3JNJ6LVD","WinEventLog:DFS Replication","WinEventLog:DFS-Replication","12/29/2014 03:50:25 PM
+LogName=DFS Replication
+SourceName=DFSR
+EventCode=1202
+EventType=2
+Type=Error
+ComputerName=WIN-6LR3JNJ6LVD
+TaskCategory=None
+OpCode=None
+RecordNumber=5
+Keywords=Classic
+Message=The DFS Replication service failed to contact domain controller  to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues. 
+ 
+Additional Information: 
+Error: 1355 (The specified domain either does not exist or could not be contacted.)","2014-12-29T15:50:25.000-0800"
+wineventlog,"WIN-6LR3JNJ6LVD","WinEventLog:DFS Replication","WinEventLog:DFS-Replication","12/29/2014 03:52:51 PM
+LogName=DFS Replication
+SourceName=DFSR
+EventCode=1006
+EventType=4
+Type=Information
+ComputerName=WIN-6LR3JNJ6LVD
+TaskCategory=None
+OpCode=None
+RecordNumber=6
+Keywords=Classic
+Message=The DFS Replication service is stopping.","2014-12-29T15:52:51.000-0800"
+wineventlog,"WIN-6LR3JNJ6LVD","WinEventLog:DFS Replication","WinEventLog:DFS-Replication","12/29/2014 03:52:51 PM
+LogName=DFS Replication
+SourceName=DFSR
+EventCode=1008
+EventType=4
+Type=Information
+ComputerName=WIN-6LR3JNJ6LVD
+TaskCategory=None
+OpCode=None
+RecordNumber=7
+Keywords=Classic
+Message=The DFS Replication service has stopped.","2014-12-29T15:52:51.000-0800"
+wineventlog,"WIN-6LR3JNJ6LVD","WinEventLog:DFS Replication","WinEventLog:DFS-Replication","12/29/2014 03:53:56 PM
+LogName=DFS Replication
+SourceName=DFSR
+EventCode=1002
+EventType=4
+Type=Information
+ComputerName=WIN-6LR3JNJ6LVD.spl.com
+TaskCategory=None
+OpCode=None
+RecordNumber=8
+Keywords=Classic
+Message=The DFS Replication service is starting.","2014-12-29T15:53:56.000-0800"
+wineventlog,"WIN-6LR3JNJ6LVD","WinEventLog:DFS Replication","WinEventLog:DFS-Replication","12/29/2014 03:53:56 PM
+LogName=DFS Replication
+SourceName=DFSR
+EventCode=1004
+EventType=4
+Type=Information
+ComputerName=WIN-6LR3JNJ6LVD.spl.com
+TaskCategory=None
+OpCode=None
+RecordNumber=9
+Keywords=Classic
+Message=The DFS Replication service has started.","2014-12-29T15:53:56.000-0800"
+wineventlog,"WIN-6LR3JNJ6LVD","WinEventLog:DFS Replication","WinEventLog:DFS-Replication","12/29/2014 03:53:57 PM
+LogName=DFS Replication
+SourceName=DFSR
+EventCode=1314
+EventType=4
+Type=Information
+ComputerName=WIN-6LR3JNJ6LVD.spl.com
+TaskCategory=None
+OpCode=None
+RecordNumber=10
+Keywords=Classic
+Message=The DFS Replication service successfully configured the debug log files. 
+ 
+Additional Information: 
+Debug Log File Path: C:\Windows\debug","2014-12-29T15:53:57.000-0800"
+wineventlog,"WIN-6LR3JNJ6LVD","WinEventLog:DFS Replication","WinEventLog:DFS-Replication","12/29/2014 03:54:22 PM
+LogName=DFS Replication
+SourceName=DFSR
+EventCode=6102
+EventType=4
+Type=Information
+ComputerName=WIN-6LR3JNJ6LVD.spl.com
+TaskCategory=None
+OpCode=None
+RecordNumber=11
+Keywords=Classic
+Message=The DFS Replication service has successfully registered the WMI provider.","2014-12-29T15:54:22.000-0800"
+wineventlog,"WIN-6LR3JNJ6LVD","WinEventLog:DFS Replication","WinEventLog:DFS-Replication","12/29/2014 03:54:24 PM
+LogName=DFS Replication
+SourceName=DFSR
+EventCode=1206
+EventType=4
+Type=Information
+ComputerName=WIN-6LR3JNJ6LVD.spl.com
+TaskCategory=None
+OpCode=None
+RecordNumber=12
+Keywords=Classic
+Message=The DFS Replication service successfully contacted domain controller WIN-6LR3JNJ6LVD.spl.com to access configuration information.","2014-12-29T15:54:24.000-0800"
+wineventlog,"WIN-6LR3JNJ6LVD","WinEventLog:DFS Replication","WinEventLog:DFS-Replication","12/29/2014 03:54:24 PM
+LogName=DFS Replication
+SourceName=DFSR
+EventCode=8000
+EventType=4
+Type=Information
+ComputerName=WIN-6LR3JNJ6LVD.spl.com
+TaskCategory=None
+OpCode=None
+RecordNumber=13
+Keywords=Classic
+Message=The DFSR global settings required for SYSVOL migration have been successfully created on the Primary Domain Controller WIN-6LR3JNJ6LVD. Migration will not be triggered until the DFSR global settings are replicated to all the Domain Controllers. 
+ 
+Additional Information: 
+Primary Domain Controller: WIN-6LR3JNJ6LVD","2014-12-29T15:54:24.000-0800"
+wineventlog,"WIN-6LR3JNJ6LVD","WinEventLog:DFS Replication","WinEventLog:DFS-Replication","12/29/2014 03:54:24 PM
+LogName=DFS Replication
+SourceName=DFSR
+EventCode=6016
+EventType=3
+Type=Warning
+ComputerName=WIN-6LR3JNJ6LVD.spl.com
+TaskCategory=None
+OpCode=None
+RecordNumber=14
+Keywords=Classic
+Message=The DFS Replication service failed to update configuration in Active Directory Domain Services. The service will retry this operation periodically. 
+ 
+Additional Information: 
+Object Category: msDFSR-LocalSettings 
+Object DN: CN=DFSR-LocalSettings,CN=WIN-6LR3JNJ6LVD,OU=Domain Controllers,DC=spl,DC=com 
+Error: 1355 (The specified domain either does not exist or could not be contacted.) 
+Domain Controller:  
+Polling Cycle: 60","2014-12-29T15:54:24.000-0800"
+wineventlog,"WIN-6LR3JNJ6LVD","WinEventLog:DFS Replication","WinEventLog:DFS-Replication","12/29/2014 03:54:24 PM
+LogName=DFS Replication
+SourceName=DFSR
+EventCode=1210
+EventType=4
+Type=Information
+ComputerName=WIN-6LR3JNJ6LVD.spl.com
+TaskCategory=None
+OpCode=None
+RecordNumber=15
+Keywords=Classic
+Message=The DFS Replication service successfully set up an RPC listener for incoming replication requests. 
+ 
+Additional Information: 
+Port: 0","2014-12-29T15:54:24.000-0800"
+wineventlog,"WIN-6LR3JNJ6LVD","WinEventLog:DFS Replication","WinEventLog:DFS-Replication","12/29/2014 03:54:24 PM
+LogName=DFS Replication
+SourceName=DFSR
+EventCode=4602
+EventType=4
+Type=Information
+ComputerName=WIN-6LR3JNJ6LVD.spl.com
+TaskCategory=None
+OpCode=None
+RecordNumber=16
+Keywords=Classic
+Message=The DFS Replication service successfully initialized the SYSVOL replicated folder at local path C:\Windows\SYSVOL\domain. This member is the designated primary member for this replicated folder. No user action is required. To check for the presence of the SYSVOL share, open a command prompt window and then type ""net share"". 
+ 
+Additional Information: 
+Replicated Folder Name: SYSVOL Share 
+Replicated Folder ID: A79DA0C9-AA74-4327-8F80-912BAE1B5BA5 
+Replication Group Name: Domain System Volume 
+Replication Group ID: 064E4F9C-D856-4C96-BCA0-FCE04B28E229 
+Member ID: 5CDB09D2-F4E2-4974-A9EA-C745E52B961D 
+Read-Only: 0","2014-12-29T15:54:24.000-0800"
+wineventlog,"WIN-6LR3JNJ6LVD","WinEventLog:DFS Replication","WinEventLog:DFS-Replication","12/29/2014 03:59:26 PM
+LogName=DFS Replication
+SourceName=DFSR
+EventCode=6018
+EventType=4
+Type=Information
+ComputerName=WIN-6LR3JNJ6LVD.spl.com
+TaskCategory=None
+OpCode=None
+RecordNumber=17
+Keywords=Classic
+Message=The DFS Replication service successfully updated configuration in Active Directory Domain Services. 
+ 
+Additional Information: 
+Domain Controller: WIN-6LR3JNJ6LVD.spl.com 
+Polling Cycle: 60 minutes","2014-12-29T15:59:26.000-0800"

deployment-apps/Splunk_TA_microsoft_ad_FW/samples/perfmon-Memory.csv

@@ -0,0 +1,691 @@
+index,host,source,sourcetype,"_raw","_time"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","counter=""Available MBytes""
+Value=0
+
+01/07/2015 07:21:33.498
+collection=""Available Memory""
+object=Memory
+counter=""Committed Bytes""
+Value=1102970880
+","2015-01-07T07:21:33.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","counter=""Available MBytes""
+Value=0
+
+01/07/2015 07:21:33.498
+collection=""Available Memory""
+object=Memory
+counter=""Committed Bytes""
+Value=1102970880
+","2015-01-07T07:21:33.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107072144.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T07:21:44.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","01/07/2015 07:23:19.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T07:23:19.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","counter=""Available MBytes""
+Value=432
+
+01/07/2015 07:23:52.498
+collection=""Available Memory""
+object=Memory
+counter=""Committed Bytes""
+Value=649986048
+
+01/07/2015 07:23:52.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T07:23:52.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","counter=""Available MBytes""
+Value=0
+
+01/07/2015 07:24:43.498
+collection=""Available Memory""
+object=Memory
+counter=""Committed Bytes""
+Value=1102970880
+","2015-01-07T07:24:43.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","counter=""Available MBytes""
+Value=432
+
+01/07/2015 07:24:50.498
+collection=""Available Memory""
+object=Memory
+counter=""Committed Bytes""
+Value=649986048
+
+01/07/2015 07:24:50.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T07:24:50.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","01/07/2015 07:24:59.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T07:24:59.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","counter=""Available MBytes""
+Value=432
+
+01/07/2015 07:25:03.498
+collection=""Available Memory""
+object=Memory
+counter=""Committed Bytes""
+Value=649986048
+
+01/07/2015 07:25:03.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T07:25:03.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","01/07/2015 07:25:43.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T07:25:43.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107072600.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T07:26:00.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107072821.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T07:28:21.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107072834.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T07:28:34.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107073052.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T07:30:52.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107073138.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T07:31:38.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107073308.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T07:33:08.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107073346.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T07:33:46.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107073828.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T07:38:28.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107073925.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T07:39:25.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107074014.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T07:40:14.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107074134.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T07:41:34.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107074333.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T07:43:33.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107074623.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T07:46:23.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107074702.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T07:47:02.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107074932.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T07:49:32.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107075020.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T07:50:20.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107075312.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T07:53:12.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107075507.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T07:55:07.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107075509.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T07:55:09.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107075929.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T07:59:29.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107080005.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T08:00:05.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107080137.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T08:01:37.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107080252.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T08:02:52.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107080353.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T08:03:53.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107080522.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T08:05:22.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107080726.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T08:07:26.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107081106.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T08:11:06.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107081145.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T08:11:45.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107081157.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T08:11:57.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107081434.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T08:14:34.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107081625.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T08:16:25.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107081909.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T08:19:09.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107082051.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T08:20:51.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107082113.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T08:21:13.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","counter=""Available MBytes""
+Value=0
+
+01/07/2015 08:22:08.498
+collection=""Available Memory""
+object=Memory
+counter=""Committed Bytes""
+Value=1102970880
+","2015-01-07T08:22:08.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","counter=""Available MBytes""
+Value=432
+
+01/07/2015 08:22:58.498
+collection=""Available Memory""
+object=Memory
+counter=""Committed Bytes""
+Value=649986048
+
+01/07/2015 08:22:58.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T08:22:58.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107082310.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T08:23:10.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","01/07/2015 08:23:13.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T08:23:13.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","01/07/2015 08:23:15.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T08:23:15.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","counter=""Available MBytes""
+Value=0
+
+01/07/2015 08:24:52.498
+collection=""Available Memory""
+object=Memory
+counter=""Committed Bytes""
+Value=1102970880
+","2015-01-07T08:24:52.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107082512.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T08:25:12.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","01/07/2015 08:25:21.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T08:25:21.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107082541.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T08:25:41.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","counter=""Available MBytes""
+Value=0
+
+01/07/2015 08:25:46.498
+collection=""Available Memory""
+object=Memory
+counter=""Committed Bytes""
+Value=1102970880
+","2015-01-07T08:25:46.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","01/07/2015 08:26:34.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T08:26:34.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","counter=""Available MBytes""
+Value=432
+
+01/07/2015 08:26:34.498
+collection=""Available Memory""
+object=Memory
+counter=""Committed Bytes""
+Value=649986048
+
+01/07/2015 08:26:34.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T08:26:34.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","counter=""Available MBytes""
+Value=432
+
+01/07/2015 08:26:54.498
+collection=""Available Memory""
+object=Memory
+counter=""Committed Bytes""
+Value=649986048
+
+01/07/2015 08:26:54.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T08:26:54.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107083207.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T08:32:07.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107083208.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T08:32:08.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107083210.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T08:32:10.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107083306.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T08:33:06.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107083444.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T08:34:44.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107083507.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T08:35:07.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107083840.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T08:38:40.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107084026.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T08:40:26.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107084159.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T08:41:59.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107084335.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T08:43:35.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107084540.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T08:45:40.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107084652.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T08:46:52.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107084750.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T08:47:50.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107084801.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T08:48:01.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107085132.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T08:51:32.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107085245.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T08:52:45.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107085324.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T08:53:24.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107085328.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T08:53:28.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107085939.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T08:59:39.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107090038.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T09:00:38.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107090229.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T09:02:29.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107090255.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T09:02:55.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107090325.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T09:03:25.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107090529.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T09:05:29.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107090756.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T09:07:56.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107091022.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T09:10:22.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107091221.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T09:12:21.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107091358.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T09:13:58.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107091548.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T09:15:48.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107091655.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T09:16:55.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107091951.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T09:19:51.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107092121.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T09:21:21.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107092216.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T09:22:16.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","counter=""Available MBytes""
+Value=0
+
+01/07/2015 09:22:53.498
+collection=""Available Memory""
+object=Memory
+counter=""Committed Bytes""
+Value=1102970880
+","2015-01-07T09:22:53.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","counter=""Available MBytes""
+Value=0
+
+01/07/2015 09:23:22.498
+collection=""Available Memory""
+object=Memory
+counter=""Committed Bytes""
+Value=1102970880
+","2015-01-07T09:23:22.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","counter=""Available MBytes""
+Value=0
+
+01/07/2015 09:24:16.498
+collection=""Available Memory""
+object=Memory
+counter=""Committed Bytes""
+Value=1102970880
+","2015-01-07T09:24:16.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","01/07/2015 09:24:59.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T09:24:59.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","01/07/2015 09:25:17.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T09:25:17.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","counter=""Available MBytes""
+Value=432
+
+01/07/2015 09:25:29.498
+collection=""Available Memory""
+object=Memory
+counter=""Committed Bytes""
+Value=649986048
+
+01/07/2015 09:25:29.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T09:25:29.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","01/07/2015 09:26:18.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T09:26:18.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","01/07/2015 09:26:29.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T09:26:29.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","counter=""Available MBytes""
+Value=432
+
+01/07/2015 09:26:40.498
+collection=""Available Memory""
+object=Memory
+counter=""Committed Bytes""
+Value=649986048
+
+01/07/2015 09:26:40.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T09:26:40.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","counter=""Available MBytes""
+Value=432
+
+01/07/2015 09:27:13.498
+collection=""Available Memory""
+object=Memory
+counter=""Committed Bytes""
+Value=649986048
+
+01/07/2015 09:27:13.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T09:27:13.498-0800"

deployment-apps/Splunk_TA_microsoft_ad_FW/samples/perfmon-NTDS.csv

@@ -0,0 +1,325 @@
+index,host,source,sourcetype,"_raw","_time"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/06/2015 08:43:05.895 -0800
+collection=NTDS
+object=NTDS
+counter=""SAM Enumerations/sec""
+instance=0
+Value=0.29967345482647922","2015-01-06T08:43:05.895-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/07/2015 16:42:35.898 -0800
+collection=NTDS
+object=NTDS
+counter=""LDAP Writes/sec""
+instance=0
+Value=0.099989717057497818","2015-01-07T16:42:35.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 04:42:55.902 -0800
+collection=NTDS
+object=NTDS
+counter=""Tombstones Visited/sec""
+instance=0
+Value=0.19993737361646211","2015-01-08T04:42:55.902-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 04:57:55.911 -0800
+collection=NTDS
+object=NTDS
+counter=""Link Values Cleaned/sec""
+instance=0
+Value=0.099840647338003227","2015-01-08T04:57:55.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 06:06:35.911 -0800
+collection=NTDS
+object=NTDS
+counter=""ATQ Request Latency""
+instance=0
+Value=1","2015-01-08T06:06:35.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 07:54:25.909 -0800
+collection=NTDS
+object=NTDS
+counter=""SAM Universal Group Membership Evaluations/sec""
+instance=0
+Value=0.79868269270079395","2015-01-08T07:54:25.909-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 07:54:25.909 -0800
+collection=NTDS
+object=NTDS
+counter=""SAM Global Group Membership Evaluations/sec""
+instance=0
+Value=0.39934134635039698","2015-01-08T07:54:25.909-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 10:17:45.896 -0800
+collection=NTDS
+object=NTDS
+counter=""DS Server Name Translations/sec""
+instance=0
+Value=0.10001909164421305","2015-01-08T10:17:45.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 11:35:05.904 -0800
+collection=NTDS
+object=NTDS
+counter=""DS Threads in Use""
+instance=0
+Value=1","2015-01-08T11:35:05.904-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 11:35:05.904 -0800
+collection=NTDS
+object=NTDS
+counter=""LDAP Active Threads""
+instance=0
+Value=1","2015-01-08T11:35:05.904-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 11:35:05.904 -0800
+collection=NTDS
+object=NTDS
+counter=""ATQ Threads LDAP""
+instance=0
+Value=1","2015-01-08T11:35:05.904-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 11:43:05.897 -0800
+collection=NTDS
+object=NTDS
+counter=""LDAP Bind Time""
+instance=0
+Value=16","2015-01-08T11:43:05.897-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 12:42:55.900 -0800
+collection=NTDS
+object=NTDS
+counter=""DS Security Descriptor sub-operations/sec""
+instance=0
+Value=0.099958433285102732","2015-01-08T12:42:55.900-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 12:42:55.900 -0800
+collection=NTDS
+object=NTDS
+counter=""DS Directory Writes/sec""
+instance=0
+Value=0.099958433285102732","2015-01-08T12:42:55.900-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 12:42:55.900 -0800
+collection=NTDS
+object=NTDS
+counter=""SAM GC Evaluations/sec""
+instance=0
+Value=0.099958433285102732","2015-01-08T12:42:55.900-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 12:42:55.900 -0800
+collection=NTDS
+object=NTDS
+counter=""Database modifys/sec""
+instance=0
+Value=0.099958433285102732","2015-01-08T12:42:55.900-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:05.905 -0800
+collection=NTDS
+object=NTDS
+counter=""SAM Transitive Membership Evaluations/sec""
+instance=0
+Value=0.19990305901056343","2015-01-08T13:23:05.905-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:05.905 -0800
+collection=NTDS
+object=NTDS
+counter=""SAM Domain Local Group Membership Evaluations/sec""
+instance=0
+Value=0.19990305901056343","2015-01-08T13:23:05.905-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:05.905 -0800
+collection=NTDS
+object=NTDS
+counter=""DS Client Binds/sec""
+instance=0
+Value=0.29985458851584512","2015-01-08T13:23:05.905-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:05.905 -0800
+collection=NTDS
+object=NTDS
+counter=""DS Client Name Translations/sec""
+instance=0
+Value=0.19990305901056343","2015-01-08T13:23:05.905-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:05.905 -0800
+collection=NTDS
+object=NTDS
+counter=""Subtree searches/sec""
+instance=0
+Value=0.49975764752640855","2015-01-08T13:23:05.905-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:05.905 -0800
+collection=NTDS
+object=NTDS
+counter=""Onelevel searches/sec""
+instance=0
+Value=0.49975764752640855","2015-01-08T13:23:05.905-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""LDAP Client Sessions""
+instance=0
+Value=6","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""LDAP Searches/sec""
+instance=0
+Value=0.19980189043158039","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS Monitor List Size""
+instance=0
+Value=23","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS Search sub-operations/sec""
+instance=0
+Value=0.099900945215790196","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS Name Cache hit rate""
+instance=0
+Value=100","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DRA Highest USN Issued (Low part)""
+instance=0
+Value=13754","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DRA Highest USN Committed (Low part)""
+instance=0
+Value=13754","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS % Writes from SAM""
+instance=0
+Value=31.824234354194409","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS % Writes from LDAP""
+instance=0
+Value=31.824234354194409","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS % Writes from LSA""
+instance=0
+Value=1.5978695073235687","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS % Writes from KCC""
+instance=0
+Value=0.26631158455392812","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS % Writes Other""
+instance=0
+Value=33.954727030625833","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS % Searches from SAM""
+instance=0
+Value=0.36251921748771537","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS % Searches from LDAP""
+instance=0
+Value=85.941663513366905","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS % Searches from LSA""
+instance=0
+Value=0.82426814779141133","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS % Searches from KCC""
+instance=0
+Value=1.7615258619092855","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS % Searches Other""
+instance=0
+Value=0.9213809600673174","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS Directory Searches/sec""
+instance=0
+Value=0.099900945215790196","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS % Reads from SAM""
+instance=0
+Value=8.2577697791929126","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS % Reads from LSA""
+instance=0
+Value=11.123416626289195","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS % Reads from KCC""
+instance=0
+Value=65.795666920467923","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS % Reads Other""
+instance=0
+Value=14.823146674049974","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS Directory Reads/sec""
+instance=0
+Value=0.099900945215790196","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""LDAP Successful Binds/sec""
+instance=0
+Value=0.099900945215790196","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""ATQ Threads Total""
+instance=0
+Value=4","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""LDAP New Connections/sec""
+instance=0
+Value=0.099900945215790196","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""LDAP Closed Connections/sec""
+instance=0
+Value=0.099900945215790196","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS % Writes from NTDSAPI""
+instance=0
+Value=0.53262316910785623","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS % Searches from NTDSAPI""
+instance=0
+Value=10.188642299377367","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""Negotiated Binds/sec""
+instance=0
+Value=0.099900945215790196","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""Base searches/sec""
+instance=0
+Value=0.099900945215790196","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""Approximate highest DNT""
+instance=0
+Value=4106","2015-01-08T13:23:15.910-0800"

deployment-apps/Splunk_TA_microsoft_ad_FW/samples/perfmon-Network_Interface.csv

@@ -0,0 +1,601 @@
+index,host,source,sourcetype,"_raw","_time"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:35.900 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Outbound Errors""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=1","2015-01-08T08:57:35.900-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:35.900 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=isatap.sv.splunk.com
+Value=100000","2015-01-08T08:57:35.900-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:45.902 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Total/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=1529.8530970086738","2015-01-08T08:57:45.902-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:45.902 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=Packets/sec
+instance=""Microsoft Hyper-V Network Adapter""
+Value=5.0991770438168977","2015-01-08T08:57:45.902-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:45.902 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=5.0991770438168977","2015-01-08T08:57:45.902-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:45.902 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=10000000000","2015-01-08T08:57:45.902-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:45.902 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=1529.8530970086738","2015-01-08T08:57:45.902-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:45.902 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received Non-Unicast/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=5.0991770438168977","2015-01-08T08:57:45.902-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:45.902 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=100000","2015-01-08T08:57:45.902-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:45.902 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Outbound Errors""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=1","2015-01-08T08:57:45.902-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:45.902 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=isatap.sv.splunk.com
+Value=100000","2015-01-08T08:57:45.902-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:55.900 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Total/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=2872.6871895740651","2015-01-08T08:57:55.900-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:55.900 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=Packets/sec
+instance=""Microsoft Hyper-V Network Adapter""
+Value=9.6996190959581003","2015-01-08T08:57:55.900-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:55.900 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=9.6996190959581003","2015-01-08T08:57:55.900-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:55.900 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=10000000000","2015-01-08T08:57:55.900-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:55.900 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=2872.6871895740651","2015-01-08T08:57:55.900-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:55.900 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received Non-Unicast/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=9.6996190959581003","2015-01-08T08:57:55.900-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:55.900 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=100000","2015-01-08T08:57:55.900-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:55.900 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Outbound Errors""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=1","2015-01-08T08:57:55.900-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:55.900 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=isatap.sv.splunk.com
+Value=100000","2015-01-08T08:57:55.900-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:05.899 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Total/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=1638.2918550198196","2015-01-08T08:58:05.899-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:05.899 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=Packets/sec
+instance=""Microsoft Hyper-V Network Adapter""
+Value=7.3990599494334246","2015-01-08T08:58:05.899-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:05.899 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=7.3990599494334246","2015-01-08T08:58:05.899-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:05.899 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=10000000000","2015-01-08T08:58:05.899-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:05.899 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=1638.2918550198196","2015-01-08T08:58:05.899-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:05.899 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received Non-Unicast/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=7.3990599494334246","2015-01-08T08:58:05.899-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:05.899 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=100000","2015-01-08T08:58:05.899-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:05.899 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Outbound Errors""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=1","2015-01-08T08:58:05.899-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:05.899 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=isatap.sv.splunk.com
+Value=100000","2015-01-08T08:58:05.899-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:15.897 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Total/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=595.90854474142463","2015-01-08T08:58:15.897-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:15.897 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=Packets/sec
+instance=""Microsoft Hyper-V Network Adapter""
+Value=3.3006012045094013","2015-01-08T08:58:15.897-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:15.897 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=3.3006012045094013","2015-01-08T08:58:15.897-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:15.897 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=10000000000","2015-01-08T08:58:15.897-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:15.897 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=595.90854474142463","2015-01-08T08:58:15.897-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:15.897 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received Non-Unicast/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=3.3006012045094013","2015-01-08T08:58:15.897-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:15.897 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=100000","2015-01-08T08:58:15.897-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:15.897 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Outbound Errors""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=1","2015-01-08T08:58:15.897-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:15.897 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=isatap.sv.splunk.com
+Value=100000","2015-01-08T08:58:15.897-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:25.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Total/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=704.46304386871861","2015-01-08T08:58:25.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:25.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=Packets/sec
+instance=""Microsoft Hyper-V Network Adapter""
+Value=4.1997796795580102","2015-01-08T08:58:25.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:25.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=4.1997796795580102","2015-01-08T08:58:25.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:25.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=10000000000","2015-01-08T08:58:25.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:25.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=704.46304386871861","2015-01-08T08:58:25.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:25.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received Non-Unicast/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=4.1997796795580102","2015-01-08T08:58:25.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:25.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=100000","2015-01-08T08:58:25.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:25.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Outbound Errors""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=1","2015-01-08T08:58:25.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:25.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=isatap.sv.splunk.com
+Value=100000","2015-01-08T08:58:25.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:35.913 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Total/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=1192.2075493465447","2015-01-08T08:58:35.913-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:35.913 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=Packets/sec
+instance=""Microsoft Hyper-V Network Adapter""
+Value=6.689381610101206","2015-01-08T08:58:35.913-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:35.913 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=5.591124927845784","2015-01-08T08:58:35.913-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:35.913 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Sent/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=1.0982566822554218","2015-01-08T08:58:35.913-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:35.913 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=10000000000","2015-01-08T08:58:35.913-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:35.913 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=1105.5451129649352","2015-01-08T08:58:35.913-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:35.913 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received Non-Unicast/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=5.591124927845784","2015-01-08T08:58:35.913-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:35.913 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Sent/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=86.662436381609652","2015-01-08T08:58:35.913-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:35.913 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Sent Non-Unicast/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=1.0982566822554218","2015-01-08T08:58:35.913-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:35.913 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=100000","2015-01-08T08:58:35.913-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:35.913 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Outbound Errors""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=1","2015-01-08T08:58:35.913-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:35.913 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=isatap.sv.splunk.com
+Value=100000","2015-01-08T08:58:35.913-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:45.898 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Total/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=1800.8628638823084","2015-01-08T08:58:45.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:45.898 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=Packets/sec
+instance=""Microsoft Hyper-V Network Adapter""
+Value=9.6142161568625077","2015-01-08T08:58:45.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:45.898 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=9.6142161568625077","2015-01-08T08:58:45.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:45.898 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=10000000000","2015-01-08T08:58:45.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:45.898 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=1800.8628638823084","2015-01-08T08:58:45.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:45.898 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received Non-Unicast/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=9.6142161568625077","2015-01-08T08:58:45.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:45.898 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=100000","2015-01-08T08:58:45.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:45.898 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Outbound Errors""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=1","2015-01-08T08:58:45.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:45.898 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=isatap.sv.splunk.com
+Value=100000","2015-01-08T08:58:45.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:55.908 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Total/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=1689.493548428871","2015-01-08T08:58:55.908-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:55.908 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=Packets/sec
+instance=""Microsoft Hyper-V Network Adapter""
+Value=8.39350946699936","2015-01-08T08:58:55.908-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:55.908 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=8.39350946699936","2015-01-08T08:58:55.908-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:55.908 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=10000000000","2015-01-08T08:58:55.908-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:55.908 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=1689.493548428871","2015-01-08T08:58:55.908-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:55.908 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received Non-Unicast/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=8.39350946699936","2015-01-08T08:58:55.908-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:55.908 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=100000","2015-01-08T08:58:55.908-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:55.908 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Outbound Errors""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=1","2015-01-08T08:58:55.908-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:55.908 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=isatap.sv.splunk.com
+Value=100000","2015-01-08T08:58:55.908-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:05.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Total/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=3277.0170112259821","2015-01-08T08:59:05.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:05.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=Packets/sec
+instance=""Microsoft Hyper-V Network Adapter""
+Value=14.010761385605054","2015-01-08T08:59:05.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:05.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=10.307917305123718","2015-01-08T08:59:05.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:05.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Sent/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=3.7028440804813356","2015-01-08T08:59:05.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:05.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=10000000000","2015-01-08T08:59:05.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:05.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=2692.3679539780915","2015-01-08T08:59:05.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:05.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received Unicast/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=3.5026903464012635","2015-01-08T08:59:05.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:05.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received Non-Unicast/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=6.8052269587224554","2015-01-08T08:59:05.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:05.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Sent/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=584.64905724789094","2015-01-08T08:59:05.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:05.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Sent Unicast/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=3.6027672134412998","2015-01-08T08:59:05.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:05.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Sent Non-Unicast/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=0.1000768670400361","2015-01-08T08:59:05.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:05.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=100000","2015-01-08T08:59:05.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:05.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Outbound Errors""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=1","2015-01-08T08:59:05.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:05.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=isatap.sv.splunk.com
+Value=100000","2015-01-08T08:59:05.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:15.899 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Total/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=945.11287219552071","2015-01-08T08:59:15.899-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:15.899 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=Packets/sec
+instance=""Microsoft Hyper-V Network Adapter""
+Value=4.7960056946172953","2015-01-08T08:59:15.899-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:15.899 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=4.7960056946172953","2015-01-08T08:59:15.899-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:15.899 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=10000000000","2015-01-08T08:59:15.899-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:15.899 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=945.11287219552071","2015-01-08T08:59:15.899-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:15.899 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received Non-Unicast/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=4.7960056946172953","2015-01-08T08:59:15.899-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:15.899 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=100000","2015-01-08T08:59:15.899-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:15.899 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Outbound Errors""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=1","2015-01-08T08:59:15.899-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:15.899 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=isatap.sv.splunk.com
+Value=100000","2015-01-08T08:59:15.899-0800"

deployment-apps/Splunk_TA_microsoft_ad_FW/samples/perfmon-Processor.csv

@@ -0,0 +1,601 @@
+index,host,source,sourcetype,"_raw","_time"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% Idle Time""
+instance=0
+Value=67.621733062522324","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% C1 Time""
+instance=0
+Value=13.80635534591949","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% C2 Time""
+instance=0
+Value=53.815377716602839","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""C1 Transitions/sec""
+instance=0
+Value=52.971034378980889","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""C2 Transitions/sec""
+instance=0
+Value=222.87812578325921","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% Processor Time""
+instance=1
+Value=29.278552056381123","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% User Time""
+instance=1
+Value=28.413473566751957","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% Privileged Time""
+instance=1
+Value=0.93670791978303147","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=Interrupts/sec
+instance=1
+Value=421.76936807414972","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""DPCs Queued/sec""
+instance=1
+Value=2.3986883492368705","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% Idle Time""
+instance=1
+Value=68.450316412441637","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% C1 Time""
+instance=1
+Value=10.044048752374991","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% C2 Time""
+instance=1
+Value=58.406267660066646","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""C1 Transitions/sec""
+instance=1
+Value=34.980871759704364","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""C2 Transitions/sec""
+instance=1
+Value=178.70228201814686","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% Processor Time""
+instance=2
+Value=53.00848602421793","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% User Time""
+instance=2
+Value=52.143407534588746","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% Privileged Time""
+instance=2
+Value=0.93670791978303147","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=Interrupts/sec
+instance=2
+Value=323.32320040755314","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""DPCs Queued/sec""
+instance=2
+Value=5.2971034378980892","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% Idle Time""
+instance=2
+Value=45.186218533607978","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% C1 Time""
+instance=2
+Value=19.985201513600099","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% C2 Time""
+instance=2
+Value=25.201017020007882","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""C1 Transitions/sec""
+instance=2
+Value=87.452179399260899","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""C2 Transitions/sec""
+instance=2
+Value=79.756387612125948","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% Processor Time""
+instance=3
+Value=53.476839984109439","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% User Time""
+instance=3
+Value=50.738345654914205","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% Privileged Time""
+instance=3
+Value=2.8101237593490946","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=Interrupts/sec
+instance=3
+Value=305.03320174462203","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""DPCs Queued/sec""
+instance=3
+Value=7.1960650477106114","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% Idle Time""
+instance=3
+Value=43.503773209374152","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% C1 Time""
+instance=3
+Value=23.701992595061615","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% C2 Time""
+instance=3
+Value=19.801780614312538","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""C1 Transitions/sec""
+instance=3
+Value=83.054584092326635","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""C2 Transitions/sec""
+instance=3
+Value=72.56032256441533","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% Processor Time""
+instance=_Total
+Value=41.299637026930029","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% User Time""
+instance=_Total
+Value=39.88814558409409","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% Privileged Time""
+instance=_Total
+Value=1.4831208729897998","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=Interrupts/sec
+instance=_Total
+Value=1626.7104821741377","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""DPCs Queued/sec""
+instance=_Total
+Value=85.85305383310299","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""DPC Rate""
+instance=_Total
+Value=1","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% Idle Time""
+instance=_Total
+Value=56.19051030448653","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% C1 Time""
+instance=_Total
+Value=16.884399551739047","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% C2 Time""
+instance=_Total
+Value=39.306110752747472","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""C1 Transitions/sec""
+instance=_Total
+Value=258.45866963027277","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""C2 Transitions/sec""
+instance=_Total
+Value=553.89711797794735","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% Processor Time""
+instance=0
+Value=34.914622303244947","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% User Time""
+instance=0
+Value=33.168509787769402","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% Privileged Time""
+instance=0
+Value=1.7210075833276575","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=Interrupts/sec
+instance=0
+Value=823.56220066152093","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% DPC Time""
+instance=0
+Value=0.31291046969593778","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""DPCs Queued/sec""
+instance=0
+Value=143.26738501661032","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""DPC Rate""
+instance=0
+Value=3","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% Idle Time""
+instance=0
+Value=60.557508128012159","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% C1 Time""
+instance=0
+Value=17.873095569305907","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% C2 Time""
+instance=0
+Value=42.684412558706256","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""C1 Transitions/sec""
+instance=0
+Value=112.03089017022148","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""C2 Transitions/sec""
+instance=0
+Value=282.22974029477604","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% Processor Time""
+instance=1
+Value=31.159696666893698","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% User Time""
+instance=1
+Value=29.570039386266117","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% Privileged Time""
+instance=1
+Value=1.5645523484796888","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=Interrupts/sec
+instance=1
+Value=620.82533507197809","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""DPCs Queued/sec""
+instance=1
+Value=4.204912767783112","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% Idle Time""
+instance=1
+Value=61.47471430072541","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% C1 Time""
+instance=1
+Value=12.921011524497604","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% C2 Time""
+instance=1
+Value=48.553702776227802","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""C1 Transitions/sec""
+instance=1
+Value=94.910888187104533","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""C2 Transitions/sec""
+instance=1
+Value=233.87324346527024","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% Processor Time""
+instance=2
+Value=50.873056257737773","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% User Time""
+instance=2
+Value=48.814033272566284","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% Privileged Time""
+instance=2
+Value=2.0339180530235956","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=Interrupts/sec
+instance=2
+Value=489.37175259342501","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""DPCs Queued/sec""
+instance=2
+Value=6.9080709756436844","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% Idle Time""
+instance=2
+Value=46.665294600150588","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% C1 Time""
+instance=2
+Value=18.364897705512139","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% C2 Time""
+instance=2
+Value=28.300396894638446","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""C1 Transitions/sec""
+instance=2
+Value=118.63861023388066","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""C2 Transitions/sec""
+instance=2
+Value=149.57475416828498","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% Processor Time""
+instance=3
+Value=61.981377931943562","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% User Time""
+instance=3
+Value=58.514257833140363","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% Privileged Time""
+instance=3
+Value=3.4420151666553149","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=Interrupts/sec
+instance=3
+Value=402.77057297122525","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""DPCs Queued/sec""
+instance=3
+Value=11.813802538057315","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% Idle Time""
+instance=3
+Value=35.490470689641256","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% C1 Time""
+instance=3
+Value=21.128300682268986","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% C2 Time""
+instance=3
+Value=14.362170007372271","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""C1 Transitions/sec""
+instance=3
+Value=115.23463323138957","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""C2 Transitions/sec""
+instance=3
+Value=82.095915942432185","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% Processor Time""
+instance=_Total
+Value=44.732187789298251","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% User Time""
+instance=_Total
+Value=42.516710570592295","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% Privileged Time""
+instance=_Total
+Value=2.190373287871564","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=Interrupts/sec
+instance=_Total
+Value=2336.5298612981492","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% DPC Time""
+instance=_Total
+Value=0.078227617423984444","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""DPCs Queued/sec""
+instance=_Total
+Value=166.19417129809443","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""DPC Rate""
+instance=_Total
+Value=3","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% Idle Time""
+instance=_Total
+Value=51.046996428975596","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% C1 Time""
+instance=_Total
+Value=17.571826370396156","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% C2 Time""
+instance=_Total
+Value=33.475170058579444","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""C1 Transitions/sec""
+instance=_Total
+Value=440.81502182259624","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""C2 Transitions/sec""
+instance=_Total
+Value=747.77365387076338","2015-01-06T16:07:55.898-0800"

deployment-apps/Splunk_TA_microsoft_ad_FW/samples/sourcetype-ActiveDirectory.csv

@@ -0,0 +1,793 @@
+index,host,source,sourcetype,_raw,_time
+msad,WIN-6LR3JNJ6LVD,ActiveDirectory,ActiveDirectory,"12/29/2014 16:55:55.145
+dcName=LDAP://WIN-6LR3JNJ6LVD.spl.com/
+admonEventType=schema
+className=pKIEnrollmentService
+classCN=PKI-Enrollment-Service
+instanceType=MandatoryProperties
+nTSecurityDescriptor=MandatoryProperties
+objectCategory=MandatoryProperties
+objectClass=MandatoryProperties
+instanceType=OptionalProperties
+nTSecurityDescriptor=OptionalProperties
+objectCategory=OptionalProperties
+objectClass=OptionalProperties
+adminDescription=OptionalProperties
+adminDisplayName=OptionalProperties
+allowedAttributes=OptionalProperties
+allowedAttributesEffective=OptionalProperties
+allowedChildClasses=OptionalProperties
+allowedChildClassesEffective=OptionalProperties
+bridgeheadServerListBL=OptionalProperties
+cACertificate=OptionalProperties
+cACertificateDN=OptionalProperties
+canonicalName=OptionalProperties
+certificateTemplates=OptionalProperties
+cn=OptionalProperties
+createTimeStamp=OptionalProperties
+description=OptionalProperties
+directReports=OptionalProperties
+displayName=OptionalProperties
+displayNamePrintable=OptionalProperties
+distinguishedName=OptionalProperties
+dNSHostName=OptionalProperties
+dSASignature=OptionalProperties
+dSCorePropagationData=OptionalProperties
+enrollmentProviders=OptionalProperties
+extensionName=OptionalProperties
+flags=OptionalProperties
+fromEntry=OptionalProperties
+frsComputerReferenceBL=OptionalProperties
+fRSMemberReferenceBL=OptionalProperties
+fSMORoleOwner=OptionalProperties
+isCriticalSystemObject=OptionalProperties
+isDeleted=OptionalProperties
+isPrivilegeHolder=OptionalProperties
+isRecycled=OptionalProperties
+lastKnownParent=OptionalProperties
+managedObjects=OptionalProperties
+masteredBy=OptionalProperties
+memberOf=OptionalProperties
+modifyTimeStamp=OptionalProperties
+mS-DS-ConsistencyChildCount=OptionalProperties
+mS-DS-ConsistencyGuid=OptionalProperties
+msCOM-PartitionSetLink=OptionalProperties
+msCOM-UserLink=OptionalProperties
+msDFSR-ComputerReferenceBL=OptionalProperties
+msDFSR-MemberReferenceBL=OptionalProperties
+msDS-Approx-Immed-Subordinates=OptionalProperties
+msDS-AuthenticatedToAccountlist=OptionalProperties
+msDS-ClaimSharesPossibleValuesWithBL=OptionalProperties
+msDS-EnabledFeatureBL=OptionalProperties
+msDS-HostServiceAccountBL=OptionalProperties
+msDS-IsDomainFor=OptionalProperties
+msDS-IsFullReplicaFor=OptionalProperties
+msDS-IsPartialReplicaFor=OptionalProperties
+msDS-IsPrimaryComputerFor=OptionalProperties
+msDS-KrbTgtLinkBl=OptionalProperties
+msDS-LastKnownRDN=OptionalProperties
+msDS-LocalEffectiveDeletionTime=OptionalProperties
+msDS-LocalEffectiveRecycleTime=OptionalProperties
+msDs-masteredBy=OptionalProperties
+msds-memberOfTransitive=OptionalProperties
+msDS-MembersForAzRoleBL=OptionalProperties
+msDS-MembersOfResourcePropertyListBL=OptionalProperties
+msds-memberTransitive=OptionalProperties
+msDS-NC-RO-Replica-Locations-BL=OptionalProperties
+msDS-NCReplCursors=OptionalProperties
+msDS-NCReplInboundNeighbors=OptionalProperties
+msDS-NCReplOutboundNeighbors=OptionalProperties
+msDS-NcType=OptionalProperties
+msDS-NonMembersBL=OptionalProperties
+msDS-ObjectReferenceBL=OptionalProperties
+msDS-OIDToGroupLinkBl=OptionalProperties
+msDS-OperationsForAzRoleBL=OptionalProperties
+msDS-OperationsForAzTaskBL=OptionalProperties
+msDS-parentdistname=OptionalProperties
+msDS-PrincipalName=OptionalProperties
+msDS-PSOApplied=OptionalProperties
+msDS-ReplAttributeMetaData=OptionalProperties
+msDS-ReplValueMetaData=OptionalProperties
+msDS-ReplValueMetaDataExt=OptionalProperties
+msDS-RevealedDSAs=OptionalProperties
+msDS-RevealedListBL=OptionalProperties
+msDS-TasksForAzRoleBL=OptionalProperties
+msDS-TasksForAzTaskBL=OptionalProperties
+msDS-TDOEgressBL=OptionalProperties
+msDS-TDOIngressBL=OptionalProperties
+msDS-ValueTypeReferenceBL=OptionalProperties
+msPKI-Enrollment-Servers=OptionalProperties
+msPKI-Site-Name=OptionalProperties
+msSFU30PosixMemberOf=OptionalProperties
+name=OptionalProperties
+netbootSCPBL=OptionalProperties
+nonSecurityMemberBL=OptionalProperties
+objectGUID=OptionalProperties
+objectVersion=OptionalProperties
+otherWellKnownObjects=OptionalProperties
+ownerBL=OptionalProperties
+partialAttributeDeletionList=OptionalProperties
+partialAttributeSet=OptionalProperties
+possibleInferiors=OptionalProperties
+proxiedObjectName=OptionalProperties
+proxyAddresses=OptionalProperties
+queryPolicyBL=OptionalProperties
+replPropertyMetaData=OptionalProperties
+replUpToDateVector=OptionalProperties
+repsFrom=OptionalProperties
+repsTo=OptionalProperties
+revision=OptionalProperties
+sDRightsEffective=OptionalProperties
+serverReferenceBL=OptionalProperties
+showInAdvancedViewOnly=OptionalProperties
+signatureAlgorithms=OptionalProperties
+siteObjectBL=OptionalProperties
+structuralObjectClass=OptionalProperties
+subRefs=OptionalProperties
+subSchemaSubEntry=OptionalProperties
+systemFlags=OptionalProperties
+url=OptionalProperties
+uSNChanged=OptionalProperties
+uSNCreated=OptionalProperties
+uSNDSALastObjRemoved=OptionalProperties
+USNIntersite=OptionalProperties
+uSNLastObjRem=OptionalProperties
+uSNSource=OptionalProperties
+wbemPath=OptionalProperties
+wellKnownObjects=OptionalProperties
+whenChanged=OptionalProperties
+whenCreated=OptionalProperties
+wWWHomePage=OptionalProperties",2014-12-29T16:55:55.145-0800
+msad,WIN-6LR3JNJ6LVD,ActiveDirectory,ActiveDirectory,"12/29/2014 16:55:55.145
+dcName=LDAP://WIN-6LR3JNJ6LVD.spl.com/
+admonEventType=schema
+className=msPKI-PrivateKeyRecoveryAgent
+classCN=ms-PKI-Private-Key-Recovery-Agent
+instanceType=MandatoryProperties
+nTSecurityDescriptor=MandatoryProperties
+objectCategory=MandatoryProperties
+objectClass=MandatoryProperties
+userCertificate=MandatoryProperties
+instanceType=OptionalProperties
+nTSecurityDescriptor=OptionalProperties
+objectCategory=OptionalProperties
+objectClass=OptionalProperties
+userCertificate=OptionalProperties
+adminDescription=OptionalProperties
+adminDisplayName=OptionalProperties
+allowedAttributes=OptionalProperties
+allowedAttributesEffective=OptionalProperties
+allowedChildClasses=OptionalProperties
+allowedChildClassesEffective=OptionalProperties
+bridgeheadServerListBL=OptionalProperties
+canonicalName=OptionalProperties
+cn=OptionalProperties
+createTimeStamp=OptionalProperties
+description=OptionalProperties
+directReports=OptionalProperties
+displayName=OptionalProperties
+displayNamePrintable=OptionalProperties
+distinguishedName=OptionalProperties
+dSASignature=OptionalProperties
+dSCorePropagationData=OptionalProperties
+extensionName=OptionalProperties
+flags=OptionalProperties
+fromEntry=OptionalProperties
+frsComputerReferenceBL=OptionalProperties
+fRSMemberReferenceBL=OptionalProperties
+fSMORoleOwner=OptionalProperties
+isCriticalSystemObject=OptionalProperties
+isDeleted=OptionalProperties
+isPrivilegeHolder=OptionalProperties
+isRecycled=OptionalProperties
+lastKnownParent=OptionalProperties
+managedObjects=OptionalProperties
+masteredBy=OptionalProperties
+memberOf=OptionalProperties
+modifyTimeStamp=OptionalProperties
+mS-DS-ConsistencyChildCount=OptionalProperties
+mS-DS-ConsistencyGuid=OptionalProperties
+msCOM-PartitionSetLink=OptionalProperties
+msCOM-UserLink=OptionalProperties
+msDFSR-ComputerReferenceBL=OptionalProperties
+msDFSR-MemberReferenceBL=OptionalProperties
+msDS-Approx-Immed-Subordinates=OptionalProperties
+msDS-AuthenticatedToAccountlist=OptionalProperties
+msDS-ClaimSharesPossibleValuesWithBL=OptionalProperties
+msDS-EnabledFeatureBL=OptionalProperties
+msDS-HostServiceAccountBL=OptionalProperties
+msDS-IsDomainFor=OptionalProperties
+msDS-IsFullReplicaFor=OptionalProperties
+msDS-IsPartialReplicaFor=OptionalProperties
+msDS-IsPrimaryComputerFor=OptionalProperties
+msDS-KrbTgtLinkBl=OptionalProperties
+msDS-LastKnownRDN=OptionalProperties
+msDS-LocalEffectiveDeletionTime=OptionalProperties
+msDS-LocalEffectiveRecycleTime=OptionalProperties
+msDs-masteredBy=OptionalProperties
+msds-memberOfTransitive=OptionalProperties
+msDS-MembersForAzRoleBL=OptionalProperties
+msDS-MembersOfResourcePropertyListBL=OptionalProperties
+msds-memberTransitive=OptionalProperties
+msDS-NC-RO-Replica-Locations-BL=OptionalProperties
+msDS-NCReplCursors=OptionalProperties
+msDS-NCReplInboundNeighbors=OptionalProperties
+msDS-NCReplOutboundNeighbors=OptionalProperties
+msDS-NcType=OptionalProperties
+msDS-NonMembersBL=OptionalProperties
+msDS-ObjectReferenceBL=OptionalProperties
+msDS-OIDToGroupLinkBl=OptionalProperties
+msDS-OperationsForAzRoleBL=OptionalProperties
+msDS-OperationsForAzTaskBL=OptionalProperties
+msDS-parentdistname=OptionalProperties
+msDS-PrincipalName=OptionalProperties
+msDS-PSOApplied=OptionalProperties
+msDS-ReplAttributeMetaData=OptionalProperties
+msDS-ReplValueMetaData=OptionalProperties
+msDS-ReplValueMetaDataExt=OptionalProperties
+msDS-RevealedDSAs=OptionalProperties
+msDS-RevealedListBL=OptionalProperties
+msDS-TasksForAzRoleBL=OptionalProperties
+msDS-TasksForAzTaskBL=OptionalProperties
+msDS-TDOEgressBL=OptionalProperties
+msDS-TDOIngressBL=OptionalProperties
+msDS-ValueTypeReferenceBL=OptionalProperties
+msSFU30PosixMemberOf=OptionalProperties
+name=OptionalProperties
+netbootSCPBL=OptionalProperties
+nonSecurityMemberBL=OptionalProperties
+objectGUID=OptionalProperties
+objectVersion=OptionalProperties
+otherWellKnownObjects=OptionalProperties
+ownerBL=OptionalProperties
+partialAttributeDeletionList=OptionalProperties
+partialAttributeSet=OptionalProperties
+possibleInferiors=OptionalProperties
+proxiedObjectName=OptionalProperties
+proxyAddresses=OptionalProperties
+queryPolicyBL=OptionalProperties
+replPropertyMetaData=OptionalProperties
+replUpToDateVector=OptionalProperties
+repsFrom=OptionalProperties
+repsTo=OptionalProperties
+revision=OptionalProperties
+sDRightsEffective=OptionalProperties
+serverReferenceBL=OptionalProperties
+showInAdvancedViewOnly=OptionalProperties
+siteObjectBL=OptionalProperties
+structuralObjectClass=OptionalProperties
+subRefs=OptionalProperties
+subSchemaSubEntry=OptionalProperties
+systemFlags=OptionalProperties
+url=OptionalProperties
+uSNChanged=OptionalProperties
+uSNCreated=OptionalProperties
+uSNDSALastObjRemoved=OptionalProperties
+USNIntersite=OptionalProperties
+uSNLastObjRem=OptionalProperties
+uSNSource=OptionalProperties
+wbemPath=OptionalProperties
+wellKnownObjects=OptionalProperties
+whenChanged=OptionalProperties
+whenCreated=OptionalProperties
+wWWHomePage=OptionalProperties",2014-12-29T16:55:55.145-0800
+msad,WIN-6LR3JNJ6LVD,ActiveDirectory,ActiveDirectory,"12/29/2014 16:55:55.145
+dcName=LDAP://WIN-6LR3JNJ6LVD.spl.com/
+admonEventType=schema
+className=printQueue
+classCN=Print-Queue
+cn=MandatoryProperties
+instanceType=MandatoryProperties
+nTSecurityDescriptor=MandatoryProperties
+objectCategory=MandatoryProperties
+objectClass=MandatoryProperties
+printerName=MandatoryProperties
+serverName=MandatoryProperties
+shortServerName=MandatoryProperties
+uNCName=MandatoryProperties
+versionNumber=MandatoryProperties
+cn=OptionalProperties
+instanceType=OptionalProperties
+nTSecurityDescriptor=OptionalProperties
+objectCategory=OptionalProperties
+objectClass=OptionalProperties
+printerName=OptionalProperties
+serverName=OptionalProperties
+shortServerName=OptionalProperties
+uNCName=OptionalProperties
+versionNumber=OptionalProperties
+adminDescription=OptionalProperties
+adminDisplayName=OptionalProperties
+allowedAttributes=OptionalProperties
+allowedAttributesEffective=OptionalProperties
+allowedChildClasses=OptionalProperties
+allowedChildClassesEffective=OptionalProperties
+assetNumber=OptionalProperties
+bridgeheadServerListBL=OptionalProperties
+bytesPerMinute=OptionalProperties
+canonicalName=OptionalProperties
+createTimeStamp=OptionalProperties
+defaultPriority=OptionalProperties
+description=OptionalProperties
+directReports=OptionalProperties
+displayName=OptionalProperties
+displayNamePrintable=OptionalProperties
+distinguishedName=OptionalProperties
+driverName=OptionalProperties
+driverVersion=OptionalProperties
+dSASignature=OptionalProperties
+dSCorePropagationData=OptionalProperties
+extensionName=OptionalProperties
+flags=OptionalProperties
+fromEntry=OptionalProperties
+frsComputerReferenceBL=OptionalProperties
+fRSMemberReferenceBL=OptionalProperties
+fSMORoleOwner=OptionalProperties
+isCriticalSystemObject=OptionalProperties
+isDeleted=OptionalProperties
+isPrivilegeHolder=OptionalProperties
+isRecycled=OptionalProperties
+keywords=OptionalProperties
+lastKnownParent=OptionalProperties
+location=OptionalProperties
+managedBy=OptionalProperties
+managedObjects=OptionalProperties
+masteredBy=OptionalProperties
+memberOf=OptionalProperties
+modifyTimeStamp=OptionalProperties
+mS-DS-ConsistencyChildCount=OptionalProperties
+mS-DS-ConsistencyGuid=OptionalProperties
+msCOM-PartitionSetLink=OptionalProperties
+msCOM-UserLink=OptionalProperties
+msDFSR-ComputerReferenceBL=OptionalProperties
+msDFSR-MemberReferenceBL=OptionalProperties
+msDS-Approx-Immed-Subordinates=OptionalProperties
+msDS-AuthenticatedToAccountlist=OptionalProperties
+msDS-ClaimSharesPossibleValuesWithBL=OptionalProperties
+msDS-EnabledFeatureBL=OptionalProperties
+msDS-HostServiceAccountBL=OptionalProperties
+msDS-IsDomainFor=OptionalProperties
+msDS-IsFullReplicaFor=OptionalProperties
+msDS-IsPartialReplicaFor=OptionalProperties
+msDS-IsPrimaryComputerFor=OptionalProperties
+msDS-KrbTgtLinkBl=OptionalProperties
+msDS-LastKnownRDN=OptionalProperties
+msDS-LocalEffectiveDeletionTime=OptionalProperties
+msDS-LocalEffectiveRecycleTime=OptionalProperties
+msDs-masteredBy=OptionalProperties
+msds-memberOfTransitive=OptionalProperties
+msDS-MembersForAzRoleBL=OptionalProperties
+msDS-MembersOfResourcePropertyListBL=OptionalProperties
+msds-memberTransitive=OptionalProperties
+msDS-NC-RO-Replica-Locations-BL=OptionalProperties
+msDS-NCReplCursors=OptionalProperties
+msDS-NCReplInboundNeighbors=OptionalProperties
+msDS-NCReplOutboundNeighbors=OptionalProperties
+msDS-NcType=OptionalProperties
+msDS-NonMembersBL=OptionalProperties
+msDS-ObjectReferenceBL=OptionalProperties
+msDS-OIDToGroupLinkBl=OptionalProperties
+msDS-OperationsForAzRoleBL=OptionalProperties
+msDS-OperationsForAzTaskBL=OptionalProperties
+msDS-parentdistname=OptionalProperties
+msDS-PrincipalName=OptionalProperties
+msDS-PSOApplied=OptionalProperties
+msDS-ReplAttributeMetaData=OptionalProperties
+msDS-ReplValueMetaData=OptionalProperties
+msDS-ReplValueMetaDataExt=OptionalProperties
+msDS-RevealedDSAs=OptionalProperties
+msDS-RevealedListBL=OptionalProperties
+msDS-Settings=OptionalProperties
+msDS-TasksForAzRoleBL=OptionalProperties
+msDS-TasksForAzTaskBL=OptionalProperties
+msDS-TDOEgressBL=OptionalProperties
+msDS-TDOIngressBL=OptionalProperties
+msDS-ValueTypeReferenceBL=OptionalProperties
+msSFU30PosixMemberOf=OptionalProperties
+name=OptionalProperties
+netbootSCPBL=OptionalProperties
+nonSecurityMemberBL=OptionalProperties
+objectGUID=OptionalProperties
+objectVersion=OptionalProperties
+operatingSystem=OptionalProperties
+operatingSystemHotfix=OptionalProperties
+operatingSystemServicePack=OptionalProperties
+operatingSystemVersion=OptionalProperties
+otherWellKnownObjects=OptionalProperties
+ownerBL=OptionalProperties
+partialAttributeDeletionList=OptionalProperties
+partialAttributeSet=OptionalProperties
+physicalLocationObject=OptionalProperties
+portName=OptionalProperties
+possibleInferiors=OptionalProperties
+printAttributes=OptionalProperties
+printBinNames=OptionalProperties
+printCollate=OptionalProperties
+printColor=OptionalProperties
+printDuplexSupported=OptionalProperties
+printEndTime=OptionalProperties
+printFormName=OptionalProperties
+printKeepPrintedJobs=OptionalProperties
+printLanguage=OptionalProperties
+printMACAddress=OptionalProperties
+printMaxCopies=OptionalProperties
+printMaxResolutionSupported=OptionalProperties
+printMaxXExtent=OptionalProperties
+printMaxYExtent=OptionalProperties
+printMediaReady=OptionalProperties
+printMediaSupported=OptionalProperties
+printMemory=OptionalProperties
+printMinXExtent=OptionalProperties
+printMinYExtent=OptionalProperties
+printNetworkAddress=OptionalProperties
+printNotify=OptionalProperties
+printNumberUp=OptionalProperties
+printOrientationsSupported=OptionalProperties
+printOwner=OptionalProperties
+printPagesPerMinute=OptionalProperties
+printRate=OptionalProperties
+printRateUnit=OptionalProperties
+printSeparatorFile=OptionalProperties
+printShareName=OptionalProperties
+printSpooling=OptionalProperties
+printStaplingSupported=OptionalProperties
+printStartTime=OptionalProperties
+printStatus=OptionalProperties
+priority=OptionalProperties
+proxiedObjectName=OptionalProperties
+proxyAddresses=OptionalProperties
+queryPolicyBL=OptionalProperties
+replPropertyMetaData=OptionalProperties
+replUpToDateVector=OptionalProperties
+repsFrom=OptionalProperties
+repsTo=OptionalProperties
+revision=OptionalProperties
+sDRightsEffective=OptionalProperties
+serverReferenceBL=OptionalProperties
+showInAdvancedViewOnly=OptionalProperties
+siteObjectBL=OptionalProperties
+structuralObjectClass=OptionalProperties
+subRefs=OptionalProperties
+subSchemaSubEntry=OptionalProperties
+systemFlags=OptionalProperties
+url=OptionalProperties
+uSNChanged=OptionalProperties
+uSNCreated=OptionalProperties
+uSNDSALastObjRemoved=OptionalProperties
+USNIntersite=OptionalProperties
+uSNLastObjRem=OptionalProperties
+uSNSource=OptionalProperties
+wbemPath=OptionalProperties
+wellKnownObjects=OptionalProperties
+whenChanged=OptionalProperties
+whenCreated=OptionalProperties
+wWWHomePage=OptionalProperties",2014-12-29T16:55:55.145-0800
+msad,WIN-6LR3JNJ6LVD,ActiveDirectory,ActiveDirectory,"12/29/2014 16:55:55.145
+dcName=LDAP://WIN-6LR3JNJ6LVD.spl.com/
+admonEventType=schema
+className=queryPolicy
+classCN=Query-Policy
+instanceType=MandatoryProperties
+nTSecurityDescriptor=MandatoryProperties
+objectCategory=MandatoryProperties
+objectClass=MandatoryProperties
+instanceType=OptionalProperties
+nTSecurityDescriptor=OptionalProperties
+objectCategory=OptionalProperties
+objectClass=OptionalProperties
+adminDescription=OptionalProperties
+adminDisplayName=OptionalProperties
+allowedAttributes=OptionalProperties
+allowedAttributesEffective=OptionalProperties
+allowedChildClasses=OptionalProperties
+allowedChildClassesEffective=OptionalProperties
+bridgeheadServerListBL=OptionalProperties
+canonicalName=OptionalProperties
+cn=OptionalProperties
+createTimeStamp=OptionalProperties
+description=OptionalProperties
+directReports=OptionalProperties
+displayName=OptionalProperties
+displayNamePrintable=OptionalProperties
+distinguishedName=OptionalProperties
+dSASignature=OptionalProperties
+dSCorePropagationData=OptionalProperties
+extensionName=OptionalProperties
+flags=OptionalProperties
+fromEntry=OptionalProperties
+frsComputerReferenceBL=OptionalProperties
+fRSMemberReferenceBL=OptionalProperties
+fSMORoleOwner=OptionalProperties
+isCriticalSystemObject=OptionalProperties
+isDeleted=OptionalProperties
+isPrivilegeHolder=OptionalProperties
+isRecycled=OptionalProperties
+lastKnownParent=OptionalProperties
+lDAPAdminLimits=OptionalProperties
+lDAPIPDenyList=OptionalProperties
+managedObjects=OptionalProperties
+masteredBy=OptionalProperties
+memberOf=OptionalProperties
+modifyTimeStamp=OptionalProperties
+mS-DS-ConsistencyChildCount=OptionalProperties
+mS-DS-ConsistencyGuid=OptionalProperties
+msCOM-PartitionSetLink=OptionalProperties
+msCOM-UserLink=OptionalProperties
+msDFSR-ComputerReferenceBL=OptionalProperties
+msDFSR-MemberReferenceBL=OptionalProperties
+msDS-Approx-Immed-Subordinates=OptionalProperties
+msDS-AuthenticatedToAccountlist=OptionalProperties
+msDS-ClaimSharesPossibleValuesWithBL=OptionalProperties
+msDS-EnabledFeatureBL=OptionalProperties
+msDS-HostServiceAccountBL=OptionalProperties
+msDS-IsDomainFor=OptionalProperties
+msDS-IsFullReplicaFor=OptionalProperties
+msDS-IsPartialReplicaFor=OptionalProperties
+msDS-IsPrimaryComputerFor=OptionalProperties
+msDS-KrbTgtLinkBl=OptionalProperties
+msDS-LastKnownRDN=OptionalProperties
+msDS-LocalEffectiveDeletionTime=OptionalProperties
+msDS-LocalEffectiveRecycleTime=OptionalProperties
+msDs-masteredBy=OptionalProperties
+msds-memberOfTransitive=OptionalProperties
+msDS-MembersForAzRoleBL=OptionalProperties
+msDS-MembersOfResourcePropertyListBL=OptionalProperties
+msds-memberTransitive=OptionalProperties
+msDS-NC-RO-Replica-Locations-BL=OptionalProperties
+msDS-NCReplCursors=OptionalProperties
+msDS-NCReplInboundNeighbors=OptionalProperties
+msDS-NCReplOutboundNeighbors=OptionalProperties
+msDS-NcType=OptionalProperties
+msDS-NonMembersBL=OptionalProperties
+msDS-ObjectReferenceBL=OptionalProperties
+msDS-OIDToGroupLinkBl=OptionalProperties
+msDS-OperationsForAzRoleBL=OptionalProperties
+msDS-OperationsForAzTaskBL=OptionalProperties
+msDS-parentdistname=OptionalProperties
+msDS-PrincipalName=OptionalProperties
+msDS-PSOApplied=OptionalProperties
+msDS-ReplAttributeMetaData=OptionalProperties
+msDS-ReplValueMetaData=OptionalProperties
+msDS-ReplValueMetaDataExt=OptionalProperties
+msDS-RevealedDSAs=OptionalProperties
+msDS-RevealedListBL=OptionalProperties
+msDS-TasksForAzRoleBL=OptionalProperties
+msDS-TasksForAzTaskBL=OptionalProperties
+msDS-TDOEgressBL=OptionalProperties
+msDS-TDOIngressBL=OptionalProperties
+msDS-ValueTypeReferenceBL=OptionalProperties
+msSFU30PosixMemberOf=OptionalProperties
+name=OptionalProperties
+netbootSCPBL=OptionalProperties
+nonSecurityMemberBL=OptionalProperties
+objectGUID=OptionalProperties
+objectVersion=OptionalProperties
+otherWellKnownObjects=OptionalProperties
+ownerBL=OptionalProperties
+partialAttributeDeletionList=OptionalProperties
+partialAttributeSet=OptionalProperties
+possibleInferiors=OptionalProperties
+proxiedObjectName=OptionalProperties
+proxyAddresses=OptionalProperties
+queryPolicyBL=OptionalProperties
+replPropertyMetaData=OptionalProperties
+replUpToDateVector=OptionalProperties
+repsFrom=OptionalProperties
+repsTo=OptionalProperties
+revision=OptionalProperties
+sDRightsEffective=OptionalProperties
+serverReferenceBL=OptionalProperties
+showInAdvancedViewOnly=OptionalProperties
+siteObjectBL=OptionalProperties
+structuralObjectClass=OptionalProperties
+subRefs=OptionalProperties
+subSchemaSubEntry=OptionalProperties
+systemFlags=OptionalProperties
+url=OptionalProperties
+uSNChanged=OptionalProperties
+uSNCreated=OptionalProperties
+uSNDSALastObjRemoved=OptionalProperties
+USNIntersite=OptionalProperties
+uSNLastObjRem=OptionalProperties
+uSNSource=OptionalProperties
+wbemPath=OptionalProperties
+wellKnownObjects=OptionalProperties
+whenChanged=OptionalProperties
+whenCreated=OptionalProperties
+wWWHomePage=OptionalProperties",2014-12-29T16:55:55.145-0800
+msad,WIN-6LR3JNJ6LVD,ActiveDirectory,ActiveDirectory,"12/29/2014 16:55:55.160
+dcName=LDAP://WIN-6LR3JNJ6LVD.spl.com/
+admonEventType=schema
+className=remoteMailRecipient
+classCN=Remote-Mail-Recipient
+cn=MandatoryProperties
+instanceType=MandatoryProperties
+nTSecurityDescriptor=MandatoryProperties
+objectCategory=MandatoryProperties
+objectClass=MandatoryProperties
+cn=OptionalProperties
+instanceType=OptionalProperties
+nTSecurityDescriptor=OptionalProperties
+objectCategory=OptionalProperties
+objectClass=OptionalProperties
+adminDescription=OptionalProperties
+adminDisplayName=OptionalProperties
+allowedAttributes=OptionalProperties
+allowedAttributesEffective=OptionalProperties
+allowedChildClasses=OptionalProperties
+allowedChildClassesEffective=OptionalProperties
+bridgeheadServerListBL=OptionalProperties
+canonicalName=OptionalProperties
+createTimeStamp=OptionalProperties
+description=OptionalProperties
+directReports=OptionalProperties
+displayName=OptionalProperties
+displayNamePrintable=OptionalProperties
+distinguishedName=OptionalProperties
+dSASignature=OptionalProperties
+dSCorePropagationData=OptionalProperties
+extensionName=OptionalProperties
+flags=OptionalProperties
+fromEntry=OptionalProperties
+frsComputerReferenceBL=OptionalProperties
+fRSMemberReferenceBL=OptionalProperties
+fSMORoleOwner=OptionalProperties
+garbageCollPeriod=OptionalProperties
+info=OptionalProperties
+isCriticalSystemObject=OptionalProperties
+isDeleted=OptionalProperties
+isPrivilegeHolder=OptionalProperties
+isRecycled=OptionalProperties
+labeledURI=OptionalProperties
+lastKnownParent=OptionalProperties
+legacyExchangeDN=OptionalProperties
+managedBy=OptionalProperties
+managedObjects=OptionalProperties
+masteredBy=OptionalProperties
+memberOf=OptionalProperties
+modifyTimeStamp=OptionalProperties
+mS-DS-ConsistencyChildCount=OptionalProperties
+mS-DS-ConsistencyGuid=OptionalProperties
+msCOM-PartitionSetLink=OptionalProperties
+msCOM-UserLink=OptionalProperties
+msDFSR-ComputerReferenceBL=OptionalProperties
+msDFSR-MemberReferenceBL=OptionalProperties
+msDS-Approx-Immed-Subordinates=OptionalProperties
+msDS-AuthenticatedToAccountlist=OptionalProperties
+msDS-ClaimSharesPossibleValuesWithBL=OptionalProperties
+msDS-EnabledFeatureBL=OptionalProperties
+msDS-GeoCoordinatesAltitude=OptionalProperties
+msDS-GeoCoordinatesLatitude=OptionalProperties
+msDS-GeoCoordinatesLongitude=OptionalProperties
+msDS-HostServiceAccountBL=OptionalProperties
+msDS-IsDomainFor=OptionalProperties
+msDS-IsFullReplicaFor=OptionalProperties
+msDS-IsPartialReplicaFor=OptionalProperties
+msDS-IsPrimaryComputerFor=OptionalProperties
+msDS-KrbTgtLinkBl=OptionalProperties
+msDS-LastKnownRDN=OptionalProperties
+msDS-LocalEffectiveDeletionTime=OptionalProperties
+msDS-LocalEffectiveRecycleTime=OptionalProperties
+msDs-masteredBy=OptionalProperties
+msds-memberOfTransitive=OptionalProperties
+msDS-MembersForAzRoleBL=OptionalProperties
+msDS-MembersOfResourcePropertyListBL=OptionalProperties
+msds-memberTransitive=OptionalProperties
+msDS-NC-RO-Replica-Locations-BL=OptionalProperties
+msDS-NCReplCursors=OptionalProperties
+msDS-NCReplInboundNeighbors=OptionalProperties
+msDS-NCReplOutboundNeighbors=OptionalProperties
+msDS-NcType=OptionalProperties
+msDS-NonMembersBL=OptionalProperties
+msDS-ObjectReferenceBL=OptionalProperties
+msDS-OIDToGroupLinkBl=OptionalProperties
+msDS-OperationsForAzRoleBL=OptionalProperties
+msDS-OperationsForAzTaskBL=OptionalProperties
+msDS-parentdistname=OptionalProperties
+msDS-PhoneticDisplayName=OptionalProperties
+msDS-PrincipalName=OptionalProperties
+msDS-PSOApplied=OptionalProperties
+msDS-ReplAttributeMetaData=OptionalProperties
+msDS-ReplValueMetaData=OptionalProperties
+msDS-ReplValueMetaDataExt=OptionalProperties
+msDS-RevealedDSAs=OptionalProperties
+msDS-RevealedListBL=OptionalProperties
+msDS-TasksForAzRoleBL=OptionalProperties
+msDS-TasksForAzTaskBL=OptionalProperties
+msDS-TDOEgressBL=OptionalProperties
+msDS-TDOIngressBL=OptionalProperties
+msDS-ValueTypeReferenceBL=OptionalProperties
+msExchAssistantName=OptionalProperties
+msExchLabeledURI=OptionalProperties
+msSFU30PosixMemberOf=OptionalProperties
+name=OptionalProperties
+netbootSCPBL=OptionalProperties
+nonSecurityMemberBL=OptionalProperties
+objectGUID=OptionalProperties
+objectVersion=OptionalProperties
+otherWellKnownObjects=OptionalProperties
+ownerBL=OptionalProperties
+partialAttributeDeletionList=OptionalProperties
+partialAttributeSet=OptionalProperties
+possibleInferiors=OptionalProperties
+proxiedObjectName=OptionalProperties
+proxyAddresses=OptionalProperties
+queryPolicyBL=OptionalProperties
+remoteSource=OptionalProperties
+remoteSourceType=OptionalProperties
+replPropertyMetaData=OptionalProperties
+replUpToDateVector=OptionalProperties
+repsFrom=OptionalProperties
+repsTo=OptionalProperties
+revision=OptionalProperties
+sDRightsEffective=OptionalProperties
+secretary=OptionalProperties
+serverReferenceBL=OptionalProperties
+showInAddressBook=OptionalProperties
+showInAdvancedViewOnly=OptionalProperties
+siteObjectBL=OptionalProperties
+structuralObjectClass=OptionalProperties
+subRefs=OptionalProperties
+subSchemaSubEntry=OptionalProperties
+systemFlags=OptionalProperties
+telephoneNumber=OptionalProperties
+textEncodedORAddress=OptionalProperties
+url=OptionalProperties
+userCert=OptionalProperties
+userCertificate=OptionalProperties
+userSMIMECertificate=OptionalProperties
+uSNChanged=OptionalProperties
+uSNCreated=OptionalProperties
+uSNDSALastObjRemoved=OptionalProperties
+USNIntersite=OptionalProperties
+uSNLastObjRem=OptionalProperties
+uSNSource=OptionalProperties
+wbemPath=OptionalProperties
+wellKnownObjects=OptionalProperties
+whenChanged=OptionalProperties
+whenCreated=OptionalProperties
+wWWHomePage=OptionalProperties",2014-12-29T16:55:55.160-0800
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,

deployment-apps/Splunk_TA_microsoft_ad_FW/splunkbase.manifest

@@ -0,0 +1,193 @@
+{
+  "version": "1.0",
+  "date": "2022-11-12T09:53:00.606260897Z",
+  "hashAlgorithm": "SHA-256",
+  "app": {
+    "id": 3207,
+    "version": "1.0.0",
+    "files": [
+      {
+        "path": "README.txt",
+        "hash": "335c6eb5154d29dea68740224a32828835539dbf51d63580491ff05dfe216f0f"
+      },
+      {
+        "path": "appserver/static/appIcon.png",
+        "hash": "b0bca6df1563c074c7dbfcac48a7b67cef44697b42e76ffbb76b999f0383ccdc"
+      },
+      {
+        "path": "bin/Invoke-MonitoredScript.ps1",
+        "hash": "fb3a7f75f06713aebe80d3d1d10db61664fcd38d2a1fc0bc763353d38b666dcf"
+      },
+      {
+        "path": "bin/powershell/2012r2-health.ps1",
+        "hash": "6544efaf45d1678f8e5568d9c88735cc41bbcd695932c6dfc1fbc554edeece9d"
+      },
+      {
+        "path": "bin/powershell/2012r2-repl-stats.ps1",
+        "hash": "cda4c1ce194a0938b2203ca848fe0444edc35dcfa95883830c8edf6787b382dd"
+      },
+      {
+        "path": "bin/powershell/2012r2-siteinfo.ps1",
+        "hash": "66b9c4f04827278ee4e1fd4bcafa4450e3a486929dbf2c8f64ad219483a57957"
+      },
+      {
+        "path": "bin/powershell/nt6-health.ps1",
+        "hash": "8dc46640de6994cd95afdeac7c089adc7802a7683dd275b3095a1c48b8d4bef4"
+      },
+      {
+        "path": "bin/powershell/nt6-repl-stat.ps1",
+        "hash": "748e1080879de1f0f57c37d45139e81754148fd8eb8011cabd970433bc19e7f7"
+      },
+      {
+        "path": "bin/powershell/nt6-siteinfo.ps1",
+        "hash": "4a373467f500ecd2e2f7c2c669a8e81f945d4cd5d64be6123aa6f5ecf16c1bea"
+      },
+      {
+        "path": "bin/runpowershell.cmd",
+        "hash": "beea35625656a376f6ee73ce9c7d68af385cff7530633047ca5d13c3206f663a"
+      },
+      {
+        "path": "default/admon.conf",
+        "hash": "358a14c4789b1f57b39965c74e0296cb27a5a2935fb76a47932f259aaf46643f"
+      },
+      {
+        "path": "default/app.conf",
+        "hash": "d0784e87a2d5b06e617a422661db24462e3ef5760651e8c0577a696a40460c79"
+      },
+      {
+        "path": "default/eventgen.conf",
+        "hash": "f382ca4a7453479af1f4032fdcf39256f210c20c6341fff418044385b9a656e8"
+      },
+      {
+        "path": "default/eventtypes.conf",
+        "hash": "167a365b1bcb855c34545aa109c05477d94b41dfa887424fa8ac4e2779ad4808"
+      },
+      {
+        "path": "default/indexes.conf",
+        "hash": "8b901fd7fc55c8d28594ef2c24d9596c8e23975b1b03a51b51a3bb23e70dbacb"
+      },
+      {
+        "path": "default/inputs.conf",
+        "hash": "d252aec114efbb3bc3d0e3e3df4916bfad28fe460a8ddac6ef2c8707c71323a2"
+      },
+      {
+        "path": "default/perfmon.conf",
+        "hash": "f91ccffd1eea74e5d9827f02fddfe91267008a1b4f750798a58c81e980c895b1"
+      },
+      {
+        "path": "default/props.conf",
+        "hash": "af9d9b9eddf5b22d722c89dff1d27ec57bc6cf7b4a71a125733f1bfc284f3064"
+      },
+      {
+        "path": "default/transforms.conf",
+        "hash": "785168b8b71f0e3d27683b2611c4ac1eefd218963055edef73572466682a27f9"
+      },
+      {
+        "path": "license-eula.rtf",
+        "hash": "52ed437423e1fec818c133c2aa5399a09051e3d852214bb097abd4493bf524c7"
+      },
+      {
+        "path": "license-eula.txt",
+        "hash": "b1f64d4d3c6a8711e9967e05a2f2e354e24273191ac98ffd0b643319e60ac747"
+      },
+      {
+        "path": "metadata/default.meta",
+        "hash": "36b54b7b56bb6b352ad81dccdbca54060ff8eec123b82fa8730d88ec650a0521"
+      },
+      {
+        "path": "samples/MSAD-NT6-Health.sample",
+        "hash": "f96d77e334d2d37807b0c62686b9c3ab8526bd32c63c83fdb8c0f9787bebd0c6"
+      },
+      {
+        "path": "samples/MSAD-NT6-SiteInfo.sample",
+        "hash": "1929c250bfbd950d166236f7d54d63e27d62411ed4616bed2022ad02894430d0"
+      },
+      {
+        "path": "samples/WinEventLog-DFS-Replication.csv",
+        "hash": "b6262233298831a28339b739124d8ef492e2cecc8d511f35bfe0205c99d64211"
+      },
+      {
+        "path": "samples/WinEventLog-Directory-Service.csv",
+        "hash": "4bf5b618e367198567611a26425feb63452104ac5ec851d273e884a58fbc77ad"
+      },
+      {
+        "path": "samples/perfmon-Memory.csv",
+        "hash": "4f10667c0658cc8f14b3d668f34aa48c169b7a7342b6deb95229dcf9d3a12924"
+      },
+      {
+        "path": "samples/perfmon-NTDS.csv",
+        "hash": "796f6ff5cca1cb241109fdeebde0412bf5e8c389111387f3e8c2e7c62464a054"
+      },
+      {
+        "path": "samples/perfmon-Network_Interface.csv",
+        "hash": "19dd51d72a585d672dbe311d368b398093b45fe9bc034931b47dae490277c429"
+      },
+      {
+        "path": "samples/perfmon-Processor.csv",
+        "hash": "dfebcace4f6788d39e694d4732c36142c53d4e5a75b58fdcde8e7da44e4933cb"
+      },
+      {
+        "path": "samples/sourcetype-ActiveDirectory.csv",
+        "hash": "c259d6b8e932b7c433769e75ce574acfc555070ab881da0b1bcf51c17f4825ed"
+      },
+      {
+        "path": "static/appIcon.png",
+        "hash": "ed6f90e4767434de479b483bbf61a33e6a6df49e6343e175a4429571d6f94ca4"
+      },
+      {
+        "path": "static/appIconAlt.png",
+        "hash": "ed6f90e4767434de479b483bbf61a33e6a6df49e6343e175a4429571d6f94ca4"
+      },
+      {
+        "path": "static/appIcon_2x.png",
+        "hash": "ed6f90e4767434de479b483bbf61a33e6a6df49e6343e175a4429571d6f94ca4"
+      },
+      {
+        "path": "static/appIconAlt_2x.png",
+        "hash": "ed6f90e4767434de479b483bbf61a33e6a6df49e6343e175a4429571d6f94ca4"
+      }
+    ]
+  },
+  "products": [
+    {
+      "platform": "splunk",
+      "product": "enterprise",
+      "versions": [
+        "7.0",
+        "7.1",
+        "7.2"
+      ],
+      "architectures": [
+        "x86_64"
+      ],
+      "operatingSystems": [
+        "windows",
+        "linux",
+        "macos",
+        "freebsd",
+        "solaris",
+        "aix"
+      ]
+    },
+    {
+      "platform": "splunk",
+      "product": "cloud",
+      "versions": [
+        "7.0",
+        "7.1",
+        "7.2"
+      ],
+      "architectures": [
+        "x86_64"
+      ],
+      "operatingSystems": [
+        "windows",
+        "linux",
+        "macos",
+        "freebsd",
+        "solaris",
+        "aix"
+      ]
+    }
+  ]
+}

deployment-apps/Splunk_TA_microsoft_ad_FW_Other/bin/Invoke-MonitoredScript.ps1

@@ -0,0 +1,89 @@
+<#
+    .SYNOPSIS
+        & .\Invoke-MonitoredScript.ps1 "MyScript.ps1"
+        
+    .DESCRIPTION
+        Outputs additional Splunk events related to the running and
+        errors in the script.
+#>
+[CmdletBinding()]
+param(
+    #Command to execute.
+    [Parameter(Position=0, Mandatory=$true)]
+    [ValidateNotNullOrEmpty()]
+    [string] $Command,
+	
+	# Splunk Sourcetype Prefix for generated events
+    [Parameter()]
+    [ValidateNotNull()]
+    [string] $SourceTypePrefix="Powershell:",
+	
+	# Maximum number of errors to convert into events
+    [Parameter()]
+    [ValidateRange(0, 100)]
+    [int] $MaxErrorCount
+)
+
+$WrappedScriptExecutionSummary= New-Object -TypeName PSObject -Property (
+    [ordered]@{
+        SplunkSourceType="$($SourceTypePrefix)ScriptExecutionSummary";
+        Identity=[guid]::NewGuid().ToString();
+        InvocationLine=$MyInvocation.Line;
+        TerminatingError=$false; ErrorCount=0; Elapsed=""
+    })
+$originalLocation = Get-Location
+
+try
+{
+    Set-Location (Split-Path -Parent $MyInvocation.MyCommand.Definition)
+    $ScriptStopWatch = [System.Diagnostics.Stopwatch]::StartNew()
+    $Error.Clear()
+    Invoke-Expression $Command
+}
+catch
+{
+    $WrappedScriptExecutionSummary.TerminatingError = $true;
+}
+finally
+{
+    Set-Location $originalLocation
+    $WrappedScriptExecutionSummary.Elapsed = $ScriptStopWatch.Elapsed.ToString("hh\:mm\:ss\.fff")
+    $WrappedScriptExecutionSummary.ErrorCount = $Error.Count
+        
+    if ($Error.Count -gt 0) {
+        $ei = $Error.Count - 1
+        if ($PSBoundParameters.ContainsKey('MaxErrorCount')) {
+            if ($MaxErrorCount -lt $Error.Count) {
+                $ei = $MaxErrorCount - 1
+            }
+            # Always emit terminating errors
+            if ($ei -eq -1 -and $WrappedScriptExecutionSummary.TerminatingError) {
+                $ei = 1
+            }
+        }
+
+        for(; $ei -ge 0; $ei--) {
+            $errorRecord = New-Object -TypeName PSObject -Property (
+                [ordered]@{
+                    SplunkSourceType="$($SourceTypePrefix)ScriptExecutionErrorRecord";
+                    ParentIdentity=$WrappedScriptExecutionSummary.Identity;
+                    ErrorIndex=$ei;
+                    ErrorMessage=$Error[$ei].ToString();
+                    PositionMessage=$Error[$ei].InvocationInfo.PositionMessage;
+                    CategoryInfo=$Error[$ei].CategoryInfo.ToString();
+                    FullyQualifiedErrorId=$Error[$ei].FullyQualifiedErrorId
+                })
+
+            if ($Error[$ei].Exception -ne $null) {
+                Add-Member -InputObject $errorRecord -MemberType NoteProperty -Name Exception -Value $Error[$ei].Exception.ToString()
+                if ($Error[$ei].Exception.InnerException -ne $null) {
+                    Add-Member -InputObject $errorRecord -MemberType NoteProperty -Name InnerException -Value $Error[$ei].Exception.InnerException.ToString()
+                }
+            }
+
+            Write-Output $errorRecord
+        }
+    }
+
+    Write-Output $WrappedScriptExecutionSummary
+}

deployment-apps/Splunk_TA_microsoft_ad_FW_Other/bin/powershell/2012r2-health.ps1

@@ -0,0 +1,58 @@
+Import-Module ActiveDirectory -ErrorAction SilentlyContinue
+
+$ServerName = $env:ComputerName
+
+$DomainController = Get-ADDomainController -Identity $ServerName	
+$Domain 		  = Get-ADDomain -Identity $DomainController.Domain
+$Forest			  = Get-ADForest -Identity $DomainController.Forest
+$ReplicationSite  = Get-ADReplicationSite -Identity $DomainController.Site
+$Computer		  = Get-ADComputer -Identity $ServerName -Properties *
+$RootDSE		  = Get-ADRootDSE -Server $ServerName
+$RequiredServices = @( "ntfrs", "dfsr", "netlogon", "kdc", "w32time", "ismserv" )
+
+$ISTG 		  = ($DomainController.NTDSSettingsObjectDN -eq $ReplicationSite.InterSiteTopologyGenerator)
+$SYSVOL 	  = (Get-SMBShare SYSVOL -ErrorAction SilentlyContinue)
+Try {
+    $DnsRegister  = [System.Net.Dns]::GetHostByName($DomainController.HostName)
+} Catch { 
+    # The Catch will set $DnsRegister = $null if the GetHostByName fails for some reason
+}
+$SchemaVersion= Get-ADObject -Filter * -SearchScope Base -Properties objectVersion `
+			-SearchBase $RootDSE.schemaNamingContext
+$DCWeight	  = (Get-Item "HKLM:System\CurrentControlSet\Services\Netlogon\Parameters").GetValue("LdapSrvWeight", $null)
+if (!$DCWeight -or $DCWeight -eq $null -or $DCWeight -eq "") {
+	$DCWeight = 100
+}
+$FSMORoles 	= ($DomainController | Select -Expand OperationMasterRoles | %{ $_.ToString().Replace("Master","") } )
+
+$SvcRunning	= @(Get-Service $RequiredServices | ? Status -eq "Running" | select -expand Name)
+$SvcStopped	= @(Get-Service $RequiredServices | ? Status -ne "Running" | select -expand Name)
+$ProcsOK	= (($SvcStopped.Count -eq 0) -or ($SvcStopped.Count -eq 1 -and ($SvcStopped[0] -eq "ntfrs" -or $SvcStopped[0] -eq "dfsr")))
+
+New-Object PSObject -Property @{
+	Server			= $DomainController.Name
+	DomainDNSName	= $DomainController.Domain
+	DomainNetBIOSName = $Domain.NetBIOSName
+	DomainLevel		= $Domain.DomainMode
+	Site			= $DomainController.Site
+	ForestName		= $DomainController.Forest
+	ForestLevel		= $Forest.ForestMode
+	Created			= $Computer.whenCreated
+	Changed			= $Computer.whenChanged
+	GlobalCatalog	= $DomainController.IsGlobalCatalog
+	RODC			= $DomainController.IsReadOnly
+	Enabled			= $DomainController.Enabled
+	HighestUSN		= $RootDSE.highestCommittedUSN
+	SchemaVersion	= $SchemaVersion.objectVersion
+	DCWeight		= $DCWeight
+	IsIntersiteTopologyGenerator = $ISTG
+	OperatingSystem	= $DomainController.OperatingSystem
+	ServicePack		= $DomainController.OperatingSystemServicePack
+	OSVersion		= $DomainController.OperatingSystemVersion
+	FSMORoles		= $FSMORoles -join " "
+	ServicesRunning	= $SvcRunning -join ","
+	ServicesNotRunning = $SvcStopped -join ","
+	ProcsOK			= $ProcsOK
+	SYSVOLShare		= ($SYSVOL -ne $null)
+	DNSRegister		= ($DnsRegister -ne $null)
+}

deployment-apps/Splunk_TA_microsoft_ad_FW_Other/bin/powershell/2012r2-repl-stats.ps1

@@ -0,0 +1,17 @@
+Import-Module ActiveDirectory -ErrorAction SilentlyContinue
+
+Get-ADReplicationPartnerMetaData -Target $env:ComputerName -PartnerType Inbound -Partition * | %{
+	$src_host = Get-ADObject -Filter * -SearchBase $_.Partner.Replace("CN=NTDS Settings,","") `
+				-SearchScope Base -Properties dNSHostName
+
+	New-Object PSObject -Property @{
+		LastAttemptedSync	= $_.LastReplicationAttempt
+		LastSuccessfulSync	= $_.LastReplicationSuccess
+		type			= "ReplicationEvent"
+		usn			= $_.LastChangeUsn
+		src_host		= $src_host.dNSHostName
+		Result			= $_.LastReplicationResult
+		transport		= $_.IntersiteTransportType
+		naming_context		= $_.Partition
+	}	
+}

deployment-apps/Splunk_TA_microsoft_ad_FW_Other/bin/powershell/2012r2-siteinfo.ps1

@@ -0,0 +1,74 @@
+Import-Module ActiveDirectory -ErrorAction SilentlyContinue
+#
+# Get the Information about this site
+#
+$ServerName = $env:ComputerName
+
+$DC 	= Get-ADDomainController -Identity $ServerName
+$Site	= Get-ADReplicationSite -Identity $DC.Site
+$Object = Get-ADObject -Filter * -SearchScope base -Properties * `
+		-SearchBase $Site.DistinguishedName
+
+$Location 	= if ($Object.location -eq $null) { "" } else { $Object.location }
+$ISTG	  	= Get-ADDomainController -Filter `
+			'NTDSSettingsObjectDN -eq $Site.IntersiteTopologyGenerator'
+$SiteLinks 	= Get-ADReplicationSiteLink -Filter 'SitesIncluded -eq $Site' -Properties *
+$AdjacentSites 	= ($SiteLinks | Select -Expand SitesIncluded | `
+			Where-Object { $_ -ne $Site.DistinguishedName } | `
+			Sort-Object | Get-Unique | `
+			Foreach-Object { Get-ADReplicationSite $_ } )
+$Subnets	= Get-ADReplicationSubnet -Filter 'Site -eq $Site'
+
+########################################################################
+#
+# SITE
+#
+$SiteInfo = @(
+	"Type=`"Site`""
+	"ForestName=`"$($DC.Forest)`""
+	"Site=`"$($Object.CN)`""
+	"Location=`"$Location`""
+	"IntersiteTopologyGenerator=`"$($ISTG.HostName)`""
+)
+$AdjacentSites | %{ $SiteLink += "AdjacentSite=`"$($_.Name)`"" }
+$SiteLinks     | %{ $SiteInfo += "SiteLink=`"$($_.Name)`"" }
+$Subnets       | %{ $SiteInfo += "Subnet=`"$($_.Name)`"" }
+Write-Output ($SiteInfo -join " ")
+#
+########################################################################
+#
+# SITELINK
+#
+$SiteLinks | %{
+	# These values are not stored in the object unless you change them
+	$cost 		= if ($_.Cost -eq $null) { 100 } else { $_.Cost }
+	$options 	= if ($_.options -eq $null) { 0 } else { $_.options }
+	$replInterval	= if ($_.replInterval -eq $null) { 180 * 60 } else { $_.replInterval * 60 }
+	$notifications	= if ($options -band 0x01) { "True" } else { "False" }
+	$reciprocal 	= if ($options -band 0x02) { "True" } else { "False" }
+	$compression	= if ($options -band 0x04) { "False" } else { "True" }
+
+	$SiteLink = @(
+		"Type=`"SiteLink`""
+		"ForestName=`"$($DC.Forest)`""
+		"Name=`"$($_.Name)`""
+		"Cost=`"$($_.Cost)`""
+		"DataCompressionEnabled=$compression"
+		"NotificationEnabled=$notifications"
+		"ReciprocalReplicationEnabled=$reciprocal"
+		"TransportType=$($_.InterSiteTransportProtocol)" 
+		"ReplicationIntervalSecs=$replInterval"
+	)
+	Write-Output ($SiteLink -join " ")
+}
+
+$Subnets | Foreach-Object {
+	$Subnet = @(
+		"Type=`"Subnet`""
+		"ForestName=`"$($DC.Forest)`""
+		"Name=`"$($_.Name)`""
+		"Site=`"$($Site.Name)`""
+		"Location=`"$($_.Location)`""
+	)
+	Write-Output ($Subnet -join " ")
+}

deployment-apps/Splunk_TA_microsoft_ad_FW_Other/bin/powershell/nt6-health.ps1

@@ -0,0 +1,170 @@
+#
+# Determine the health and statistics of this Active Directory Controller
+#
+$Output = New-Object System.Collections.ArrayList
+$Date = Get-Date -format 'yyyy-MM-ddTHH:mm:sszzz'
+[void]$Output.Add($Date)			
+
+# Name of Server
+$ServerName = $env:ComputerName
+[void]$Output.Add("Server=""$ServerName""")
+$BSSN = "\\" + $ServerName
+
+# Domain Information
+
+$S_DS_AD_DOM = [System.DirectoryServices.ActiveDirectory.Domain]::getComputerDomain()
+$WMI_CS      = (Get-WmiObject Win32_ComputerSystem)
+$WMI_DOMAIN	 = Get-WmiObject Win32_NTDomain | Where-Object {$_.DomainControllerName -eq $BSSN}
+
+$DomainDNSName = $WMI_CS.Domain
+$DomainNetBIOSName = $WMI_DOMAIN.DomainName
+$DomainLevel   = $S_DS_AD_DOM.DomainMode
+[void]$Output.Add("DomainDNSName=`"$DomainDNSName`"");
+[void]$Output.Add("DomainNetBIOSName=`"$DomainNetBIOSName`"");
+[void]$Output.Add("DomainLevel=`"$DomainLevel`"");
+
+# Site Information
+$SiteName = $WMI_DOMAIN.ClientSiteName
+[void]$Output.Add("Site=`"$SiteName`"");
+
+# Forest Information
+$ForestName = $S_DS_AD_DOM.Forest.Name
+$ForestLevel = $S_DS_AD_DOM.Forest.ForestMode
+[void]$Output.Add("ForestName=`"$ForestName`"");
+[void]$Output.Add("ForestLevel=`"$ForestLevel`"");
+
+# Domain Controller Flags
+$IsRO = "False"
+$IsEnabled = "False"
+$IsGC = "False"
+$USN = "Unknown"
+$MyName = ($env:ComputerName + "." + $DomainDNSName).ToLower()
+if ($WMI_DOMAIN.Status -eq "OK") {
+	$MyDC = $S_DS_AD_DOM.DomainControllers | Where-Object { $_.Name.ToLower() -eq $MyName.ToLower() }
+	if ($MyDC) {
+		if ($MyDC.IsGlobalCatalog()) {
+			$IsGC = "True"
+		}
+		$USN = $MyDC.HighestCommittedUsn
+		$IsEnabled = "True"
+		
+		$entry = $MyDC.getDirectoryEntry()
+		[void]$Output.Add("Created=`"$($entry.whenCreated)`"")
+		[void]$Output.Add("Changed=`"$($entry.whenChanged)`"")
+		
+		$DN = $entry.Path
+		$ServerEntry = [ADSI]"$DN"
+		$ServerEntry.GetInfoEx(@("msDS-IsRODC"),0)
+		$IsRO = $ServerEntry."msDS-IsRODC"
+	}
+}
+[void]$Output.Add("GlobalCatalog=`"$IsGC`"")
+[void]$Output.Add("RODC=`"$IsRO`"")
+[void]$Output.Add("Enabled=`"$IsEnabled`"")
+[void]$Output.Add("HighestUSN=`"$USN`"")
+
+$SchemaInfo = Get-Item "HKLM:System\CurrentControlSet\Services\NTDS\Parameters"
+$SchemaVersion = $SchemaInfo.GetValue("Schema Version")
+[void]$Output.Add("SchemaVersion=$SchemaVersion")
+
+$NetLogonParams = Get-Item "HKLM:System\CurrentControlSet\Services\Netlogon\Parameters"
+$DCWeight = $NetLogonParams.GetValue("LdapSrvWeight", $null)
+if (!$DCWeight -or $DCWeight -eq $null -or $DCWeight -eq "") {
+	$DCWeight = 100	# This is the default value
+}
+[void]$Output.Add("DCWeight=$DCWeight")
+
+$SiteInfoObj = [System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest().Sites | Where-Object { $_.Name -eq $SiteName }
+
+# Is this host a BridgeHead Server?
+# Field BridgeheadServer (Collection of DirectoryServer objects - check to see if we are listed and set IsBridgeHeadServer=True/False accordingly)
+
+# Is this host a Intersite Topology Generator
+if ($SiteInfoObj.IntersiteTopologyGenerator.Name -and ($SiteInfoObj.IntersiteTopologyGenerator.Name -eq $ServerName -or $SiteInfoObj.IntersiteTopologyGenerator.Name.ToLower() -eq $MyName)) {
+	[void]$Output.Add("IsIntersiteTopologyGenerator=`"True`"")
+} else {
+	[void]$Output.Add("IsIntersiteTopologyGenerator=`"False`"")
+}
+
+
+#
+# Windows Version and Build #
+#
+$WindowsInfo = Get-Item "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion"
+$OS = $WindowsInfo.GetValue("ProductName")
+$OSSP = $WindowsInfo.GetValue("CSDVersion")
+$WinVer = $WindowsInfo.GetValue("CurrentVersion")
+$WinBuild = $WindowsInfo.GetValue("CurrentBuildNumber")
+$OSVER = "$WinVer ($WinBuild)"
+
+[void]$Output.Add("OperatingSystem=""$OS""")
+[void]$Output.Add("ServicePack=""$OSSP""")
+[void]$Output.Add("OSVersion=""$OSVER""")
+
+#
+# FSMO Roles (Schema, DomainNaming, Infrastructure, RIDMaster, PDC)
+#
+$aFSMO = @()
+if ($MyDC -and $MyDC.Roles) {
+	foreach ($role in $MyDC.Roles) {
+		switch ($role) {
+			"SchemaRole"			{ $aFSMO += "Schema" }
+			"NamingRole"			{ $aFSMO += "DomainNaming" }
+			"InfrastructureRole"	{ $aFSMO += "Infrastructure" }
+			"PdcRole"				{ $aFSMO += "PDCEmulator" }
+			"RidRole"				{ $aFSMO += "RIDMaster" }
+		}
+	}
+}
+$FSMORoles = [string]::join(' ', $aFSMO)
+[void]$Output.Add("FSMORoles=""$FSMORoles""")
+
+#
+# Required Processes Running
+#		FRS, DFS-R, Net Logon, KDC, W32Time, ISMSERV
+#
+$RequiredServices = @( "ntfrs", "dfsr", "netlogon", "kdc", "w32time", "ismserv" )
+$srvr = @()
+$srvnr = @()
+foreach ($srv in $RequiredServices) {
+	$status = (Get-Service $srv).Status
+	if ($status -eq "Running") {
+		$srvr += $srv
+	} else {
+		$srvnr += $srv
+	}
+}
+# Note that the only case that ProcsOK == True is when there is ONE service
+# that isn't running - You need one replication services (ntfrs or dfsr) but
+# not both
+$ProcsOK = "False"
+if (($srvnr.Count -eq 0) -or ($srvnr.Count -eq 1 -and ($srvnr[0] -eq "ntfrs" -or $srvnr[0] -eq "dfsr"))) {
+	$ProcsOK = "True"
+}
+$ServicesRunning = [string]::join(',', $srvr)
+$ServicesNotRunning = [string]::join(',', $srvnr)
+[void]$Output.Add("ServicesRunning=""$ServicesRunning""")
+[void]$Output.Add("ServicesNotRunning=""$ServicesNotRunning""")
+[void]$Output.Add("ProcsOK=""$ProcsOK""")
+
+# 
+# Look for Common Problems
+#		SYSVOL is shared out
+#		DC is registered in DNS
+#
+$SysvolShare = (Get-WmiObject Win32_Share|Where-Object { $_.Name -eq "SYSVOL" })
+if ($SysvolShare) {
+	[void]$Output.Add("SYSVOLShare=""True""")
+} else {
+	[void]$Output.Add("SYSVOLShare=""False""")
+}
+
+$DNSEntry = ([System.Net.DNS]::GetHostEntry($ServerName))
+if ($DNSEntry) {
+	[void]$Output.Add("DNSRegister=""True""")
+} else {
+	[void]$Output.Add("DNSRegister=""False""")
+}
+
+# Output the final string
+Write-Host ($output -join " ") 

deployment-apps/Splunk_TA_microsoft_ad_FW_Other/bin/powershell/nt6-siteinfo.ps1

@@ -0,0 +1,41 @@
+#
+# Determine and output information about the Site the server is a member of
+#
+
+$ServerName = $env:ComputerName
+$BSSN = "\\" + $ServerName
+$WMI_DOMAIN	 = Get-WmiObject Win32_NTDomain | Where-Object {$_.DomainControllerName -eq $BSSN}
+$SiteName = $WMI_DOMAIN.ClientSiteName
+$ForestName = [System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest().Name
+
+$Date = Get-Date -format 'yyyy-MM-ddTHH:mm:sszzz'
+$SiteInfoObj = [System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest().Sites | Where-Object { $_.Name -eq $SiteName }
+$ISTG = $SiteInfoObj.IntersiteTopologyGenerator.Name
+
+
+write-host  $Date Type=`"Site`" ForestName=`"$ForestName`" Site=`"$SiteName`" Location=`"$($SiteInfoObj.Location)`" -NoNewline
+$SiteInfoObj.AdjacentSites | Foreach-Object { write-host AdjacentSite=`"$($_.Name)`" -NoNewline }
+write-host IntersiteTopologyGenerator=`"$ISTG`" -NoNewline
+$SiteInfoObj.SiteLinks | Foreach-Object { write-host "" SiteLink=`"$($_.Name)`" -NoNewline }
+$SiteInfoObj.Subnets | Foreach-Object { write-host "" Subnet=`"$($_.Name)`" -nonewline }
+
+write-host #Needed to print a newline for next object
+
+#
+# Output Information about Site Links in this site
+#
+$SiteInfoObj.SiteLinks | Foreach-Object {
+    write-host $Date Type=`"SiteLink`" ForestName=`"$ForestName`" Name=`"$($_.Name)`" Cost=$($_.Cost) DataCompressionEnabled=$($_.DataCompressionEnabled) NotificationEnabled=$($_.NotificationEnabled) ReciprocalReplicationEnabled=$($_.ReciprocalReplicationEnabled) TransportType=$($_.TransportType) ReplicationIntervalSecs=$($_.ReplicationInterval.TotalSeconds) -NoNewLine
+	foreach ($site in $_.Sites) {
+		write-host ""Site=`"$($site.Name)`" -NoNewLine
+	}
+}
+Write-Host  #similar to above
+
+#
+# Output Information about Subnets in this site
+#
+
+$SiteInfoObj.Subnets | Foreach-Object {
+    write-Host $Date Type=`"Subnet`" ForestName=`"$ForestName`" Name=`"$($_.Name)`" Site=`"$SiteName`" Location=`"$($_.Location)`"
+}	

deployment-apps/Splunk_TA_microsoft_ad_FW_Other/bin/runpowershell.cmd

@@ -0,0 +1,14 @@
+@ECHO OFF
+
+:: ######################################################
+:: #
+:: # Splunk for Microsoft Active Directory
+:: # 
+:: # Copyright (C) 2016 Splunk, Inc.
+:: # All Rights Reserved
+:: #
+:: ######################################################
+
+set SplunkApp=Splunk_TA_microsoft_ad
+
+%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe -executionPolicy RemoteSigned -command ". '%SPLUNK_HOME%\etc\apps\%SplunkApp%\bin\powershell\%1'"

deployment-apps/Splunk_TA_microsoft_ad_FW_Other/default/admon.conf

@@ -0,0 +1,3 @@
+[NearestDC]
+disabled = 0
+monitorSubtree = 1

deployment-apps/Splunk_TA_microsoft_ad_FW_Other/default/app.conf

@@ -0,0 +1,16 @@
+[install]
+state = enabled
+is_configured = false
+build = 30
+
+[ui]
+is_visible = false
+label = Splunk Add-on for Microsoft Active Directory
+
+[launcher]
+author = Splunk
+description = {"name":"Splunk Add-on for Microsoft Active Directory"}
+version = 1.0.0
+
+[package]
+id = Splunk_TA_microsoft_ad

deployment-apps/Splunk_TA_microsoft_ad_FW_Other/default/eventgen.conf

@@ -0,0 +1,156 @@
+#### Default replacement for all csv logs
+[perfmon-.*\.csv]
+index=perfmon
+sampletype = csv
+timeMultiple = 2
+## replace timestamp 09/09/2010 23:36:32.0128
+token.0.token = ^(\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2})\.\d+
+token.0.replacementType = timestamp
+token.0.replacement = %m/%d/%Y %H:%M:%S
+
+# Perfmon Collection
+[perfmon-Processor.csv]
+backfill = -15m
+backfillSearch = index=perfmon sourcetype=Perfmon:Processor
+source = Perfmon:Processor
+sourcetype = Perfmon:Processor
+
+[perfmon-Memory.csv]
+backfill = -15m
+backfillSearch = index=perfmon sourcetype=Perfmon:Memory
+source = Perfmon:Memory
+sourcetype = Perfmon:Memory
+
+[perfmon-Network_Interface.csv]
+backfill = -15m
+backfillSearch = index=perfmon sourcetype=Perfmon:Network_Interface
+source = Perfmon:Network_Interface
+sourcetype = Perfmon:Network_Interface
+
+## TODO
+#[perfmon://DFS_Replicated_Folders]
+#object = DFS Replicated Folders
+#counters = Bandwidth Savings Using DFS Replication; RDC Bytes Received; RDC Compressed Size of Files Received; RDC Size of Files Received; RDC Number of Files Received; Compressed Size of Files Received; Size of Files Received; Total Files Received; Deleted Space In Use; Deleted Bytes Cleaned up; Deleted Files Cleaned up; Deleted Bytes Generated; Deleted Files Generated; Updates Dropped; File Installs Retried; File Installs Succeeded; Conflict Folder Cleanups Completed; Conflict Space In Use; Conflict Bytes Cleaned up; Conflict Files Cleaned up; Conflict Bytes Generated; Conflict Files Generated; Staging Space In Use; Staging Bytes Cleaned up; Staging Files Cleaned up; Staging Bytes Generated; Staging Files Generated
+#index=perfmon
+
+[perfmon-NTDS.csv]
+backfill = -15m
+backfillSearch = index=perfmon sourcetype=Perfmon:NTDS
+source = Perfmon:NTDS
+sourcetype = Perfmon:NTDS
+
+# TODO
+#[admon://NearestDC]
+#[sourcetype-ActiveDirectory.csv]
+#sampletype = csv
+#timeMultiple = 2
+#backfill = -15m
+#backfillSearch = index=msad sourcetype=ActiveDirectory
+#index = msad
+#source = ActiveDirectory
+#sourcetype = ActiveDirectory
+## replace timestamp 09/09/2010 23:36:32.0128
+#token.0.token = ^(\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2})\.\d+
+#token.0.replacementType = timestamp
+#token.0.replacement = %m/%d/%Y %H:%M:%S
+
+## TODO
+#[monitor://C:\Windows\debug\netlogon.log]
+#sourcetype=MSAD:NT6:Netlogon
+#index=msad
+
+## Windows 2012 R2
+[WinEventLog-DFS-Replication.csv]
+sampletype = csv
+timeMultiple = 2
+backfill = -15m
+backfillSearch = index=wineventlog sourcetype=WinEventLog:DFS-Replication
+index=wineventlog
+source = WinEventLog:DFS Replication
+sourcetype = WinEventLog:DFS-Replication
+## replace timestamp 03/11/10 01:12:01 PM
+token.0.token = ^\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2}\s+[AaPp][Mm]
+token.0.replacementType = timestamp
+token.0.replacement = %m/%d/%Y %I:%M:%S %p
+
+[WinEventLog-Directory-Service.csv]
+sampletype = csv
+timeMultiple = 2
+backfill = -15m
+backfillSearch = index=wineventlog sourcetype=Directory-Service
+index=wineventlog
+source = WinEventLog:Directory Service
+sourcetype = WinEventLog:Directory-Service
+## replace timestamp 03/11/10 01:12:01 PM
+token.0.token = ^\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2}\s+[AaPp][Mm]
+token.0.replacementType = timestamp
+token.0.replacement = %m/%d/%Y %I:%M:%S %p
+
+## TODO for Win2k3
+#[WinEventLog-File-Replication-Service.csv]
+#sampletype = csv
+#timeMultiple = 2
+#backfill = -15m
+#backfillSearch = index=wineventlog sourcetype=WinEventLog:File-Replication-Service
+#index=wineventlog
+#source = WinEventLog:File Replication Service
+#sourcetype = WinEventLog:File-Replication-Service
+#token.1.token = \d{2}.\d{2}.\d{4} \d{2}.\d{2}.\d{2}.\d{3}
+#token.1.replacementType = timestamp
+#token.1.replacement = %Y-%m-%d %H:%M:%S
+
+## TODO generate events to capture
+#[WinEventLog-Key-Management-Service.csv]
+#sampletype = csv
+#timeMultiple = 2
+#backfill = -15m
+#backfillSearch = index=wineventlog sourcetype=WinEventLog:Key-Management-Service
+#index=wineventlog
+#source = WinEventLog:Key Management Service
+#sourcetype = WinEventLog:Key-Management-Service
+#token.1.token = \d{2}.\d{2}.\d{4} \d{2}.\d{2}.\d{2}.\d{3}
+#token.1.replacementType = timestamp
+#token.1.replacement = %Y-%m-%d %H:%M:%S
+
+## TODO 
+#[MSAD-NT6-ad-repl-stat.sample]
+#timeMultiple = 1
+#backfill = -15m
+#backfillSearch = index=msad sourcetype=MSAD:NT6:Replication
+#index = msad
+#source = Powershell
+#sourcetype = MSAD:NT6:Replication
+#token.0.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}
+#token.0.replacementType = timestamp
+#token.0.replacement = %Y-%m-%d %H:%M:%S,%f
+#token.1.token = \d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}.\d{3}
+#token.1.replacementType = timestamp
+#token.1.replacement = %m-%d-%Y %H:%M:%S.%f
+#token.2.token = \d{2}/\w{3}/\d{4}:\d{2}:\d{2}\:\d{2}.\d{3}
+#token.2.replacementType = timestamp
+#token.2.replacement = %d/%b/%Y:%H:%M:%S.%f
+#token.3.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}
+#token.3.replacementType = timestamp
+#token.3.replacement = %Y-%m-%d %H:%M:%S
+
+#### Default replacement for all sample logs
+[.*\.sample]
+index = msad
+source = Powershell
+token.0.token =  \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}-\d{2}:\d{2}
+token.0.replacementType = timestamp
+token.0.replacement = %Y-%m-%d %H:%M:%S
+
+#[script://.\bin\runpowershell.cmd ad-health.ps1]
+[MSAD-NT6-Health.sample]
+timeMultiple = 1
+backfill = -15m
+backfillSearch = index=msad sourcetype=MSAD:NT6:Health
+sourcetype = MSAD:NT6:Health
+
+#[script://.\bin\runpowershell.cmd siteinfo.ps1]
+[MSAD-NT6-SiteInfo.sample]
+timeMultiple = 1
+backfill = -15m
+backfillSearch = index=msad sourcetype=MSAD:NT6:SiteInfo
+sourcetype = MSAD:NT6:SiteInfo

deployment-apps/Splunk_TA_microsoft_ad_FW_Other/default/eventtypes.conf

@@ -0,0 +1,53 @@
+### AD Eventtypes ####
+
+[admon]
+search = source=ActiveDirectory
+
+[wineventlog-ds]
+search = source="WinEventLog:Directory Service"
+
+[perfmon]
+search = source="Perfmon:*"
+
+[powershell]
+search = source=Powershell
+
+[ad-files]
+search = index=msad 
+
+[perfmon-ntds]
+search = eventtype=perfmon sourcetype="Perfmon:NTDS"
+
+[msad-dc-health]
+search = eventtype=powershell sourcetype="MSAD:*:Health"
+
+[msad-rep-health]
+search = eventtype=powershell sourcetype="MSAD:*:Replication"
+
+[msad-site]
+search = eventtype=powershell sourcetype="MSAD:*:SiteInfo"
+
+[msad-subnetinfo]
+search = eventtype=powershell sourcetype="MSAD:*:SiteInfo" Type="Subnet"
+
+[msad-sitelinkinfo]
+search = eventtype=powershell sourcetype="MSAD:*:SiteInfo" Type="SiteLink"
+
+[msad-siteinfo]
+search = eventtype=powershell sourcetype="MSAD:*:SiteInfo" Type="Site"
+
+[msad-subnet-affinity]
+search = sourcetype="MSAD:*:Netlogon" msad_affinity=NO_CLIENT_SITE
+
+[admon-gpo]
+search = eventtype=admon objectCategory="*CN=Group-Policy-Container*"
+
+[admon-group]
+search = eventtype=admon objectCategory="*CN=Group*"
+
+[admon-computer]
+search = eventtype=admon objectCategory="*CN=Computer*"
+
+[admon-user]
+search = eventtype=admon objectCategory="*CN=Person*"
+

deployment-apps/Splunk_TA_microsoft_ad_FW_Other/default/perfmon.conf

@@ -0,0 +1,42 @@
+[PERFMON:Processor]
+object = Processor
+counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
+instances = *
+interval = 10
+disabled = 0
+index=perfmon
+useEnglishOnly=true
+
+[PERFMON:Memory]
+object = Memory
+counters = Page Faults/sec; Available Bytes; Committed Bytes; Commit Limit; Write Copies/sec; Transition Faults/sec; Cache Faults/sec; Demand Zero Faults/sec; Pages/sec; Pages Input/sec; Page Reads/sec; Pages Output/sec; Pool Paged Bytes; Pool Nonpaged Bytes; Page Writes/sec; Pool Paged Allocs; Pool Nonpaged Allocs; Free System Page Table Entries; Cache Bytes; Cache Bytes Peak; Pool Paged Resident Bytes; System Code Total Bytes; System Code Resident Bytes; System Driver Total Bytes; System Driver Resident Bytes; System Cache Resident Bytes; % Committed Bytes In Use; Available KBytes; Available MBytes; Transition Pages RePurposed/sec; Free & Zero Page List Bytes; Modified Page List Bytes; Standby Cache Reserve Bytes; Standby Cache Normal Priority Bytes; Standby Cache Core Bytes; Long-Term Average Standby Cache Lifetime (s)
+interval = 10
+disabled = 0
+index=perfmon
+useEnglishOnly=true
+
+[PERFMON:Network_Interface]
+object = Network Interface
+counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size  
+instances = *
+interval = 10
+disabled = 0
+index=perfmon
+useEnglishOnly=true
+
+[PERFMON:DFS_Replicated_Folders]
+object = DFS Replicated Folders
+counters = Bandwidth Savings Using DFS Replication; RDC Bytes Received; RDC Compressed Size of Files Received; RDC Size of Files Received; RDC Number of Files Received; Compressed Size of Files Received; Size of Files Received; Total Files Received; Deleted Space In Use; Deleted Bytes Cleaned up; Deleted Files Cleaned up; Deleted Bytes Generated; Deleted Files Generated; Updates Dropped; File Installs Retried; File Installs Succeeded; Conflict Folder Cleanups Completed; Conflict Space In Use; Conflict Bytes Cleaned up; Conflict Files Cleaned up; Conflict Bytes Generated; Conflict Files Generated; Staging Space In Use; Staging Bytes Cleaned up; Staging Files Cleaned up; Staging Bytes Generated; Staging Files Generated
+instances = *
+interval = 30
+disabled = 0
+index=perfmon
+useEnglishOnly=true
+
+[PERFMON:NTDS]
+object = NTDS
+counters = DRA Inbound Properties Total/sec; AB Browses/sec; DRA Inbound Objects Applied/sec; DS Threads in Use; AB Client Sessions; DRA Pending Replication Synchronizations; DRA Inbound Object Updates Remaining in Packet; DS Security Descriptor sub-operations/sec; DS Security Descriptor Propagations Events; LDAP Client Sessions; LDAP Active Threads; LDAP Writes/sec; LDAP Searches/sec; DRA Outbound Objects/sec; DRA Outbound Properties/sec; DRA Inbound Values Total/sec; DRA Sync Requests Made; DRA Sync Requests Successful; DRA Sync Failures on Schema Mismatch; DRA Inbound Objects/sec; DRA Inbound Properties Applied/sec; DRA Inbound Properties Filtered/sec; DS Monitor List Size; DS Notify Queue Size; LDAP UDP operations/sec; DS Search sub-operations/sec; DS Name Cache hit rate; DRA Highest USN Issued (Low part); DRA Highest USN Issued (High part); DRA Highest USN Committed (Low part); DRA Highest USN Committed (High part); DS % Writes from SAM; DS % Writes from DRA; DS % Writes from LDAP; DS % Writes from LSA; DS % Writes from KCC; DS % Writes from NSPI; DS % Writes Other; DS Directory Writes/sec; DS % Searches from SAM; DS % Searches from DRA; DS % Searches from LDAP; DS % Searches from LSA; DS % Searches from KCC; DS % Searches from NSPI; DS % Searches Other; DS Directory Searches/sec; DS % Reads from SAM; DS % Reads from DRA; DRA Inbound Values (DNs only)/sec; DRA Inbound Objects Filtered/sec; DS % Reads from LSA; DS % Reads from KCC; DS % Reads from NSPI; DS % Reads Other; DS Directory Reads/sec; LDAP Successful Binds/sec; LDAP Bind Time; SAM Successful Computer Creations/sec: Includes all requests; SAM Machine Creation Attempts/sec; SAM Successful User Creations/sec; SAM User Creation Attempts/sec; SAM Password Changes/sec; SAM Membership Changes/sec; SAM Display Information Queries/sec; SAM Enumerations/sec; SAM Transitive Membership Evaluations/sec; SAM Non-Transitive Membership Evaluations/sec; SAM Domain Local Group Membership Evaluations/sec; SAM Universal Group Membership Evaluations/sec; SAM Global Group Membership Evaluations/sec; SAM GC Evaluations/sec; DRA Inbound Full Sync Objects Remaining; DRA Inbound Bytes Total/sec; DRA Inbound Bytes Not Compressed (Within Site)/sec; DRA Inbound Bytes Compressed (Between Sites, Before Compression)/sec; DRA Inbound Bytes Compressed (Between Sites, After Compression)/sec; DRA Outbound Bytes Total/sec; DRA Outbound Bytes Not Compressed (Within Site)/sec; DRA Outbound Bytes Compressed (Between Sites, Before Compression)/sec; DRA Outbound Bytes Compressed (Between Sites, After Compression)/sec; DS Client Binds/sec; DS Server Binds/sec; DS Client Name Translations/sec; DS Server Name Translations/sec; DS Security Descriptor Propagator Runtime Queue; DS Security Descriptor Propagator Average Exclusion Time; DRA Outbound Objects Filtered/sec; DRA Outbound Values Total/sec; DRA Outbound Values (DNs only)/sec; AB ANR/sec; AB Property Reads/sec; AB Searches/sec; AB Matches/sec; AB Proxy Lookups/sec; ATQ Threads Total; ATQ Threads LDAP; ATQ Threads Other; DRA Inbound Bytes Total Since Boot; DRA Inbound Bytes Not Compressed (Within Site) Since Boot; DRA Inbound Bytes Compressed (Between Sites, Before Compression) Since Boot; DRA Inbound Bytes Compressed (Between Sites, After Compression) Since Boot; DRA Outbound Bytes Total Since Boot; DRA Outbound Bytes Not Compressed (Within Site) Since Boot; DRA Outbound Bytes Compressed (Between Sites, Before Compression) Since Boot; DRA Outbound Bytes Compressed (Between Sites, After Compression) Since Boot; LDAP New Connections/sec; LDAP Closed Connections/sec; LDAP New SSL Connections/sec; DRA Pending Replication Operations; DRA Threads Getting NC Changes; DRA Threads Getting NC Changes Holding Semaphore; DRA Inbound Link Value Updates Remaining in Packet; DRA Inbound Total Updates Remaining in Packet; DS % Writes from NTDSAPI; DS % Searches from NTDSAPI; DS % Reads from NTDSAPI; SAM Account Group Evaluation Latency; SAM Resource Group Evaluation Latency; ATQ Outstanding Queued Requests; ATQ Request Latency; ATQ Estimated Queue Delay; Tombstones Garbage Collected/sec; Phantoms Cleaned/sec; Link Values Cleaned/sec; Tombstones Visited/sec; Phantoms Visited/sec; NTLM Binds/sec; Negotiated Binds/sec; Digest Binds/sec; Simple Binds/sec; External Binds/sec; Fast Binds/sec; Base searches/sec; Subtree searches/sec; Onelevel searches/sec; Database adds/sec; Database modifys/sec; Database deletes/sec; Database recycles/sec; Approximate highest DNT; Transitive operations/sec; Transitive suboperations/sec; Transitive operations milliseconds run    
+interval = 10
+disabled = 0
+index=perfmon
+useEnglishOnly=true

deployment-apps/Splunk_TA_microsoft_ad_FW_Other/default/props.conf

@@ -0,0 +1,21 @@
+[MSAD:NT6:Health]
+SHOULD_LINEMERGE = false
+CHECK_FOR_HEADER = false
+
+[MSAD:NT6:SiteInfo]
+SHOULD_LINEMERGE = false
+CHECK_FOR_HEADER = false
+REPORT-extractions = MSAD-SiteInfo-AdjacentSites, MSAD-SiteInfo-Sites, MSAD-SiteInfo-SiteLinks, MSAD-SiteInfo-Subnets
+
+[MSAD:NT6:Replication]
+SHOULD_LINEMERGE = false
+CHECK_FOR_HEADER = false
+
+[MSAD:NT6:Netlogon]
+SHOULD_LINEMERGE = false
+CHECK_FOR_HEADER = false
+LINE_BREAKER = ([\r\n]+(?=\d{2}\/\d{2} \d{2}:\d{2}:\d{2} \[))
+EXTRACT-subnetaffinity = \s(?<src_domain>[^:]+): (?<msad_affinity>NO_CLIENT_SITE): (?<src_host>[^\s]+) (?<src_ip>[0-9A-Fa-f:\.]+)
+
+[MSAD:SubnetAffinity]
+EXTRACT-subnetaffinity = (?<src_nt_domain>\w+): NO_CLIENT_SITE: (?<src_host>\w+) (?<src_ip>[0-9\.]+)

deployment-apps/Splunk_TA_microsoft_ad_FW_Other/default/transforms.conf

@@ -0,0 +1,24 @@
+[MSAD-Netlogon-Subnetaffinity]
+DEST_KEY=MetaData:Sourcetype
+REGEX=.*NO_CLIENT_SITE:.*
+FORMAT=sourcetype::MSAD:SubnetAffinity
+
+[MSAD-SiteInfo-AdjacentSites]
+REGEX=AdjacentSite="([^"]+)
+FORMAT=AdjacentSite::$1
+MV_ADD=True
+
+[MSAD-SiteInfo-SiteLinks]
+REGEX=SiteLink="([^"]+)
+FORMAT=SiteLink::$1
+MV_ADD=True
+
+[MSAD-SiteInfo-Sites]
+REGEX=Site="([^"]+)
+FORMAT=Site::$1
+MV_ADD=True
+
+[MSAD-SiteInfo-Subnets]
+REGEX=Subnet="([^"]+)
+FORMAT=Subnet::$1
+MV_ADD=True

deployment-apps/Splunk_TA_microsoft_ad_FW_Other/license-eula.rtf

@@ -0,0 +1,57 @@
+{\rtf1\ansi\ansicpg1252\deff0{\fonttbl{\f0\fswiss\fcharset0 Helvetica;}}
+{\*\generator Msftedit 5.41.21.2508;}
+{\info
+{\title Splunk Software License Agreement}
+{\*\company Splunk Inc.}}\viewkind4\uc1\pard\qc\lang1033\b\f0\fs22 SPLUNK SOFTWARE LICENSE AGREEMENT\par
+\pard\b0\fs18\par
+THIS SPLUNK SOFTWARE LICENSE AGREEMENT (THE "AGREEMENT") GOVERNS ALL SOFTWARE PROVIDED BY SPLUNK INC. ("SPLUNK") INCLUDING FREE SPLUNK SOFTWARE ("FREE SOFTWARE") AND SOFTWARE PURCHASED THROUGH SPLUNK'S ONLINE STORE OR OTHER CHANNELS ("PURCHASED SOFTWARE"), COLLECTIVELY THE SPLUNK SOFTWARE ("SOFTWARE") AND ANY AND ALL UPDATES, UPGRADES, AND MODIFICATIONS THERETO. CONFIRMATION OF YOUR ORDERS ("ORDER CONFIRMATION") WILL BE DEEMED INCORPORATED INTO AND MADE PART OF THIS AGREEMENT.\par
+\par
+YOU WILL BE REQUIRED TO INDICATE YOUR AGREEMENT TO THESE TERMS AND CONDITIONS IN ORDER TO DOWNLOAD THE SOFTWARE AND REGISTER WITH SPLUNK IN ORDER TO OBTAIN LICENSE KEYS NECESSARY TO COMPLETE THE INSTALLATION PROCESS FOR PURCHASED SOFTWARE.  BY CLICKING ON THE "YES" BUTTON, DOWNLOADING OR INSTALLING THE SOFTWARE, OR USING ANY MEDIA THAT CONTAINS THE SOFTWARE, YOU ARE CONSENTING TO BE BOUND BY THIS AGREEMENT.\par
+\par
+IF YOU AGREE TO THESE TERMS ON BEHALF OF A BUSINESS, YOU REPRESENT AND WARRANT THAT YOU HAVE AUTHORITY TO BIND THAT BUSINESS TO THIS AGREEMENT, AND YOUR AGREEMENT TO THESE TERMS WILL BE TREATED AS THE AGREEMENT OF THE BUSINESS. IN THAT EVENT, "YOU" AND "YOUR" REFER HEREIN TO THAT BUSINESS.\par
+\par
+"Splunk Developer API" means the documentation and functionality enabling  the creation of extensions to the Software. "Example Modules" means the  source code and binary form of examples that use the Splunk Developer  API.  \par
+\par
+PURCHASED SOFTWARE TERM. Unless earlier terminated, this Agreement will be  in effect perpetually for any Purchased Software. "Term" means the period in  which the Agreement is in effect.\par
+\par
+PURCHASED SOFTWARE FREE TRIAL. Notwithstanding the foregoing, if the  applicable Order Confirmation is limited to a free trial license, then  the Term will be limited to the free trial period specified in the Order  Confirmation, this Agreement and any license rights granted hereunder will  automatically terminate at the end of the free trial period, and there  will be no Renewal Term. Any license keys provided for a free trial will automatically expire and may cause the Software to become non-operational at the end of the free trial period. Provisions in this Agreement regarding License Fees, Maintenance and Support, and Warranty will not apply to free trials.\par
+\par
+PURCHASED SOFTWARE LICENSE. Subject to your compliance with the terms and conditions of this Agreement, including your payment of the license fees set forth in each Order Confirmation (the "License Fees"), Splunk grants you a nonexclusive, nontransferable, revocable, limited license during the Term to use the Software for which you have paid the applicable License Fees as set forth in your Order Confirmation(s), only for your internal business purposes (which shall include use by consultants, accountants, auditors and attorneys hired to perform services for you) and only subject to the following conditions: you may use each Splunk Server with an Enterprise license to index no more than the peak daily volume of uncompressed data for which you have paid the applicable License Fees as set forth in your Order Confirmation (the "Maximum Peak Daily Volume"). The Software will be configured to display warnings and/or cease indexing data when the Maximum Peak Daily Volume is reached.\par
+\par
+FREE SOFTWARE LICENSE. Subject to the terms and conditions of this Agreement, Splunk grants to You a non-exclusive, worldwide, fully-paid up copyright license to use the Free Splunk Software in binary form only and only subject to the following conditions: (i) to index no more than 500MB of peak daily volume of uncompressed data (the 'Maximum Peak Daily Volume') and only for your internal business purposes (which shall include use by consultants, accountants, auditors and attorneys hired to perform services for you). The Software will be configured to display warnings, reduce available functionality, and/or cease indexing data when the Maximum Peak Daily Volume is reached.\par
+\par
+EXTENSION LICENSE. Splunk further grants to You a non-exclusive, worldwide, fully-paid up copyright license to use the Splunk Developer API and Example Modules included with the Software solely for the purpose of developing extensions to access the Splunk API or Example Modules for Your use in conjunction with the Software (collectively, "Your Extensions"). You agree to assume full responsibility for the performance of Your Extensions, and shall indemnify, hold harmless, and defend Splunk (including all of its officers, employees, directors, subsidiaries, representatives, affiliates and agents) and Splunk's suppliers from and against any claims or lawsuits, including attorney's fees and expenses, that arise or result from Your Extensions pursuant to this Agreement. You retain title to and copyright for Your Extensions, subject to Splunk's title to and copyright for the Software, the Splunk Developer API, and the Example Modules as specified in Ownership and Copyrights, below. This Agreement does not grant you any distribution rights. If you want to distribute or provide to any third parties Your Extensions, you must first register as a Splunk application developer and agree to the Splunk Developer Agreement at http://www.splunk.com/goto/devagreement. You will not remove or change any Splunk copyright notices or branding included in the Splunk Software or required by Splunk's Identity Guidelines as set forth at http://www.splunk.com/goto/splunkpowered, Splunk Developer APIs, or Example Modules, and will include such notices and branding in each copy of Your Extensions, the Splunk Software, the Splunk Developer APIs, and the Examples Modules that you make or distribute.\par
+\par
+PURCHASED SOFTWARE RESTRICTIONS. You agree not to (i) use the Software except as expressly authorized in this Agreement and your Order Confirmation; (ii) copy the Software (except as required to run the Software and for reasonable backup purposes); (iii) modify, adapt, or create derivative works of the Software; (iv) rent, lease, loan, resell, transfer, sublicense (including but not limited to offering any of the functionality of the Software on a service provider, hosted or time sharing basis) or distribute the Software to any third party; (v) decompile, disassemble or reverse-engineer the Software or otherwise attempt to derive the Software source code; (vi) disclose to any third party the results of any benchmark tests or other evaluation of the Software, or (vii) authorize any third parties to do any of the above.\par
+\par
+FREE SOFTWARE RESTRICTIONS. You shall not (i) decompile, disassemble or reverse engineer the Free Software without the express written authorization of Splunk; (ii) modify, adapt, or create derivative works of the Free Software; (iii) rent, lease, loan, or resell the Free Software, the Splunk Developer API, Example Modules, or Your Extensions (including but not limited to offering the functionality of the Free Software on an applications service provider or time sharing basis), except as expressly permitted in the Splunkbase Application Developer Agreement; (iv) decompile, disassemble or reverse-engineer the Software or otherwise attempt to derive the Software source code; (v) disclose to any third party the results of any benchmark tests or other evaluation of the Software, or (vi) authorize any third parties to do any of the above.\par
+\par
+OWNERSHIP. Splunk and/or its licensors own all worldwide right, title and interest in and to the Software, including all worldwide intellectual property rights therein. You will not delete or in any manner alter the copyright, trademark, and other proprietary rights notices appearing in or on the Software as provided. All right, title, and interest in and to all copies the Splunk Developer API, and the Example Modules remains with Splunk and/or its licensors. The Software, Splunk Developer API, and Example Modules are copyrighted and protected by the laws of the United States and other countries, and international treaty provisions. You may not remove any copyright notices from the Software, the Splunk Developer API, or the Example Modules.\par
+\par
+PURCHASED SOFTWARE LICENSE AND FEES. In order to access and use the Software, you are required to pay to Splunk the License Fees in accordance with your Order Confirmation. The License Fees will be due and payable in accordance with the terms set forth in your Order Confirmation. Any failure to pay the License Fees in accordance with an Order Confirmation will result in automatic revocation and termination of this Agreement and all rights and licenses granted hereunder. All License Fees are non-refundable once paid.\par
+\par
+MAINTENANCE AND SUPPORT. Subject to your payment of the applicable annual maintenance and support fees set forth in your Order Confirmation (the "Support Fees"), Splunk will provide the level of support for the Purchased Software identified in your Order Confirmation in accordance with the support descriptions set forth on Splunk's website at www.splunk.com. Splunk is not obligated to support, update or upgrade the Free Software.\par
+\par
+PURCHASED SOFTWARE VERIFICATION AND AUDIT. At Splunk's written request, you will furnish Splunk with a certification signed by an officer of your company verifying that the Software is being used in accordance with the terms and conditions of this Agreement and the applicable Order Confirmations. Upon at least ten (10) days prior written notice, Splunk may audit your use of the Software to ensure that you are in compliance with the terms of this Agreement and the applicable Orders. Any such audit will be conducted during regular business hours at your facilities, will not unreasonably interfere with your business activities and will be in compliance with your reasonable security procedures. You will provide Splunk with access to the relevant records and facilities. If an audit reveals that you have exceeded the daily peak volume during the period audited, then Splunk will invoice you, and you will promptly pay Splunk any underpaid fees based on Splunk's price list in effect at the time the audit is completed. If the daily peak volume usage exceeds ten percent (10%) of the licensed usage, then you will also pay Splunk's reasonable costs of conducting the audit.\par
+\par
+PURCHASED SOFTWARE WARRANTY. Splunk warrants that for a period of thirty (30) days after your registration of the Software with Splunk, the Software will substantially achieve any material function described in documentation for the Software published by Splunk. As Splunk's sole liability and your sole remedy for any failure of the Software to conform to this warranty, Splunk will repair or replace (at Splunk's option) your copy of the Software.\par
+\par
+WARRANTY DISCLAIMER. EXCEPT AS SET FORTH ABOVE, SPLUNK DISCLAIMS ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, QUIET ENJOYMENT AND WARRANTIES ARISING OUT OF COURSE OF DEALING OR USAGE OF TRADE. Splunk does not warrant (i) that the Software, developer's API'S or example modules will meet your requirements, (ii) that the Software will operate in the combinations that you may select, (iii) that the Software will serve the purposes intended by you, or (iv) that the operation of the Software will be error free or uninterrupted or that any Software errors will be corrected.\par
+\par
+LIMITATION OF LIABILITY. SPLUNK'S TOTAL CUMULATIVE LIABILITY TO YOU, FROM ALL CAUSES OF ACTION AND ALL THEORIES OF LIABILITY, WILL BE LIMITED TO AND WILL NOT EXCEED THE AMOUNTS PAID BY YOU TO SPLUNK IN THE TWELVE MONTHS PRIOR TO THE EVENT GIVING RISE TO SUCH LIABILITY. IN NO EVENT WILL SPLUNK BE LIABLE TO YOU FOR ANY SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES (INCLUDING LOSS OF USE, DATA, OR PROFITS, BUSINESS INTERRUPTION, OR COSTS OF PROCURING SUBSTITUTE SOFTWARE) ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT OR THE USE OR PERFORMANCE OF THE SOFTWARE, WHETHER SUCH LIABILITY ARISES FROM CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, AND WHETHER OR NOT SPLUNK HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE. THE PARTIES HAVE AGREED THAT THESE LIMITATIONS WILL SURVIVE AND APPLY EVEN IF ANY REMEDY IS FOUND TO HAVE FAILED OF ITS ESSENTIAL PURPOSE. WITHOUT LIMITING THE FOREGOING, SPLUNK WILL HAVE NO LIABILITY OR RESPONSIBILITY FOR ANY BUSINESS INTERRUPTION OR LOSS OF DATA ARISING FROM THE AUTOMATIC TERMINATION OF THE LICENSE RIGHTS GRANTED HEREIN AND ANY ASSOCIATED CESSATION OF THE SOFTWARE FUNCTIONS. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.\par
+\par
+PURCHASED SOFTWARE INDEMNITY. Splunk will defend, indemnify and hold you harmless from and against any loss, damage, liability or cost (including reasonable attorneys' fees) resulting from any third party claim that the Purchased Software infringes or violates any third party's patent, copyright or trademark rights; provided that you promptly notify Splunk in writing of any and all such claims. In the event of any loss, damage, liability or cost for which Splunk is obligated to indemnify you hereunder, Splunk shall have sole control of the defense and all related settlement negotiations, and you shall reasonably cooperate with Splunk in the defense and/or settlement thereof at Splunk's expense; provided that you may participate in such defense using your own counsel, at your own expense.\par
+\par
+TERMINATION. You may terminate this Agreement at any time by destroying or returning to Splunk all copies of the Software, including any documentation, in your possession and control, and providing to Splunk a written statement signed by an authorized representative of your company notifying Splunk that you are terminating the Agreement and certifying such destruction or return. Upon thirty days notice, Splunk may terminate this Agreement (and your license rights) upon notice in the event that you breach any provision of this Agreement and have not cured the breach during such notice period. Upon any expiration or termination of this Agreement, the rights and licenses granted hereunder will automatically terminate, and you agree to immediately cease using the Software and to return or destroy all copies of the Software in your possession or control. In the event of termination of this Agreement, Splunk will have no obligation to refund any License Fees, Support Fees, or other fees received from you during the Term. All provisions of this Agreement related to disclaimers of warranties, limitation of liability, remedies, damages, or Splunk's proprietary rights shall survive termination.\par
+\par
+SEVERABILITY. All rights and remedies, whether conferred hereunder or by any other instrument or law, will be cumulative and may be exercised singularly or concurrently. Failure by either Splunk or You to enforce any term will not be deemed a waiver of future enforcement of that or any other term. The terms and conditions stated herein are declared to be severable. Should any term(s) or condition(s) of this Agreement be held to be invalid or unenforceable the validity, construction and enforceability of the remaining terms and conditions of this Agreement shall not be affected.\par
+\par
+EXPORT. You agree to comply fully with all relevant export laws and regulations of the United States ("Export Laws") to ensure that the Software is not (i) exported or re-exported directly or indirectly in violation of Export Laws; or (ii) intended to be used for any purposes prohibited by the Export Laws, including but not limited to nuclear, chemical, or biological weapons proliferation.\par
+\par
+GOVERNMENT RESTRICTED RIGHTS. The Software shall be classified as "commercial computer software" as defined in the applicable provisions of the Federal Acquisition Regulation (the "FAR") and supplements thereto, including the Department of Defense (DoD) FAR Supplement (the "DFARS"). The parties acknowledge that the Software was developed entirely at private expense and that no part of the Software was first produced in the performance of a Government contract. If the Software is supplied for use by DoD, the Software is delivered subject to the terms of this Agreement and in accordance with DFARS 227.7202-1(a) and 227.7202-3(a) (1995), with restricted rights in accordance with DFARS 252.227-7013(c)(1)(ii) (OCT 1988), as applicable. If the Software is supplied for use by a Federal agency other than DoD, the Software is restricted computer software delivered subject to the terms of this Agreement and FAR 12.212(a) (1995); (ii) FAR 52.227-19; or FAR 52.227-14(ALT III), as applicable.\par
+\par
+PUBLICITY.  You agree that Splunk may identify you as a Splunk customer on Splunk websites, client lists, press releases, and/or other marketing.  You also agree that Splunk may publish a brief description highlighting your deployment of the Software.\par
+\par
+GENERAL. This Agreement shall be governed by and construed in accordance with the laws of the State of California, as if performed wholly within the state and without giving effect to the principles of conflict of law. Any legal action or proceeding arising under this Agreement will be brought exclusively in the federal or state courts located in the Northern District of California and the parties hereby consent to personal jurisdiction and venue therein. If any portion hereof is found to be void or unenforceable, the remaining provisions of this Agreement shall remain in full force and effect. Neither party may assign this Agreement, in whole or in part, except in connection with an internal reorganization or a sale of the business with which this Agreement is associated without Splunk's prior written consent, and any attempt to assign this Agreement other than as permitted above will be null and void. This Agreement is intended for the sole and exclusive benefit of the parties and is not intended to benefit any third party. Only the parties to this Agreement may enforce it. This Agreement and any Order Confirmations constitute the complete and exclusive understanding and agreement between the parties regarding their subject matter and supersede all prior or contemporaneous agreements or understandings, written or oral, relating to their subject matter. Any waiver, modification or amendment of any provision of this Agreement will be effective only if in writing and signed by duly authorized representatives of both parties.\par
+}
+

deployment-apps/Splunk_TA_microsoft_ad_FW_Other/metadata/default.meta

@@ -0,0 +1,35 @@
+# shared Application-level permissions
+[]
+access = read : [ * ], write : [ admin ]
+export = system
+
+######################################################
+#
+# Splunk for Windows Infrastructure
+# Windows Domain Controller Data Definition
+# 
+# Copyright (C) 2016 Splunk, Inc.
+# All Rights Reserved
+#
+######################################################
+[]
+access = read : [ * ], write : [ admin, power ]
+
+[eventtypes]
+export = system
+
+[props]
+export = system
+
+[transforms]
+export = system
+
+[lookups]
+export = system
+
+[tags]
+export = system
+
+[viewstates]
+access = read : [ * ], write : [ * ]
+export = system

deployment-apps/Splunk_TA_microsoft_ad_FW_Other/samples/MSAD-NT6-Health.sample

@@ -0,0 +1 @@
+2015-01-06T10:37:54-08:00 Server="WIN-6LR3JNJ6LVD" DomainDNSName="spl.com" DomainNetBIOSName="SPL" DomainLevel="Windows2012R2Domain" Site="Default-First-Site-Name" ForestName="spl.com" ForestLevel="Windows2012R2Forest" Created="12/29/2014 23:52:50" Changed="12/29/2014 23:53:54" GlobalCatalog="True" RODC="False" Enabled="True" HighestUSN="13547" SchemaVersion=69 DCWeight=100 IsIntersiteTopologyGenerator="True" OperatingSystem="Windows Server 2012 R2 Datacenter Evaluation" ServicePack="" OSVersion="6.3 (9600)" FSMORoles="Schema DomainNaming PDCEmulator RIDMaster Infrastructure" ServicesRunning="dfsr,netlogon,kdc,w32time,ismserv" ServicesNotRunning="ntfrs" ProcsOK="True" SYSVOLShare="True" DNSRegister="True"

deployment-apps/Splunk_TA_microsoft_ad_FW_Other/samples/MSAD-NT6-SiteInfo.sample

@@ -0,0 +1,2 @@
+2015-01-06T10:52:12-08:00 Type="Site" ForestName="spl.com" Site="Default-First-Site-Name" Location=""IntersiteTopologyGenerator="WIN-6LR3JNJ6LVD.spl.com" SiteLink="DEFAULTIPSITELINK"
+2015-01-06T10:52:12-08:00 Type="SiteLink" ForestName="spl.com" Name="DEFAULTIPSITELINK" Cost=100 DataCompressionEnabled=True NotificationEnabled=False ReciprocalReplicationEnabled=False TransportType=Rpc ReplicationIntervalSecs=10800 Site="Default-First-Site-Name"

deployment-apps/Splunk_TA_microsoft_ad_FW_Other/samples/WinEventLog-DFS-Replication.csv

@@ -0,0 +1,239 @@
+index,host,source,sourcetype,"_raw","_time"
+wineventlog,"WIN-6LR3JNJ6LVD","WinEventLog:DFS Replication","WinEventLog:DFS-Replication","12/29/2014 03:50:21 PM
+LogName=DFS Replication
+SourceName=DFSR
+EventCode=1002
+EventType=4
+Type=Information
+ComputerName=WIN-6LR3JNJ6LVD
+TaskCategory=None
+OpCode=None
+RecordNumber=1
+Keywords=Classic
+Message=The DFS Replication service is starting.","2014-12-29T15:50:21.000-0800"
+wineventlog,"WIN-6LR3JNJ6LVD","WinEventLog:DFS Replication","WinEventLog:DFS-Replication","12/29/2014 03:50:21 PM
+LogName=DFS Replication
+SourceName=DFSR
+EventCode=1004
+EventType=4
+Type=Information
+ComputerName=WIN-6LR3JNJ6LVD
+TaskCategory=None
+OpCode=None
+RecordNumber=2
+Keywords=Classic
+Message=The DFS Replication service has started.","2014-12-29T15:50:21.000-0800"
+wineventlog,"WIN-6LR3JNJ6LVD","WinEventLog:DFS Replication","WinEventLog:DFS-Replication","12/29/2014 03:50:22 PM
+LogName=DFS Replication
+SourceName=DFSR
+EventCode=1314
+EventType=4
+Type=Information
+ComputerName=WIN-6LR3JNJ6LVD
+TaskCategory=None
+OpCode=None
+RecordNumber=3
+Keywords=Classic
+Message=The DFS Replication service successfully configured the debug log files. 
+ 
+Additional Information: 
+Debug Log File Path: C:\Windows\debug","2014-12-29T15:50:22.000-0800"
+wineventlog,"WIN-6LR3JNJ6LVD","WinEventLog:DFS Replication","WinEventLog:DFS-Replication","12/29/2014 03:50:24 PM
+LogName=DFS Replication
+SourceName=DFSR
+EventCode=6102
+EventType=4
+Type=Information
+ComputerName=WIN-6LR3JNJ6LVD
+TaskCategory=None
+OpCode=None
+RecordNumber=4
+Keywords=Classic
+Message=The DFS Replication service has successfully registered the WMI provider.","2014-12-29T15:50:24.000-0800"
+wineventlog,"WIN-6LR3JNJ6LVD","WinEventLog:DFS Replication","WinEventLog:DFS-Replication","12/29/2014 03:50:25 PM
+LogName=DFS Replication
+SourceName=DFSR
+EventCode=1202
+EventType=2
+Type=Error
+ComputerName=WIN-6LR3JNJ6LVD
+TaskCategory=None
+OpCode=None
+RecordNumber=5
+Keywords=Classic
+Message=The DFS Replication service failed to contact domain controller  to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues. 
+ 
+Additional Information: 
+Error: 1355 (The specified domain either does not exist or could not be contacted.)","2014-12-29T15:50:25.000-0800"
+wineventlog,"WIN-6LR3JNJ6LVD","WinEventLog:DFS Replication","WinEventLog:DFS-Replication","12/29/2014 03:52:51 PM
+LogName=DFS Replication
+SourceName=DFSR
+EventCode=1006
+EventType=4
+Type=Information
+ComputerName=WIN-6LR3JNJ6LVD
+TaskCategory=None
+OpCode=None
+RecordNumber=6
+Keywords=Classic
+Message=The DFS Replication service is stopping.","2014-12-29T15:52:51.000-0800"
+wineventlog,"WIN-6LR3JNJ6LVD","WinEventLog:DFS Replication","WinEventLog:DFS-Replication","12/29/2014 03:52:51 PM
+LogName=DFS Replication
+SourceName=DFSR
+EventCode=1008
+EventType=4
+Type=Information
+ComputerName=WIN-6LR3JNJ6LVD
+TaskCategory=None
+OpCode=None
+RecordNumber=7
+Keywords=Classic
+Message=The DFS Replication service has stopped.","2014-12-29T15:52:51.000-0800"
+wineventlog,"WIN-6LR3JNJ6LVD","WinEventLog:DFS Replication","WinEventLog:DFS-Replication","12/29/2014 03:53:56 PM
+LogName=DFS Replication
+SourceName=DFSR
+EventCode=1002
+EventType=4
+Type=Information
+ComputerName=WIN-6LR3JNJ6LVD.spl.com
+TaskCategory=None
+OpCode=None
+RecordNumber=8
+Keywords=Classic
+Message=The DFS Replication service is starting.","2014-12-29T15:53:56.000-0800"
+wineventlog,"WIN-6LR3JNJ6LVD","WinEventLog:DFS Replication","WinEventLog:DFS-Replication","12/29/2014 03:53:56 PM
+LogName=DFS Replication
+SourceName=DFSR
+EventCode=1004
+EventType=4
+Type=Information
+ComputerName=WIN-6LR3JNJ6LVD.spl.com
+TaskCategory=None
+OpCode=None
+RecordNumber=9
+Keywords=Classic
+Message=The DFS Replication service has started.","2014-12-29T15:53:56.000-0800"
+wineventlog,"WIN-6LR3JNJ6LVD","WinEventLog:DFS Replication","WinEventLog:DFS-Replication","12/29/2014 03:53:57 PM
+LogName=DFS Replication
+SourceName=DFSR
+EventCode=1314
+EventType=4
+Type=Information
+ComputerName=WIN-6LR3JNJ6LVD.spl.com
+TaskCategory=None
+OpCode=None
+RecordNumber=10
+Keywords=Classic
+Message=The DFS Replication service successfully configured the debug log files. 
+ 
+Additional Information: 
+Debug Log File Path: C:\Windows\debug","2014-12-29T15:53:57.000-0800"
+wineventlog,"WIN-6LR3JNJ6LVD","WinEventLog:DFS Replication","WinEventLog:DFS-Replication","12/29/2014 03:54:22 PM
+LogName=DFS Replication
+SourceName=DFSR
+EventCode=6102
+EventType=4
+Type=Information
+ComputerName=WIN-6LR3JNJ6LVD.spl.com
+TaskCategory=None
+OpCode=None
+RecordNumber=11
+Keywords=Classic
+Message=The DFS Replication service has successfully registered the WMI provider.","2014-12-29T15:54:22.000-0800"
+wineventlog,"WIN-6LR3JNJ6LVD","WinEventLog:DFS Replication","WinEventLog:DFS-Replication","12/29/2014 03:54:24 PM
+LogName=DFS Replication
+SourceName=DFSR
+EventCode=1206
+EventType=4
+Type=Information
+ComputerName=WIN-6LR3JNJ6LVD.spl.com
+TaskCategory=None
+OpCode=None
+RecordNumber=12
+Keywords=Classic
+Message=The DFS Replication service successfully contacted domain controller WIN-6LR3JNJ6LVD.spl.com to access configuration information.","2014-12-29T15:54:24.000-0800"
+wineventlog,"WIN-6LR3JNJ6LVD","WinEventLog:DFS Replication","WinEventLog:DFS-Replication","12/29/2014 03:54:24 PM
+LogName=DFS Replication
+SourceName=DFSR
+EventCode=8000
+EventType=4
+Type=Information
+ComputerName=WIN-6LR3JNJ6LVD.spl.com
+TaskCategory=None
+OpCode=None
+RecordNumber=13
+Keywords=Classic
+Message=The DFSR global settings required for SYSVOL migration have been successfully created on the Primary Domain Controller WIN-6LR3JNJ6LVD. Migration will not be triggered until the DFSR global settings are replicated to all the Domain Controllers. 
+ 
+Additional Information: 
+Primary Domain Controller: WIN-6LR3JNJ6LVD","2014-12-29T15:54:24.000-0800"
+wineventlog,"WIN-6LR3JNJ6LVD","WinEventLog:DFS Replication","WinEventLog:DFS-Replication","12/29/2014 03:54:24 PM
+LogName=DFS Replication
+SourceName=DFSR
+EventCode=6016
+EventType=3
+Type=Warning
+ComputerName=WIN-6LR3JNJ6LVD.spl.com
+TaskCategory=None
+OpCode=None
+RecordNumber=14
+Keywords=Classic
+Message=The DFS Replication service failed to update configuration in Active Directory Domain Services. The service will retry this operation periodically. 
+ 
+Additional Information: 
+Object Category: msDFSR-LocalSettings 
+Object DN: CN=DFSR-LocalSettings,CN=WIN-6LR3JNJ6LVD,OU=Domain Controllers,DC=spl,DC=com 
+Error: 1355 (The specified domain either does not exist or could not be contacted.) 
+Domain Controller:  
+Polling Cycle: 60","2014-12-29T15:54:24.000-0800"
+wineventlog,"WIN-6LR3JNJ6LVD","WinEventLog:DFS Replication","WinEventLog:DFS-Replication","12/29/2014 03:54:24 PM
+LogName=DFS Replication
+SourceName=DFSR
+EventCode=1210
+EventType=4
+Type=Information
+ComputerName=WIN-6LR3JNJ6LVD.spl.com
+TaskCategory=None
+OpCode=None
+RecordNumber=15
+Keywords=Classic
+Message=The DFS Replication service successfully set up an RPC listener for incoming replication requests. 
+ 
+Additional Information: 
+Port: 0","2014-12-29T15:54:24.000-0800"
+wineventlog,"WIN-6LR3JNJ6LVD","WinEventLog:DFS Replication","WinEventLog:DFS-Replication","12/29/2014 03:54:24 PM
+LogName=DFS Replication
+SourceName=DFSR
+EventCode=4602
+EventType=4
+Type=Information
+ComputerName=WIN-6LR3JNJ6LVD.spl.com
+TaskCategory=None
+OpCode=None
+RecordNumber=16
+Keywords=Classic
+Message=The DFS Replication service successfully initialized the SYSVOL replicated folder at local path C:\Windows\SYSVOL\domain. This member is the designated primary member for this replicated folder. No user action is required. To check for the presence of the SYSVOL share, open a command prompt window and then type ""net share"". 
+ 
+Additional Information: 
+Replicated Folder Name: SYSVOL Share 
+Replicated Folder ID: A79DA0C9-AA74-4327-8F80-912BAE1B5BA5 
+Replication Group Name: Domain System Volume 
+Replication Group ID: 064E4F9C-D856-4C96-BCA0-FCE04B28E229 
+Member ID: 5CDB09D2-F4E2-4974-A9EA-C745E52B961D 
+Read-Only: 0","2014-12-29T15:54:24.000-0800"
+wineventlog,"WIN-6LR3JNJ6LVD","WinEventLog:DFS Replication","WinEventLog:DFS-Replication","12/29/2014 03:59:26 PM
+LogName=DFS Replication
+SourceName=DFSR
+EventCode=6018
+EventType=4
+Type=Information
+ComputerName=WIN-6LR3JNJ6LVD.spl.com
+TaskCategory=None
+OpCode=None
+RecordNumber=17
+Keywords=Classic
+Message=The DFS Replication service successfully updated configuration in Active Directory Domain Services. 
+ 
+Additional Information: 
+Domain Controller: WIN-6LR3JNJ6LVD.spl.com 
+Polling Cycle: 60 minutes","2014-12-29T15:59:26.000-0800"

deployment-apps/Splunk_TA_microsoft_ad_FW_Other/samples/perfmon-Memory.csv

@@ -0,0 +1,691 @@
+index,host,source,sourcetype,"_raw","_time"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","counter=""Available MBytes""
+Value=0
+
+01/07/2015 07:21:33.498
+collection=""Available Memory""
+object=Memory
+counter=""Committed Bytes""
+Value=1102970880
+","2015-01-07T07:21:33.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","counter=""Available MBytes""
+Value=0
+
+01/07/2015 07:21:33.498
+collection=""Available Memory""
+object=Memory
+counter=""Committed Bytes""
+Value=1102970880
+","2015-01-07T07:21:33.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107072144.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T07:21:44.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","01/07/2015 07:23:19.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T07:23:19.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","counter=""Available MBytes""
+Value=432
+
+01/07/2015 07:23:52.498
+collection=""Available Memory""
+object=Memory
+counter=""Committed Bytes""
+Value=649986048
+
+01/07/2015 07:23:52.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T07:23:52.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","counter=""Available MBytes""
+Value=0
+
+01/07/2015 07:24:43.498
+collection=""Available Memory""
+object=Memory
+counter=""Committed Bytes""
+Value=1102970880
+","2015-01-07T07:24:43.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","counter=""Available MBytes""
+Value=432
+
+01/07/2015 07:24:50.498
+collection=""Available Memory""
+object=Memory
+counter=""Committed Bytes""
+Value=649986048
+
+01/07/2015 07:24:50.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T07:24:50.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","01/07/2015 07:24:59.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T07:24:59.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","counter=""Available MBytes""
+Value=432
+
+01/07/2015 07:25:03.498
+collection=""Available Memory""
+object=Memory
+counter=""Committed Bytes""
+Value=649986048
+
+01/07/2015 07:25:03.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T07:25:03.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","01/07/2015 07:25:43.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T07:25:43.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107072600.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T07:26:00.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107072821.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T07:28:21.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107072834.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T07:28:34.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107073052.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T07:30:52.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107073138.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T07:31:38.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107073308.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T07:33:08.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107073346.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T07:33:46.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107073828.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T07:38:28.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107073925.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T07:39:25.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107074014.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T07:40:14.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107074134.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T07:41:34.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107074333.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T07:43:33.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107074623.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T07:46:23.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107074702.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T07:47:02.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107074932.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T07:49:32.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107075020.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T07:50:20.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107075312.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T07:53:12.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107075507.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T07:55:07.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107075509.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T07:55:09.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107075929.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T07:59:29.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107080005.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T08:00:05.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107080137.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T08:01:37.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107080252.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T08:02:52.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107080353.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T08:03:53.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107080522.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T08:05:22.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107080726.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T08:07:26.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107081106.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T08:11:06.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107081145.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T08:11:45.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107081157.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T08:11:57.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107081434.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T08:14:34.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107081625.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T08:16:25.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107081909.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T08:19:09.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107082051.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T08:20:51.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107082113.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T08:21:13.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","counter=""Available MBytes""
+Value=0
+
+01/07/2015 08:22:08.498
+collection=""Available Memory""
+object=Memory
+counter=""Committed Bytes""
+Value=1102970880
+","2015-01-07T08:22:08.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","counter=""Available MBytes""
+Value=432
+
+01/07/2015 08:22:58.498
+collection=""Available Memory""
+object=Memory
+counter=""Committed Bytes""
+Value=649986048
+
+01/07/2015 08:22:58.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T08:22:58.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107082310.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T08:23:10.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","01/07/2015 08:23:13.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T08:23:13.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","01/07/2015 08:23:15.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T08:23:15.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","counter=""Available MBytes""
+Value=0
+
+01/07/2015 08:24:52.498
+collection=""Available Memory""
+object=Memory
+counter=""Committed Bytes""
+Value=1102970880
+","2015-01-07T08:24:52.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107082512.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T08:25:12.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","01/07/2015 08:25:21.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T08:25:21.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107082541.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T08:25:41.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","counter=""Available MBytes""
+Value=0
+
+01/07/2015 08:25:46.498
+collection=""Available Memory""
+object=Memory
+counter=""Committed Bytes""
+Value=1102970880
+","2015-01-07T08:25:46.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","01/07/2015 08:26:34.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T08:26:34.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","counter=""Available MBytes""
+Value=432
+
+01/07/2015 08:26:34.498
+collection=""Available Memory""
+object=Memory
+counter=""Committed Bytes""
+Value=649986048
+
+01/07/2015 08:26:34.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T08:26:34.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","counter=""Available MBytes""
+Value=432
+
+01/07/2015 08:26:54.498
+collection=""Available Memory""
+object=Memory
+counter=""Committed Bytes""
+Value=649986048
+
+01/07/2015 08:26:54.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T08:26:54.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107083207.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T08:32:07.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107083208.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T08:32:08.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107083210.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T08:32:10.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107083306.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T08:33:06.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107083444.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T08:34:44.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107083507.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T08:35:07.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107083840.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T08:38:40.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107084026.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T08:40:26.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107084159.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T08:41:59.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107084335.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T08:43:35.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107084540.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T08:45:40.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107084652.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T08:46:52.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107084750.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T08:47:50.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107084801.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T08:48:01.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107085132.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T08:51:32.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107085245.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T08:52:45.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107085324.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T08:53:24.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107085328.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T08:53:28.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107085939.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T08:59:39.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107090038.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T09:00:38.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107090229.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T09:02:29.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107090255.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T09:02:55.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107090325.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T09:03:25.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107090529.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T09:05:29.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107090756.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T09:07:56.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107091022.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T09:10:22.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107091221.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T09:12:21.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107091358.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T09:13:58.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107091548.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T09:15:48.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107091655.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T09:16:55.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107091951.433557
+AvailableMBytes=620
+CommittedBytes=959897600
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+
+","2015-01-07T09:19:51.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107092121.433557
+AvailableMBytes=0
+CommittedBytes=1610014720
+PagesPersec=0
+PercentCommittedBytesInUse=27
+wmi_type=Memory
+","2015-01-07T09:21:21.433-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","20150107092216.155273
+TotalPhysicalMemory=8589402112
+wmi_type=ComputerSystem
+","2015-01-07T09:22:16.155-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","counter=""Available MBytes""
+Value=0
+
+01/07/2015 09:22:53.498
+collection=""Available Memory""
+object=Memory
+counter=""Committed Bytes""
+Value=1102970880
+","2015-01-07T09:22:53.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","counter=""Available MBytes""
+Value=0
+
+01/07/2015 09:23:22.498
+collection=""Available Memory""
+object=Memory
+counter=""Committed Bytes""
+Value=1102970880
+","2015-01-07T09:23:22.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","counter=""Available MBytes""
+Value=0
+
+01/07/2015 09:24:16.498
+collection=""Available Memory""
+object=Memory
+counter=""Committed Bytes""
+Value=1102970880
+","2015-01-07T09:24:16.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","01/07/2015 09:24:59.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T09:24:59.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","01/07/2015 09:25:17.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T09:25:17.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","counter=""Available MBytes""
+Value=432
+
+01/07/2015 09:25:29.498
+collection=""Available Memory""
+object=Memory
+counter=""Committed Bytes""
+Value=649986048
+
+01/07/2015 09:25:29.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T09:25:29.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","01/07/2015 09:26:18.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T09:26:18.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","01/07/2015 09:26:29.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T09:26:29.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","counter=""Available MBytes""
+Value=432
+
+01/07/2015 09:26:40.498
+collection=""Available Memory""
+object=Memory
+counter=""Committed Bytes""
+Value=649986048
+
+01/07/2015 09:26:40.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T09:26:40.498-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Memory","Perfmon:Memory","counter=""Available MBytes""
+Value=432
+
+01/07/2015 09:27:13.498
+collection=""Available Memory""
+object=Memory
+counter=""Committed Bytes""
+Value=649986048
+
+01/07/2015 09:27:13.498
+collection=""Available Memory""
+object=Memory
+","2015-01-07T09:27:13.498-0800"

deployment-apps/Splunk_TA_microsoft_ad_FW_Other/samples/perfmon-NTDS.csv

@@ -0,0 +1,325 @@
+index,host,source,sourcetype,"_raw","_time"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/06/2015 08:43:05.895 -0800
+collection=NTDS
+object=NTDS
+counter=""SAM Enumerations/sec""
+instance=0
+Value=0.29967345482647922","2015-01-06T08:43:05.895-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/07/2015 16:42:35.898 -0800
+collection=NTDS
+object=NTDS
+counter=""LDAP Writes/sec""
+instance=0
+Value=0.099989717057497818","2015-01-07T16:42:35.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 04:42:55.902 -0800
+collection=NTDS
+object=NTDS
+counter=""Tombstones Visited/sec""
+instance=0
+Value=0.19993737361646211","2015-01-08T04:42:55.902-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 04:57:55.911 -0800
+collection=NTDS
+object=NTDS
+counter=""Link Values Cleaned/sec""
+instance=0
+Value=0.099840647338003227","2015-01-08T04:57:55.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 06:06:35.911 -0800
+collection=NTDS
+object=NTDS
+counter=""ATQ Request Latency""
+instance=0
+Value=1","2015-01-08T06:06:35.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 07:54:25.909 -0800
+collection=NTDS
+object=NTDS
+counter=""SAM Universal Group Membership Evaluations/sec""
+instance=0
+Value=0.79868269270079395","2015-01-08T07:54:25.909-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 07:54:25.909 -0800
+collection=NTDS
+object=NTDS
+counter=""SAM Global Group Membership Evaluations/sec""
+instance=0
+Value=0.39934134635039698","2015-01-08T07:54:25.909-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 10:17:45.896 -0800
+collection=NTDS
+object=NTDS
+counter=""DS Server Name Translations/sec""
+instance=0
+Value=0.10001909164421305","2015-01-08T10:17:45.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 11:35:05.904 -0800
+collection=NTDS
+object=NTDS
+counter=""DS Threads in Use""
+instance=0
+Value=1","2015-01-08T11:35:05.904-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 11:35:05.904 -0800
+collection=NTDS
+object=NTDS
+counter=""LDAP Active Threads""
+instance=0
+Value=1","2015-01-08T11:35:05.904-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 11:35:05.904 -0800
+collection=NTDS
+object=NTDS
+counter=""ATQ Threads LDAP""
+instance=0
+Value=1","2015-01-08T11:35:05.904-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 11:43:05.897 -0800
+collection=NTDS
+object=NTDS
+counter=""LDAP Bind Time""
+instance=0
+Value=16","2015-01-08T11:43:05.897-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 12:42:55.900 -0800
+collection=NTDS
+object=NTDS
+counter=""DS Security Descriptor sub-operations/sec""
+instance=0
+Value=0.099958433285102732","2015-01-08T12:42:55.900-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 12:42:55.900 -0800
+collection=NTDS
+object=NTDS
+counter=""DS Directory Writes/sec""
+instance=0
+Value=0.099958433285102732","2015-01-08T12:42:55.900-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 12:42:55.900 -0800
+collection=NTDS
+object=NTDS
+counter=""SAM GC Evaluations/sec""
+instance=0
+Value=0.099958433285102732","2015-01-08T12:42:55.900-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 12:42:55.900 -0800
+collection=NTDS
+object=NTDS
+counter=""Database modifys/sec""
+instance=0
+Value=0.099958433285102732","2015-01-08T12:42:55.900-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:05.905 -0800
+collection=NTDS
+object=NTDS
+counter=""SAM Transitive Membership Evaluations/sec""
+instance=0
+Value=0.19990305901056343","2015-01-08T13:23:05.905-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:05.905 -0800
+collection=NTDS
+object=NTDS
+counter=""SAM Domain Local Group Membership Evaluations/sec""
+instance=0
+Value=0.19990305901056343","2015-01-08T13:23:05.905-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:05.905 -0800
+collection=NTDS
+object=NTDS
+counter=""DS Client Binds/sec""
+instance=0
+Value=0.29985458851584512","2015-01-08T13:23:05.905-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:05.905 -0800
+collection=NTDS
+object=NTDS
+counter=""DS Client Name Translations/sec""
+instance=0
+Value=0.19990305901056343","2015-01-08T13:23:05.905-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:05.905 -0800
+collection=NTDS
+object=NTDS
+counter=""Subtree searches/sec""
+instance=0
+Value=0.49975764752640855","2015-01-08T13:23:05.905-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:05.905 -0800
+collection=NTDS
+object=NTDS
+counter=""Onelevel searches/sec""
+instance=0
+Value=0.49975764752640855","2015-01-08T13:23:05.905-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""LDAP Client Sessions""
+instance=0
+Value=6","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""LDAP Searches/sec""
+instance=0
+Value=0.19980189043158039","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS Monitor List Size""
+instance=0
+Value=23","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS Search sub-operations/sec""
+instance=0
+Value=0.099900945215790196","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS Name Cache hit rate""
+instance=0
+Value=100","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DRA Highest USN Issued (Low part)""
+instance=0
+Value=13754","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DRA Highest USN Committed (Low part)""
+instance=0
+Value=13754","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS % Writes from SAM""
+instance=0
+Value=31.824234354194409","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS % Writes from LDAP""
+instance=0
+Value=31.824234354194409","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS % Writes from LSA""
+instance=0
+Value=1.5978695073235687","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS % Writes from KCC""
+instance=0
+Value=0.26631158455392812","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS % Writes Other""
+instance=0
+Value=33.954727030625833","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS % Searches from SAM""
+instance=0
+Value=0.36251921748771537","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS % Searches from LDAP""
+instance=0
+Value=85.941663513366905","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS % Searches from LSA""
+instance=0
+Value=0.82426814779141133","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS % Searches from KCC""
+instance=0
+Value=1.7615258619092855","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS % Searches Other""
+instance=0
+Value=0.9213809600673174","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS Directory Searches/sec""
+instance=0
+Value=0.099900945215790196","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS % Reads from SAM""
+instance=0
+Value=8.2577697791929126","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS % Reads from LSA""
+instance=0
+Value=11.123416626289195","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS % Reads from KCC""
+instance=0
+Value=65.795666920467923","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS % Reads Other""
+instance=0
+Value=14.823146674049974","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS Directory Reads/sec""
+instance=0
+Value=0.099900945215790196","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""LDAP Successful Binds/sec""
+instance=0
+Value=0.099900945215790196","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""ATQ Threads Total""
+instance=0
+Value=4","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""LDAP New Connections/sec""
+instance=0
+Value=0.099900945215790196","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""LDAP Closed Connections/sec""
+instance=0
+Value=0.099900945215790196","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS % Writes from NTDSAPI""
+instance=0
+Value=0.53262316910785623","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""DS % Searches from NTDSAPI""
+instance=0
+Value=10.188642299377367","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""Negotiated Binds/sec""
+instance=0
+Value=0.099900945215790196","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""Base searches/sec""
+instance=0
+Value=0.099900945215790196","2015-01-08T13:23:15.910-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:NTDS","Perfmon:NTDS","01/08/2015 13:23:15.910 -0800
+collection=NTDS
+object=NTDS
+counter=""Approximate highest DNT""
+instance=0
+Value=4106","2015-01-08T13:23:15.910-0800"

deployment-apps/Splunk_TA_microsoft_ad_FW_Other/samples/perfmon-Network_Interface.csv

@@ -0,0 +1,601 @@
+index,host,source,sourcetype,"_raw","_time"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:35.900 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Outbound Errors""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=1","2015-01-08T08:57:35.900-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:35.900 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=isatap.sv.splunk.com
+Value=100000","2015-01-08T08:57:35.900-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:45.902 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Total/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=1529.8530970086738","2015-01-08T08:57:45.902-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:45.902 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=Packets/sec
+instance=""Microsoft Hyper-V Network Adapter""
+Value=5.0991770438168977","2015-01-08T08:57:45.902-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:45.902 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=5.0991770438168977","2015-01-08T08:57:45.902-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:45.902 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=10000000000","2015-01-08T08:57:45.902-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:45.902 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=1529.8530970086738","2015-01-08T08:57:45.902-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:45.902 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received Non-Unicast/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=5.0991770438168977","2015-01-08T08:57:45.902-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:45.902 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=100000","2015-01-08T08:57:45.902-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:45.902 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Outbound Errors""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=1","2015-01-08T08:57:45.902-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:45.902 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=isatap.sv.splunk.com
+Value=100000","2015-01-08T08:57:45.902-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:55.900 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Total/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=2872.6871895740651","2015-01-08T08:57:55.900-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:55.900 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=Packets/sec
+instance=""Microsoft Hyper-V Network Adapter""
+Value=9.6996190959581003","2015-01-08T08:57:55.900-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:55.900 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=9.6996190959581003","2015-01-08T08:57:55.900-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:55.900 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=10000000000","2015-01-08T08:57:55.900-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:55.900 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=2872.6871895740651","2015-01-08T08:57:55.900-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:55.900 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received Non-Unicast/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=9.6996190959581003","2015-01-08T08:57:55.900-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:55.900 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=100000","2015-01-08T08:57:55.900-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:55.900 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Outbound Errors""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=1","2015-01-08T08:57:55.900-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:57:55.900 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=isatap.sv.splunk.com
+Value=100000","2015-01-08T08:57:55.900-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:05.899 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Total/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=1638.2918550198196","2015-01-08T08:58:05.899-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:05.899 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=Packets/sec
+instance=""Microsoft Hyper-V Network Adapter""
+Value=7.3990599494334246","2015-01-08T08:58:05.899-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:05.899 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=7.3990599494334246","2015-01-08T08:58:05.899-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:05.899 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=10000000000","2015-01-08T08:58:05.899-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:05.899 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=1638.2918550198196","2015-01-08T08:58:05.899-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:05.899 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received Non-Unicast/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=7.3990599494334246","2015-01-08T08:58:05.899-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:05.899 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=100000","2015-01-08T08:58:05.899-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:05.899 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Outbound Errors""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=1","2015-01-08T08:58:05.899-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:05.899 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=isatap.sv.splunk.com
+Value=100000","2015-01-08T08:58:05.899-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:15.897 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Total/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=595.90854474142463","2015-01-08T08:58:15.897-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:15.897 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=Packets/sec
+instance=""Microsoft Hyper-V Network Adapter""
+Value=3.3006012045094013","2015-01-08T08:58:15.897-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:15.897 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=3.3006012045094013","2015-01-08T08:58:15.897-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:15.897 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=10000000000","2015-01-08T08:58:15.897-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:15.897 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=595.90854474142463","2015-01-08T08:58:15.897-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:15.897 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received Non-Unicast/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=3.3006012045094013","2015-01-08T08:58:15.897-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:15.897 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=100000","2015-01-08T08:58:15.897-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:15.897 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Outbound Errors""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=1","2015-01-08T08:58:15.897-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:15.897 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=isatap.sv.splunk.com
+Value=100000","2015-01-08T08:58:15.897-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:25.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Total/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=704.46304386871861","2015-01-08T08:58:25.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:25.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=Packets/sec
+instance=""Microsoft Hyper-V Network Adapter""
+Value=4.1997796795580102","2015-01-08T08:58:25.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:25.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=4.1997796795580102","2015-01-08T08:58:25.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:25.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=10000000000","2015-01-08T08:58:25.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:25.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=704.46304386871861","2015-01-08T08:58:25.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:25.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received Non-Unicast/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=4.1997796795580102","2015-01-08T08:58:25.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:25.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=100000","2015-01-08T08:58:25.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:25.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Outbound Errors""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=1","2015-01-08T08:58:25.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:25.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=isatap.sv.splunk.com
+Value=100000","2015-01-08T08:58:25.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:35.913 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Total/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=1192.2075493465447","2015-01-08T08:58:35.913-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:35.913 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=Packets/sec
+instance=""Microsoft Hyper-V Network Adapter""
+Value=6.689381610101206","2015-01-08T08:58:35.913-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:35.913 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=5.591124927845784","2015-01-08T08:58:35.913-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:35.913 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Sent/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=1.0982566822554218","2015-01-08T08:58:35.913-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:35.913 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=10000000000","2015-01-08T08:58:35.913-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:35.913 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=1105.5451129649352","2015-01-08T08:58:35.913-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:35.913 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received Non-Unicast/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=5.591124927845784","2015-01-08T08:58:35.913-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:35.913 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Sent/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=86.662436381609652","2015-01-08T08:58:35.913-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:35.913 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Sent Non-Unicast/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=1.0982566822554218","2015-01-08T08:58:35.913-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:35.913 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=100000","2015-01-08T08:58:35.913-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:35.913 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Outbound Errors""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=1","2015-01-08T08:58:35.913-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:35.913 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=isatap.sv.splunk.com
+Value=100000","2015-01-08T08:58:35.913-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:45.898 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Total/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=1800.8628638823084","2015-01-08T08:58:45.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:45.898 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=Packets/sec
+instance=""Microsoft Hyper-V Network Adapter""
+Value=9.6142161568625077","2015-01-08T08:58:45.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:45.898 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=9.6142161568625077","2015-01-08T08:58:45.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:45.898 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=10000000000","2015-01-08T08:58:45.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:45.898 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=1800.8628638823084","2015-01-08T08:58:45.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:45.898 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received Non-Unicast/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=9.6142161568625077","2015-01-08T08:58:45.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:45.898 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=100000","2015-01-08T08:58:45.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:45.898 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Outbound Errors""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=1","2015-01-08T08:58:45.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:45.898 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=isatap.sv.splunk.com
+Value=100000","2015-01-08T08:58:45.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:55.908 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Total/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=1689.493548428871","2015-01-08T08:58:55.908-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:55.908 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=Packets/sec
+instance=""Microsoft Hyper-V Network Adapter""
+Value=8.39350946699936","2015-01-08T08:58:55.908-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:55.908 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=8.39350946699936","2015-01-08T08:58:55.908-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:55.908 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=10000000000","2015-01-08T08:58:55.908-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:55.908 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=1689.493548428871","2015-01-08T08:58:55.908-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:55.908 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received Non-Unicast/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=8.39350946699936","2015-01-08T08:58:55.908-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:55.908 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=100000","2015-01-08T08:58:55.908-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:55.908 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Outbound Errors""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=1","2015-01-08T08:58:55.908-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:58:55.908 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=isatap.sv.splunk.com
+Value=100000","2015-01-08T08:58:55.908-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:05.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Total/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=3277.0170112259821","2015-01-08T08:59:05.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:05.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=Packets/sec
+instance=""Microsoft Hyper-V Network Adapter""
+Value=14.010761385605054","2015-01-08T08:59:05.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:05.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=10.307917305123718","2015-01-08T08:59:05.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:05.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Sent/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=3.7028440804813356","2015-01-08T08:59:05.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:05.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=10000000000","2015-01-08T08:59:05.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:05.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=2692.3679539780915","2015-01-08T08:59:05.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:05.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received Unicast/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=3.5026903464012635","2015-01-08T08:59:05.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:05.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received Non-Unicast/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=6.8052269587224554","2015-01-08T08:59:05.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:05.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Sent/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=584.64905724789094","2015-01-08T08:59:05.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:05.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Sent Unicast/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=3.6027672134412998","2015-01-08T08:59:05.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:05.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Sent Non-Unicast/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=0.1000768670400361","2015-01-08T08:59:05.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:05.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=100000","2015-01-08T08:59:05.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:05.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Outbound Errors""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=1","2015-01-08T08:59:05.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:05.896 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=isatap.sv.splunk.com
+Value=100000","2015-01-08T08:59:05.896-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:15.899 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Total/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=945.11287219552071","2015-01-08T08:59:15.899-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:15.899 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=Packets/sec
+instance=""Microsoft Hyper-V Network Adapter""
+Value=4.7960056946172953","2015-01-08T08:59:15.899-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:15.899 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=4.7960056946172953","2015-01-08T08:59:15.899-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:15.899 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=10000000000","2015-01-08T08:59:15.899-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:15.899 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Bytes Received/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=945.11287219552071","2015-01-08T08:59:15.899-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:15.899 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Received Non-Unicast/sec""
+instance=""Microsoft Hyper-V Network Adapter""
+Value=4.7960056946172953","2015-01-08T08:59:15.899-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:15.899 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=100000","2015-01-08T08:59:15.899-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:15.899 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Packets Outbound Errors""
+instance=""Teredo Tunneling Pseudo-Interface""
+Value=1","2015-01-08T08:59:15.899-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Network_Interface","Perfmon:Network_Interface","01/08/2015 08:59:15.899 -0800
+collection=Network_Interface
+object=""Network Interface""
+counter=""Current Bandwidth""
+instance=isatap.sv.splunk.com
+Value=100000","2015-01-08T08:59:15.899-0800"

deployment-apps/Splunk_TA_microsoft_ad_FW_Other/samples/perfmon-Processor.csv

@@ -0,0 +1,601 @@
+index,host,source,sourcetype,"_raw","_time"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% Idle Time""
+instance=0
+Value=67.621733062522324","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% C1 Time""
+instance=0
+Value=13.80635534591949","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% C2 Time""
+instance=0
+Value=53.815377716602839","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""C1 Transitions/sec""
+instance=0
+Value=52.971034378980889","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""C2 Transitions/sec""
+instance=0
+Value=222.87812578325921","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% Processor Time""
+instance=1
+Value=29.278552056381123","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% User Time""
+instance=1
+Value=28.413473566751957","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% Privileged Time""
+instance=1
+Value=0.93670791978303147","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=Interrupts/sec
+instance=1
+Value=421.76936807414972","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""DPCs Queued/sec""
+instance=1
+Value=2.3986883492368705","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% Idle Time""
+instance=1
+Value=68.450316412441637","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% C1 Time""
+instance=1
+Value=10.044048752374991","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% C2 Time""
+instance=1
+Value=58.406267660066646","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""C1 Transitions/sec""
+instance=1
+Value=34.980871759704364","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""C2 Transitions/sec""
+instance=1
+Value=178.70228201814686","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% Processor Time""
+instance=2
+Value=53.00848602421793","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% User Time""
+instance=2
+Value=52.143407534588746","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% Privileged Time""
+instance=2
+Value=0.93670791978303147","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=Interrupts/sec
+instance=2
+Value=323.32320040755314","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""DPCs Queued/sec""
+instance=2
+Value=5.2971034378980892","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% Idle Time""
+instance=2
+Value=45.186218533607978","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% C1 Time""
+instance=2
+Value=19.985201513600099","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% C2 Time""
+instance=2
+Value=25.201017020007882","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""C1 Transitions/sec""
+instance=2
+Value=87.452179399260899","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""C2 Transitions/sec""
+instance=2
+Value=79.756387612125948","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% Processor Time""
+instance=3
+Value=53.476839984109439","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% User Time""
+instance=3
+Value=50.738345654914205","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% Privileged Time""
+instance=3
+Value=2.8101237593490946","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=Interrupts/sec
+instance=3
+Value=305.03320174462203","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""DPCs Queued/sec""
+instance=3
+Value=7.1960650477106114","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% Idle Time""
+instance=3
+Value=43.503773209374152","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% C1 Time""
+instance=3
+Value=23.701992595061615","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% C2 Time""
+instance=3
+Value=19.801780614312538","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""C1 Transitions/sec""
+instance=3
+Value=83.054584092326635","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""C2 Transitions/sec""
+instance=3
+Value=72.56032256441533","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% Processor Time""
+instance=_Total
+Value=41.299637026930029","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% User Time""
+instance=_Total
+Value=39.88814558409409","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% Privileged Time""
+instance=_Total
+Value=1.4831208729897998","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=Interrupts/sec
+instance=_Total
+Value=1626.7104821741377","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""DPCs Queued/sec""
+instance=_Total
+Value=85.85305383310299","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""DPC Rate""
+instance=_Total
+Value=1","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% Idle Time""
+instance=_Total
+Value=56.19051030448653","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% C1 Time""
+instance=_Total
+Value=16.884399551739047","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""% C2 Time""
+instance=_Total
+Value=39.306110752747472","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""C1 Transitions/sec""
+instance=_Total
+Value=258.45866963027277","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:45.911 -0800
+collection=Processor
+object=Processor
+counter=""C2 Transitions/sec""
+instance=_Total
+Value=553.89711797794735","2015-01-06T16:07:45.911-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% Processor Time""
+instance=0
+Value=34.914622303244947","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% User Time""
+instance=0
+Value=33.168509787769402","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% Privileged Time""
+instance=0
+Value=1.7210075833276575","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=Interrupts/sec
+instance=0
+Value=823.56220066152093","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% DPC Time""
+instance=0
+Value=0.31291046969593778","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""DPCs Queued/sec""
+instance=0
+Value=143.26738501661032","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""DPC Rate""
+instance=0
+Value=3","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% Idle Time""
+instance=0
+Value=60.557508128012159","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% C1 Time""
+instance=0
+Value=17.873095569305907","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% C2 Time""
+instance=0
+Value=42.684412558706256","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""C1 Transitions/sec""
+instance=0
+Value=112.03089017022148","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""C2 Transitions/sec""
+instance=0
+Value=282.22974029477604","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% Processor Time""
+instance=1
+Value=31.159696666893698","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% User Time""
+instance=1
+Value=29.570039386266117","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% Privileged Time""
+instance=1
+Value=1.5645523484796888","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=Interrupts/sec
+instance=1
+Value=620.82533507197809","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""DPCs Queued/sec""
+instance=1
+Value=4.204912767783112","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% Idle Time""
+instance=1
+Value=61.47471430072541","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% C1 Time""
+instance=1
+Value=12.921011524497604","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% C2 Time""
+instance=1
+Value=48.553702776227802","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""C1 Transitions/sec""
+instance=1
+Value=94.910888187104533","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""C2 Transitions/sec""
+instance=1
+Value=233.87324346527024","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% Processor Time""
+instance=2
+Value=50.873056257737773","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% User Time""
+instance=2
+Value=48.814033272566284","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% Privileged Time""
+instance=2
+Value=2.0339180530235956","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=Interrupts/sec
+instance=2
+Value=489.37175259342501","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""DPCs Queued/sec""
+instance=2
+Value=6.9080709756436844","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% Idle Time""
+instance=2
+Value=46.665294600150588","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% C1 Time""
+instance=2
+Value=18.364897705512139","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% C2 Time""
+instance=2
+Value=28.300396894638446","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""C1 Transitions/sec""
+instance=2
+Value=118.63861023388066","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""C2 Transitions/sec""
+instance=2
+Value=149.57475416828498","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% Processor Time""
+instance=3
+Value=61.981377931943562","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% User Time""
+instance=3
+Value=58.514257833140363","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% Privileged Time""
+instance=3
+Value=3.4420151666553149","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=Interrupts/sec
+instance=3
+Value=402.77057297122525","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""DPCs Queued/sec""
+instance=3
+Value=11.813802538057315","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% Idle Time""
+instance=3
+Value=35.490470689641256","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% C1 Time""
+instance=3
+Value=21.128300682268986","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% C2 Time""
+instance=3
+Value=14.362170007372271","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""C1 Transitions/sec""
+instance=3
+Value=115.23463323138957","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""C2 Transitions/sec""
+instance=3
+Value=82.095915942432185","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% Processor Time""
+instance=_Total
+Value=44.732187789298251","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% User Time""
+instance=_Total
+Value=42.516710570592295","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% Privileged Time""
+instance=_Total
+Value=2.190373287871564","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=Interrupts/sec
+instance=_Total
+Value=2336.5298612981492","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% DPC Time""
+instance=_Total
+Value=0.078227617423984444","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""DPCs Queued/sec""
+instance=_Total
+Value=166.19417129809443","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""DPC Rate""
+instance=_Total
+Value=3","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% Idle Time""
+instance=_Total
+Value=51.046996428975596","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% C1 Time""
+instance=_Total
+Value=17.571826370396156","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""% C2 Time""
+instance=_Total
+Value=33.475170058579444","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""C1 Transitions/sec""
+instance=_Total
+Value=440.81502182259624","2015-01-06T16:07:55.898-0800"
+perfmon,"WIN-6LR3JNJ6LVD","Perfmon:Processor","Perfmon:Processor","01/06/2015 16:07:55.898 -0800
+collection=Processor
+object=Processor
+counter=""C2 Transitions/sec""
+instance=_Total
+Value=747.77365387076338","2015-01-06T16:07:55.898-0800"

deployment-apps/Splunk_TA_microsoft_ad_FW_Other/samples/sourcetype-ActiveDirectory.csv

@@ -0,0 +1,793 @@
+index,host,source,sourcetype,_raw,_time
+msad,WIN-6LR3JNJ6LVD,ActiveDirectory,ActiveDirectory,"12/29/2014 16:55:55.145
+dcName=LDAP://WIN-6LR3JNJ6LVD.spl.com/
+admonEventType=schema
+className=pKIEnrollmentService
+classCN=PKI-Enrollment-Service
+instanceType=MandatoryProperties
+nTSecurityDescriptor=MandatoryProperties
+objectCategory=MandatoryProperties
+objectClass=MandatoryProperties
+instanceType=OptionalProperties
+nTSecurityDescriptor=OptionalProperties
+objectCategory=OptionalProperties
+objectClass=OptionalProperties
+adminDescription=OptionalProperties
+adminDisplayName=OptionalProperties
+allowedAttributes=OptionalProperties
+allowedAttributesEffective=OptionalProperties
+allowedChildClasses=OptionalProperties
+allowedChildClassesEffective=OptionalProperties
+bridgeheadServerListBL=OptionalProperties
+cACertificate=OptionalProperties
+cACertificateDN=OptionalProperties
+canonicalName=OptionalProperties
+certificateTemplates=OptionalProperties
+cn=OptionalProperties
+createTimeStamp=OptionalProperties
+description=OptionalProperties
+directReports=OptionalProperties
+displayName=OptionalProperties
+displayNamePrintable=OptionalProperties
+distinguishedName=OptionalProperties
+dNSHostName=OptionalProperties
+dSASignature=OptionalProperties
+dSCorePropagationData=OptionalProperties
+enrollmentProviders=OptionalProperties
+extensionName=OptionalProperties
+flags=OptionalProperties
+fromEntry=OptionalProperties
+frsComputerReferenceBL=OptionalProperties
+fRSMemberReferenceBL=OptionalProperties
+fSMORoleOwner=OptionalProperties
+isCriticalSystemObject=OptionalProperties
+isDeleted=OptionalProperties
+isPrivilegeHolder=OptionalProperties
+isRecycled=OptionalProperties
+lastKnownParent=OptionalProperties
+managedObjects=OptionalProperties
+masteredBy=OptionalProperties
+memberOf=OptionalProperties
+modifyTimeStamp=OptionalProperties
+mS-DS-ConsistencyChildCount=OptionalProperties
+mS-DS-ConsistencyGuid=OptionalProperties
+msCOM-PartitionSetLink=OptionalProperties
+msCOM-UserLink=OptionalProperties
+msDFSR-ComputerReferenceBL=OptionalProperties
+msDFSR-MemberReferenceBL=OptionalProperties
+msDS-Approx-Immed-Subordinates=OptionalProperties
+msDS-AuthenticatedToAccountlist=OptionalProperties
+msDS-ClaimSharesPossibleValuesWithBL=OptionalProperties
+msDS-EnabledFeatureBL=OptionalProperties
+msDS-HostServiceAccountBL=OptionalProperties
+msDS-IsDomainFor=OptionalProperties
+msDS-IsFullReplicaFor=OptionalProperties
+msDS-IsPartialReplicaFor=OptionalProperties
+msDS-IsPrimaryComputerFor=OptionalProperties
+msDS-KrbTgtLinkBl=OptionalProperties
+msDS-LastKnownRDN=OptionalProperties
+msDS-LocalEffectiveDeletionTime=OptionalProperties
+msDS-LocalEffectiveRecycleTime=OptionalProperties
+msDs-masteredBy=OptionalProperties
+msds-memberOfTransitive=OptionalProperties
+msDS-MembersForAzRoleBL=OptionalProperties
+msDS-MembersOfResourcePropertyListBL=OptionalProperties
+msds-memberTransitive=OptionalProperties
+msDS-NC-RO-Replica-Locations-BL=OptionalProperties
+msDS-NCReplCursors=OptionalProperties
+msDS-NCReplInboundNeighbors=OptionalProperties
+msDS-NCReplOutboundNeighbors=OptionalProperties
+msDS-NcType=OptionalProperties
+msDS-NonMembersBL=OptionalProperties
+msDS-ObjectReferenceBL=OptionalProperties
+msDS-OIDToGroupLinkBl=OptionalProperties
+msDS-OperationsForAzRoleBL=OptionalProperties
+msDS-OperationsForAzTaskBL=OptionalProperties
+msDS-parentdistname=OptionalProperties
+msDS-PrincipalName=OptionalProperties
+msDS-PSOApplied=OptionalProperties
+msDS-ReplAttributeMetaData=OptionalProperties
+msDS-ReplValueMetaData=OptionalProperties
+msDS-ReplValueMetaDataExt=OptionalProperties
+msDS-RevealedDSAs=OptionalProperties
+msDS-RevealedListBL=OptionalProperties
+msDS-TasksForAzRoleBL=OptionalProperties
+msDS-TasksForAzTaskBL=OptionalProperties
+msDS-TDOEgressBL=OptionalProperties
+msDS-TDOIngressBL=OptionalProperties
+msDS-ValueTypeReferenceBL=OptionalProperties
+msPKI-Enrollment-Servers=OptionalProperties
+msPKI-Site-Name=OptionalProperties
+msSFU30PosixMemberOf=OptionalProperties
+name=OptionalProperties
+netbootSCPBL=OptionalProperties
+nonSecurityMemberBL=OptionalProperties
+objectGUID=OptionalProperties
+objectVersion=OptionalProperties
+otherWellKnownObjects=OptionalProperties
+ownerBL=OptionalProperties
+partialAttributeDeletionList=OptionalProperties
+partialAttributeSet=OptionalProperties
+possibleInferiors=OptionalProperties
+proxiedObjectName=OptionalProperties
+proxyAddresses=OptionalProperties
+queryPolicyBL=OptionalProperties
+replPropertyMetaData=OptionalProperties
+replUpToDateVector=OptionalProperties
+repsFrom=OptionalProperties
+repsTo=OptionalProperties
+revision=OptionalProperties
+sDRightsEffective=OptionalProperties
+serverReferenceBL=OptionalProperties
+showInAdvancedViewOnly=OptionalProperties
+signatureAlgorithms=OptionalProperties
+siteObjectBL=OptionalProperties
+structuralObjectClass=OptionalProperties
+subRefs=OptionalProperties
+subSchemaSubEntry=OptionalProperties
+systemFlags=OptionalProperties
+url=OptionalProperties
+uSNChanged=OptionalProperties
+uSNCreated=OptionalProperties
+uSNDSALastObjRemoved=OptionalProperties
+USNIntersite=OptionalProperties
+uSNLastObjRem=OptionalProperties
+uSNSource=OptionalProperties
+wbemPath=OptionalProperties
+wellKnownObjects=OptionalProperties
+whenChanged=OptionalProperties
+whenCreated=OptionalProperties
+wWWHomePage=OptionalProperties",2014-12-29T16:55:55.145-0800
+msad,WIN-6LR3JNJ6LVD,ActiveDirectory,ActiveDirectory,"12/29/2014 16:55:55.145
+dcName=LDAP://WIN-6LR3JNJ6LVD.spl.com/
+admonEventType=schema
+className=msPKI-PrivateKeyRecoveryAgent
+classCN=ms-PKI-Private-Key-Recovery-Agent
+instanceType=MandatoryProperties
+nTSecurityDescriptor=MandatoryProperties
+objectCategory=MandatoryProperties
+objectClass=MandatoryProperties
+userCertificate=MandatoryProperties
+instanceType=OptionalProperties
+nTSecurityDescriptor=OptionalProperties
+objectCategory=OptionalProperties
+objectClass=OptionalProperties
+userCertificate=OptionalProperties
+adminDescription=OptionalProperties
+adminDisplayName=OptionalProperties
+allowedAttributes=OptionalProperties
+allowedAttributesEffective=OptionalProperties
+allowedChildClasses=OptionalProperties
+allowedChildClassesEffective=OptionalProperties
+bridgeheadServerListBL=OptionalProperties
+canonicalName=OptionalProperties
+cn=OptionalProperties
+createTimeStamp=OptionalProperties
+description=OptionalProperties
+directReports=OptionalProperties
+displayName=OptionalProperties
+displayNamePrintable=OptionalProperties
+distinguishedName=OptionalProperties
+dSASignature=OptionalProperties
+dSCorePropagationData=OptionalProperties
+extensionName=OptionalProperties
+flags=OptionalProperties
+fromEntry=OptionalProperties
+frsComputerReferenceBL=OptionalProperties
+fRSMemberReferenceBL=OptionalProperties
+fSMORoleOwner=OptionalProperties
+isCriticalSystemObject=OptionalProperties
+isDeleted=OptionalProperties
+isPrivilegeHolder=OptionalProperties
+isRecycled=OptionalProperties
+lastKnownParent=OptionalProperties
+managedObjects=OptionalProperties
+masteredBy=OptionalProperties
+memberOf=OptionalProperties
+modifyTimeStamp=OptionalProperties
+mS-DS-ConsistencyChildCount=OptionalProperties
+mS-DS-ConsistencyGuid=OptionalProperties
+msCOM-PartitionSetLink=OptionalProperties
+msCOM-UserLink=OptionalProperties
+msDFSR-ComputerReferenceBL=OptionalProperties
+msDFSR-MemberReferenceBL=OptionalProperties
+msDS-Approx-Immed-Subordinates=OptionalProperties
+msDS-AuthenticatedToAccountlist=OptionalProperties
+msDS-ClaimSharesPossibleValuesWithBL=OptionalProperties
+msDS-EnabledFeatureBL=OptionalProperties
+msDS-HostServiceAccountBL=OptionalProperties
+msDS-IsDomainFor=OptionalProperties
+msDS-IsFullReplicaFor=OptionalProperties
+msDS-IsPartialReplicaFor=OptionalProperties
+msDS-IsPrimaryComputerFor=OptionalProperties
+msDS-KrbTgtLinkBl=OptionalProperties
+msDS-LastKnownRDN=OptionalProperties
+msDS-LocalEffectiveDeletionTime=OptionalProperties
+msDS-LocalEffectiveRecycleTime=OptionalProperties
+msDs-masteredBy=OptionalProperties
+msds-memberOfTransitive=OptionalProperties
+msDS-MembersForAzRoleBL=OptionalProperties
+msDS-MembersOfResourcePropertyListBL=OptionalProperties
+msds-memberTransitive=OptionalProperties
+msDS-NC-RO-Replica-Locations-BL=OptionalProperties
+msDS-NCReplCursors=OptionalProperties
+msDS-NCReplInboundNeighbors=OptionalProperties
+msDS-NCReplOutboundNeighbors=OptionalProperties
+msDS-NcType=OptionalProperties
+msDS-NonMembersBL=OptionalProperties
+msDS-ObjectReferenceBL=OptionalProperties
+msDS-OIDToGroupLinkBl=OptionalProperties
+msDS-OperationsForAzRoleBL=OptionalProperties
+msDS-OperationsForAzTaskBL=OptionalProperties
+msDS-parentdistname=OptionalProperties
+msDS-PrincipalName=OptionalProperties
+msDS-PSOApplied=OptionalProperties
+msDS-ReplAttributeMetaData=OptionalProperties
+msDS-ReplValueMetaData=OptionalProperties
+msDS-ReplValueMetaDataExt=OptionalProperties
+msDS-RevealedDSAs=OptionalProperties
+msDS-RevealedListBL=OptionalProperties
+msDS-TasksForAzRoleBL=OptionalProperties
+msDS-TasksForAzTaskBL=OptionalProperties
+msDS-TDOEgressBL=OptionalProperties
+msDS-TDOIngressBL=OptionalProperties
+msDS-ValueTypeReferenceBL=OptionalProperties
+msSFU30PosixMemberOf=OptionalProperties
+name=OptionalProperties
+netbootSCPBL=OptionalProperties
+nonSecurityMemberBL=OptionalProperties
+objectGUID=OptionalProperties
+objectVersion=OptionalProperties
+otherWellKnownObjects=OptionalProperties
+ownerBL=OptionalProperties
+partialAttributeDeletionList=OptionalProperties
+partialAttributeSet=OptionalProperties
+possibleInferiors=OptionalProperties
+proxiedObjectName=OptionalProperties
+proxyAddresses=OptionalProperties
+queryPolicyBL=OptionalProperties
+replPropertyMetaData=OptionalProperties
+replUpToDateVector=OptionalProperties
+repsFrom=OptionalProperties
+repsTo=OptionalProperties
+revision=OptionalProperties
+sDRightsEffective=OptionalProperties
+serverReferenceBL=OptionalProperties
+showInAdvancedViewOnly=OptionalProperties
+siteObjectBL=OptionalProperties
+structuralObjectClass=OptionalProperties
+subRefs=OptionalProperties
+subSchemaSubEntry=OptionalProperties
+systemFlags=OptionalProperties
+url=OptionalProperties
+uSNChanged=OptionalProperties
+uSNCreated=OptionalProperties
+uSNDSALastObjRemoved=OptionalProperties
+USNIntersite=OptionalProperties
+uSNLastObjRem=OptionalProperties
+uSNSource=OptionalProperties
+wbemPath=OptionalProperties
+wellKnownObjects=OptionalProperties
+whenChanged=OptionalProperties
+whenCreated=OptionalProperties
+wWWHomePage=OptionalProperties",2014-12-29T16:55:55.145-0800
+msad,WIN-6LR3JNJ6LVD,ActiveDirectory,ActiveDirectory,"12/29/2014 16:55:55.145
+dcName=LDAP://WIN-6LR3JNJ6LVD.spl.com/
+admonEventType=schema
+className=printQueue
+classCN=Print-Queue
+cn=MandatoryProperties
+instanceType=MandatoryProperties
+nTSecurityDescriptor=MandatoryProperties
+objectCategory=MandatoryProperties
+objectClass=MandatoryProperties
+printerName=MandatoryProperties
+serverName=MandatoryProperties
+shortServerName=MandatoryProperties
+uNCName=MandatoryProperties
+versionNumber=MandatoryProperties
+cn=OptionalProperties
+instanceType=OptionalProperties
+nTSecurityDescriptor=OptionalProperties
+objectCategory=OptionalProperties
+objectClass=OptionalProperties
+printerName=OptionalProperties
+serverName=OptionalProperties
+shortServerName=OptionalProperties
+uNCName=OptionalProperties
+versionNumber=OptionalProperties
+adminDescription=OptionalProperties
+adminDisplayName=OptionalProperties
+allowedAttributes=OptionalProperties
+allowedAttributesEffective=OptionalProperties
+allowedChildClasses=OptionalProperties
+allowedChildClassesEffective=OptionalProperties
+assetNumber=OptionalProperties
+bridgeheadServerListBL=OptionalProperties
+bytesPerMinute=OptionalProperties
+canonicalName=OptionalProperties
+createTimeStamp=OptionalProperties
+defaultPriority=OptionalProperties
+description=OptionalProperties
+directReports=OptionalProperties
+displayName=OptionalProperties
+displayNamePrintable=OptionalProperties
+distinguishedName=OptionalProperties
+driverName=OptionalProperties
+driverVersion=OptionalProperties
+dSASignature=OptionalProperties
+dSCorePropagationData=OptionalProperties
+extensionName=OptionalProperties
+flags=OptionalProperties
+fromEntry=OptionalProperties
+frsComputerReferenceBL=OptionalProperties
+fRSMemberReferenceBL=OptionalProperties
+fSMORoleOwner=OptionalProperties
+isCriticalSystemObject=OptionalProperties
+isDeleted=OptionalProperties
+isPrivilegeHolder=OptionalProperties
+isRecycled=OptionalProperties
+keywords=OptionalProperties
+lastKnownParent=OptionalProperties
+location=OptionalProperties
+managedBy=OptionalProperties
+managedObjects=OptionalProperties
+masteredBy=OptionalProperties
+memberOf=OptionalProperties
+modifyTimeStamp=OptionalProperties
+mS-DS-ConsistencyChildCount=OptionalProperties
+mS-DS-ConsistencyGuid=OptionalProperties
+msCOM-PartitionSetLink=OptionalProperties
+msCOM-UserLink=OptionalProperties
+msDFSR-ComputerReferenceBL=OptionalProperties
+msDFSR-MemberReferenceBL=OptionalProperties
+msDS-Approx-Immed-Subordinates=OptionalProperties
+msDS-AuthenticatedToAccountlist=OptionalProperties
+msDS-ClaimSharesPossibleValuesWithBL=OptionalProperties
+msDS-EnabledFeatureBL=OptionalProperties
+msDS-HostServiceAccountBL=OptionalProperties
+msDS-IsDomainFor=OptionalProperties
+msDS-IsFullReplicaFor=OptionalProperties
+msDS-IsPartialReplicaFor=OptionalProperties
+msDS-IsPrimaryComputerFor=OptionalProperties
+msDS-KrbTgtLinkBl=OptionalProperties
+msDS-LastKnownRDN=OptionalProperties
+msDS-LocalEffectiveDeletionTime=OptionalProperties
+msDS-LocalEffectiveRecycleTime=OptionalProperties
+msDs-masteredBy=OptionalProperties
+msds-memberOfTransitive=OptionalProperties
+msDS-MembersForAzRoleBL=OptionalProperties
+msDS-MembersOfResourcePropertyListBL=OptionalProperties
+msds-memberTransitive=OptionalProperties
+msDS-NC-RO-Replica-Locations-BL=OptionalProperties
+msDS-NCReplCursors=OptionalProperties
+msDS-NCReplInboundNeighbors=OptionalProperties
+msDS-NCReplOutboundNeighbors=OptionalProperties
+msDS-NcType=OptionalProperties
+msDS-NonMembersBL=OptionalProperties
+msDS-ObjectReferenceBL=OptionalProperties
+msDS-OIDToGroupLinkBl=OptionalProperties
+msDS-OperationsForAzRoleBL=OptionalProperties
+msDS-OperationsForAzTaskBL=OptionalProperties
+msDS-parentdistname=OptionalProperties
+msDS-PrincipalName=OptionalProperties
+msDS-PSOApplied=OptionalProperties
+msDS-ReplAttributeMetaData=OptionalProperties
+msDS-ReplValueMetaData=OptionalProperties
+msDS-ReplValueMetaDataExt=OptionalProperties
+msDS-RevealedDSAs=OptionalProperties
+msDS-RevealedListBL=OptionalProperties
+msDS-Settings=OptionalProperties
+msDS-TasksForAzRoleBL=OptionalProperties
+msDS-TasksForAzTaskBL=OptionalProperties
+msDS-TDOEgressBL=OptionalProperties
+msDS-TDOIngressBL=OptionalProperties
+msDS-ValueTypeReferenceBL=OptionalProperties
+msSFU30PosixMemberOf=OptionalProperties
+name=OptionalProperties
+netbootSCPBL=OptionalProperties
+nonSecurityMemberBL=OptionalProperties
+objectGUID=OptionalProperties
+objectVersion=OptionalProperties
+operatingSystem=OptionalProperties
+operatingSystemHotfix=OptionalProperties
+operatingSystemServicePack=OptionalProperties
+operatingSystemVersion=OptionalProperties
+otherWellKnownObjects=OptionalProperties
+ownerBL=OptionalProperties
+partialAttributeDeletionList=OptionalProperties
+partialAttributeSet=OptionalProperties
+physicalLocationObject=OptionalProperties
+portName=OptionalProperties
+possibleInferiors=OptionalProperties
+printAttributes=OptionalProperties
+printBinNames=OptionalProperties
+printCollate=OptionalProperties
+printColor=OptionalProperties
+printDuplexSupported=OptionalProperties
+printEndTime=OptionalProperties
+printFormName=OptionalProperties
+printKeepPrintedJobs=OptionalProperties
+printLanguage=OptionalProperties
+printMACAddress=OptionalProperties
+printMaxCopies=OptionalProperties
+printMaxResolutionSupported=OptionalProperties
+printMaxXExtent=OptionalProperties
+printMaxYExtent=OptionalProperties
+printMediaReady=OptionalProperties
+printMediaSupported=OptionalProperties
+printMemory=OptionalProperties
+printMinXExtent=OptionalProperties
+printMinYExtent=OptionalProperties
+printNetworkAddress=OptionalProperties
+printNotify=OptionalProperties
+printNumberUp=OptionalProperties
+printOrientationsSupported=OptionalProperties
+printOwner=OptionalProperties
+printPagesPerMinute=OptionalProperties
+printRate=OptionalProperties
+printRateUnit=OptionalProperties
+printSeparatorFile=OptionalProperties
+printShareName=OptionalProperties
+printSpooling=OptionalProperties
+printStaplingSupported=OptionalProperties
+printStartTime=OptionalProperties
+printStatus=OptionalProperties
+priority=OptionalProperties
+proxiedObjectName=OptionalProperties
+proxyAddresses=OptionalProperties
+queryPolicyBL=OptionalProperties
+replPropertyMetaData=OptionalProperties
+replUpToDateVector=OptionalProperties
+repsFrom=OptionalProperties
+repsTo=OptionalProperties
+revision=OptionalProperties
+sDRightsEffective=OptionalProperties
+serverReferenceBL=OptionalProperties
+showInAdvancedViewOnly=OptionalProperties
+siteObjectBL=OptionalProperties
+structuralObjectClass=OptionalProperties
+subRefs=OptionalProperties
+subSchemaSubEntry=OptionalProperties
+systemFlags=OptionalProperties
+url=OptionalProperties
+uSNChanged=OptionalProperties
+uSNCreated=OptionalProperties
+uSNDSALastObjRemoved=OptionalProperties
+USNIntersite=OptionalProperties
+uSNLastObjRem=OptionalProperties
+uSNSource=OptionalProperties
+wbemPath=OptionalProperties
+wellKnownObjects=OptionalProperties
+whenChanged=OptionalProperties
+whenCreated=OptionalProperties
+wWWHomePage=OptionalProperties",2014-12-29T16:55:55.145-0800
+msad,WIN-6LR3JNJ6LVD,ActiveDirectory,ActiveDirectory,"12/29/2014 16:55:55.145
+dcName=LDAP://WIN-6LR3JNJ6LVD.spl.com/
+admonEventType=schema
+className=queryPolicy
+classCN=Query-Policy
+instanceType=MandatoryProperties
+nTSecurityDescriptor=MandatoryProperties
+objectCategory=MandatoryProperties
+objectClass=MandatoryProperties
+instanceType=OptionalProperties
+nTSecurityDescriptor=OptionalProperties
+objectCategory=OptionalProperties
+objectClass=OptionalProperties
+adminDescription=OptionalProperties
+adminDisplayName=OptionalProperties
+allowedAttributes=OptionalProperties
+allowedAttributesEffective=OptionalProperties
+allowedChildClasses=OptionalProperties
+allowedChildClassesEffective=OptionalProperties
+bridgeheadServerListBL=OptionalProperties
+canonicalName=OptionalProperties
+cn=OptionalProperties
+createTimeStamp=OptionalProperties
+description=OptionalProperties
+directReports=OptionalProperties
+displayName=OptionalProperties
+displayNamePrintable=OptionalProperties
+distinguishedName=OptionalProperties
+dSASignature=OptionalProperties
+dSCorePropagationData=OptionalProperties
+extensionName=OptionalProperties
+flags=OptionalProperties
+fromEntry=OptionalProperties
+frsComputerReferenceBL=OptionalProperties
+fRSMemberReferenceBL=OptionalProperties
+fSMORoleOwner=OptionalProperties
+isCriticalSystemObject=OptionalProperties
+isDeleted=OptionalProperties
+isPrivilegeHolder=OptionalProperties
+isRecycled=OptionalProperties
+lastKnownParent=OptionalProperties
+lDAPAdminLimits=OptionalProperties
+lDAPIPDenyList=OptionalProperties
+managedObjects=OptionalProperties
+masteredBy=OptionalProperties
+memberOf=OptionalProperties
+modifyTimeStamp=OptionalProperties
+mS-DS-ConsistencyChildCount=OptionalProperties
+mS-DS-ConsistencyGuid=OptionalProperties
+msCOM-PartitionSetLink=OptionalProperties
+msCOM-UserLink=OptionalProperties
+msDFSR-ComputerReferenceBL=OptionalProperties
+msDFSR-MemberReferenceBL=OptionalProperties
+msDS-Approx-Immed-Subordinates=OptionalProperties
+msDS-AuthenticatedToAccountlist=OptionalProperties
+msDS-ClaimSharesPossibleValuesWithBL=OptionalProperties
+msDS-EnabledFeatureBL=OptionalProperties
+msDS-HostServiceAccountBL=OptionalProperties
+msDS-IsDomainFor=OptionalProperties
+msDS-IsFullReplicaFor=OptionalProperties
+msDS-IsPartialReplicaFor=OptionalProperties
+msDS-IsPrimaryComputerFor=OptionalProperties
+msDS-KrbTgtLinkBl=OptionalProperties
+msDS-LastKnownRDN=OptionalProperties
+msDS-LocalEffectiveDeletionTime=OptionalProperties
+msDS-LocalEffectiveRecycleTime=OptionalProperties
+msDs-masteredBy=OptionalProperties
+msds-memberOfTransitive=OptionalProperties
+msDS-MembersForAzRoleBL=OptionalProperties
+msDS-MembersOfResourcePropertyListBL=OptionalProperties
+msds-memberTransitive=OptionalProperties
+msDS-NC-RO-Replica-Locations-BL=OptionalProperties
+msDS-NCReplCursors=OptionalProperties
+msDS-NCReplInboundNeighbors=OptionalProperties
+msDS-NCReplOutboundNeighbors=OptionalProperties
+msDS-NcType=OptionalProperties
+msDS-NonMembersBL=OptionalProperties
+msDS-ObjectReferenceBL=OptionalProperties
+msDS-OIDToGroupLinkBl=OptionalProperties
+msDS-OperationsForAzRoleBL=OptionalProperties
+msDS-OperationsForAzTaskBL=OptionalProperties
+msDS-parentdistname=OptionalProperties
+msDS-PrincipalName=OptionalProperties
+msDS-PSOApplied=OptionalProperties
+msDS-ReplAttributeMetaData=OptionalProperties
+msDS-ReplValueMetaData=OptionalProperties
+msDS-ReplValueMetaDataExt=OptionalProperties
+msDS-RevealedDSAs=OptionalProperties
+msDS-RevealedListBL=OptionalProperties
+msDS-TasksForAzRoleBL=OptionalProperties
+msDS-TasksForAzTaskBL=OptionalProperties
+msDS-TDOEgressBL=OptionalProperties
+msDS-TDOIngressBL=OptionalProperties
+msDS-ValueTypeReferenceBL=OptionalProperties
+msSFU30PosixMemberOf=OptionalProperties
+name=OptionalProperties
+netbootSCPBL=OptionalProperties
+nonSecurityMemberBL=OptionalProperties
+objectGUID=OptionalProperties
+objectVersion=OptionalProperties
+otherWellKnownObjects=OptionalProperties
+ownerBL=OptionalProperties
+partialAttributeDeletionList=OptionalProperties
+partialAttributeSet=OptionalProperties
+possibleInferiors=OptionalProperties
+proxiedObjectName=OptionalProperties
+proxyAddresses=OptionalProperties
+queryPolicyBL=OptionalProperties
+replPropertyMetaData=OptionalProperties
+replUpToDateVector=OptionalProperties
+repsFrom=OptionalProperties
+repsTo=OptionalProperties
+revision=OptionalProperties
+sDRightsEffective=OptionalProperties
+serverReferenceBL=OptionalProperties
+showInAdvancedViewOnly=OptionalProperties
+siteObjectBL=OptionalProperties
+structuralObjectClass=OptionalProperties
+subRefs=OptionalProperties
+subSchemaSubEntry=OptionalProperties
+systemFlags=OptionalProperties
+url=OptionalProperties
+uSNChanged=OptionalProperties
+uSNCreated=OptionalProperties
+uSNDSALastObjRemoved=OptionalProperties
+USNIntersite=OptionalProperties
+uSNLastObjRem=OptionalProperties
+uSNSource=OptionalProperties
+wbemPath=OptionalProperties
+wellKnownObjects=OptionalProperties
+whenChanged=OptionalProperties
+whenCreated=OptionalProperties
+wWWHomePage=OptionalProperties",2014-12-29T16:55:55.145-0800
+msad,WIN-6LR3JNJ6LVD,ActiveDirectory,ActiveDirectory,"12/29/2014 16:55:55.160
+dcName=LDAP://WIN-6LR3JNJ6LVD.spl.com/
+admonEventType=schema
+className=remoteMailRecipient
+classCN=Remote-Mail-Recipient
+cn=MandatoryProperties
+instanceType=MandatoryProperties
+nTSecurityDescriptor=MandatoryProperties
+objectCategory=MandatoryProperties
+objectClass=MandatoryProperties
+cn=OptionalProperties
+instanceType=OptionalProperties
+nTSecurityDescriptor=OptionalProperties
+objectCategory=OptionalProperties
+objectClass=OptionalProperties
+adminDescription=OptionalProperties
+adminDisplayName=OptionalProperties
+allowedAttributes=OptionalProperties
+allowedAttributesEffective=OptionalProperties
+allowedChildClasses=OptionalProperties
+allowedChildClassesEffective=OptionalProperties
+bridgeheadServerListBL=OptionalProperties
+canonicalName=OptionalProperties
+createTimeStamp=OptionalProperties
+description=OptionalProperties
+directReports=OptionalProperties
+displayName=OptionalProperties
+displayNamePrintable=OptionalProperties
+distinguishedName=OptionalProperties
+dSASignature=OptionalProperties
+dSCorePropagationData=OptionalProperties
+extensionName=OptionalProperties
+flags=OptionalProperties
+fromEntry=OptionalProperties
+frsComputerReferenceBL=OptionalProperties
+fRSMemberReferenceBL=OptionalProperties
+fSMORoleOwner=OptionalProperties
+garbageCollPeriod=OptionalProperties
+info=OptionalProperties
+isCriticalSystemObject=OptionalProperties
+isDeleted=OptionalProperties
+isPrivilegeHolder=OptionalProperties
+isRecycled=OptionalProperties
+labeledURI=OptionalProperties
+lastKnownParent=OptionalProperties
+legacyExchangeDN=OptionalProperties
+managedBy=OptionalProperties
+managedObjects=OptionalProperties
+masteredBy=OptionalProperties
+memberOf=OptionalProperties
+modifyTimeStamp=OptionalProperties
+mS-DS-ConsistencyChildCount=OptionalProperties
+mS-DS-ConsistencyGuid=OptionalProperties
+msCOM-PartitionSetLink=OptionalProperties
+msCOM-UserLink=OptionalProperties
+msDFSR-ComputerReferenceBL=OptionalProperties
+msDFSR-MemberReferenceBL=OptionalProperties
+msDS-Approx-Immed-Subordinates=OptionalProperties
+msDS-AuthenticatedToAccountlist=OptionalProperties
+msDS-ClaimSharesPossibleValuesWithBL=OptionalProperties
+msDS-EnabledFeatureBL=OptionalProperties
+msDS-GeoCoordinatesAltitude=OptionalProperties
+msDS-GeoCoordinatesLatitude=OptionalProperties
+msDS-GeoCoordinatesLongitude=OptionalProperties
+msDS-HostServiceAccountBL=OptionalProperties
+msDS-IsDomainFor=OptionalProperties
+msDS-IsFullReplicaFor=OptionalProperties
+msDS-IsPartialReplicaFor=OptionalProperties
+msDS-IsPrimaryComputerFor=OptionalProperties
+msDS-KrbTgtLinkBl=OptionalProperties
+msDS-LastKnownRDN=OptionalProperties
+msDS-LocalEffectiveDeletionTime=OptionalProperties
+msDS-LocalEffectiveRecycleTime=OptionalProperties
+msDs-masteredBy=OptionalProperties
+msds-memberOfTransitive=OptionalProperties
+msDS-MembersForAzRoleBL=OptionalProperties
+msDS-MembersOfResourcePropertyListBL=OptionalProperties
+msds-memberTransitive=OptionalProperties
+msDS-NC-RO-Replica-Locations-BL=OptionalProperties
+msDS-NCReplCursors=OptionalProperties
+msDS-NCReplInboundNeighbors=OptionalProperties
+msDS-NCReplOutboundNeighbors=OptionalProperties
+msDS-NcType=OptionalProperties
+msDS-NonMembersBL=OptionalProperties
+msDS-ObjectReferenceBL=OptionalProperties
+msDS-OIDToGroupLinkBl=OptionalProperties
+msDS-OperationsForAzRoleBL=OptionalProperties
+msDS-OperationsForAzTaskBL=OptionalProperties
+msDS-parentdistname=OptionalProperties
+msDS-PhoneticDisplayName=OptionalProperties
+msDS-PrincipalName=OptionalProperties
+msDS-PSOApplied=OptionalProperties
+msDS-ReplAttributeMetaData=OptionalProperties
+msDS-ReplValueMetaData=OptionalProperties
+msDS-ReplValueMetaDataExt=OptionalProperties
+msDS-RevealedDSAs=OptionalProperties
+msDS-RevealedListBL=OptionalProperties
+msDS-TasksForAzRoleBL=OptionalProperties
+msDS-TasksForAzTaskBL=OptionalProperties
+msDS-TDOEgressBL=OptionalProperties
+msDS-TDOIngressBL=OptionalProperties
+msDS-ValueTypeReferenceBL=OptionalProperties
+msExchAssistantName=OptionalProperties
+msExchLabeledURI=OptionalProperties
+msSFU30PosixMemberOf=OptionalProperties
+name=OptionalProperties
+netbootSCPBL=OptionalProperties
+nonSecurityMemberBL=OptionalProperties
+objectGUID=OptionalProperties
+objectVersion=OptionalProperties
+otherWellKnownObjects=OptionalProperties
+ownerBL=OptionalProperties
+partialAttributeDeletionList=OptionalProperties
+partialAttributeSet=OptionalProperties
+possibleInferiors=OptionalProperties
+proxiedObjectName=OptionalProperties
+proxyAddresses=OptionalProperties
+queryPolicyBL=OptionalProperties
+remoteSource=OptionalProperties
+remoteSourceType=OptionalProperties
+replPropertyMetaData=OptionalProperties
+replUpToDateVector=OptionalProperties
+repsFrom=OptionalProperties
+repsTo=OptionalProperties
+revision=OptionalProperties
+sDRightsEffective=OptionalProperties
+secretary=OptionalProperties
+serverReferenceBL=OptionalProperties
+showInAddressBook=OptionalProperties
+showInAdvancedViewOnly=OptionalProperties
+siteObjectBL=OptionalProperties
+structuralObjectClass=OptionalProperties
+subRefs=OptionalProperties
+subSchemaSubEntry=OptionalProperties
+systemFlags=OptionalProperties
+telephoneNumber=OptionalProperties
+textEncodedORAddress=OptionalProperties
+url=OptionalProperties
+userCert=OptionalProperties
+userCertificate=OptionalProperties
+userSMIMECertificate=OptionalProperties
+uSNChanged=OptionalProperties
+uSNCreated=OptionalProperties
+uSNDSALastObjRemoved=OptionalProperties
+USNIntersite=OptionalProperties
+uSNLastObjRem=OptionalProperties
+uSNSource=OptionalProperties
+wbemPath=OptionalProperties
+wellKnownObjects=OptionalProperties
+whenChanged=OptionalProperties
+whenCreated=OptionalProperties
+wWWHomePage=OptionalProperties",2014-12-29T16:55:55.160-0800
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,
+,,,,,

deployment-apps/Splunk_TA_microsoft_ad_FW_Other/splunkbase.manifest

@@ -0,0 +1,193 @@
+{
+  "version": "1.0",
+  "date": "2022-11-12T09:53:00.606260897Z",
+  "hashAlgorithm": "SHA-256",
+  "app": {
+    "id": 3207,
+    "version": "1.0.0",
+    "files": [
+      {
+        "path": "README.txt",
+        "hash": "335c6eb5154d29dea68740224a32828835539dbf51d63580491ff05dfe216f0f"
+      },
+      {
+        "path": "appserver/static/appIcon.png",
+        "hash": "b0bca6df1563c074c7dbfcac48a7b67cef44697b42e76ffbb76b999f0383ccdc"
+      },
+      {
+        "path": "bin/Invoke-MonitoredScript.ps1",
+        "hash": "fb3a7f75f06713aebe80d3d1d10db61664fcd38d2a1fc0bc763353d38b666dcf"
+      },
+      {
+        "path": "bin/powershell/2012r2-health.ps1",
+        "hash": "6544efaf45d1678f8e5568d9c88735cc41bbcd695932c6dfc1fbc554edeece9d"
+      },
+      {
+        "path": "bin/powershell/2012r2-repl-stats.ps1",
+        "hash": "cda4c1ce194a0938b2203ca848fe0444edc35dcfa95883830c8edf6787b382dd"
+      },
+      {
+        "path": "bin/powershell/2012r2-siteinfo.ps1",
+        "hash": "66b9c4f04827278ee4e1fd4bcafa4450e3a486929dbf2c8f64ad219483a57957"
+      },
+      {
+        "path": "bin/powershell/nt6-health.ps1",
+        "hash": "8dc46640de6994cd95afdeac7c089adc7802a7683dd275b3095a1c48b8d4bef4"
+      },
+      {
+        "path": "bin/powershell/nt6-repl-stat.ps1",
+        "hash": "748e1080879de1f0f57c37d45139e81754148fd8eb8011cabd970433bc19e7f7"
+      },
+      {
+        "path": "bin/powershell/nt6-siteinfo.ps1",
+        "hash": "4a373467f500ecd2e2f7c2c669a8e81f945d4cd5d64be6123aa6f5ecf16c1bea"
+      },
+      {
+        "path": "bin/runpowershell.cmd",
+        "hash": "beea35625656a376f6ee73ce9c7d68af385cff7530633047ca5d13c3206f663a"
+      },
+      {
+        "path": "default/admon.conf",
+        "hash": "358a14c4789b1f57b39965c74e0296cb27a5a2935fb76a47932f259aaf46643f"
+      },
+      {
+        "path": "default/app.conf",
+        "hash": "d0784e87a2d5b06e617a422661db24462e3ef5760651e8c0577a696a40460c79"
+      },
+      {
+        "path": "default/eventgen.conf",
+        "hash": "f382ca4a7453479af1f4032fdcf39256f210c20c6341fff418044385b9a656e8"
+      },
+      {
+        "path": "default/eventtypes.conf",
+        "hash": "167a365b1bcb855c34545aa109c05477d94b41dfa887424fa8ac4e2779ad4808"
+      },
+      {
+        "path": "default/indexes.conf",
+        "hash": "8b901fd7fc55c8d28594ef2c24d9596c8e23975b1b03a51b51a3bb23e70dbacb"
+      },
+      {
+        "path": "default/inputs.conf",
+        "hash": "d252aec114efbb3bc3d0e3e3df4916bfad28fe460a8ddac6ef2c8707c71323a2"
+      },
+      {
+        "path": "default/perfmon.conf",
+        "hash": "f91ccffd1eea74e5d9827f02fddfe91267008a1b4f750798a58c81e980c895b1"
+      },
+      {
+        "path": "default/props.conf",
+        "hash": "af9d9b9eddf5b22d722c89dff1d27ec57bc6cf7b4a71a125733f1bfc284f3064"
+      },
+      {
+        "path": "default/transforms.conf",
+        "hash": "785168b8b71f0e3d27683b2611c4ac1eefd218963055edef73572466682a27f9"
+      },
+      {
+        "path": "license-eula.rtf",
+        "hash": "52ed437423e1fec818c133c2aa5399a09051e3d852214bb097abd4493bf524c7"
+      },
+      {
+        "path": "license-eula.txt",
+        "hash": "b1f64d4d3c6a8711e9967e05a2f2e354e24273191ac98ffd0b643319e60ac747"
+      },
+      {
+        "path": "metadata/default.meta",
+        "hash": "36b54b7b56bb6b352ad81dccdbca54060ff8eec123b82fa8730d88ec650a0521"
+      },
+      {
+        "path": "samples/MSAD-NT6-Health.sample",
+        "hash": "f96d77e334d2d37807b0c62686b9c3ab8526bd32c63c83fdb8c0f9787bebd0c6"
+      },
+      {
+        "path": "samples/MSAD-NT6-SiteInfo.sample",
+        "hash": "1929c250bfbd950d166236f7d54d63e27d62411ed4616bed2022ad02894430d0"
+      },
+      {
+        "path": "samples/WinEventLog-DFS-Replication.csv",
+        "hash": "b6262233298831a28339b739124d8ef492e2cecc8d511f35bfe0205c99d64211"
+      },
+      {
+        "path": "samples/WinEventLog-Directory-Service.csv",
+        "hash": "4bf5b618e367198567611a26425feb63452104ac5ec851d273e884a58fbc77ad"
+      },
+      {
+        "path": "samples/perfmon-Memory.csv",
+        "hash": "4f10667c0658cc8f14b3d668f34aa48c169b7a7342b6deb95229dcf9d3a12924"
+      },
+      {
+        "path": "samples/perfmon-NTDS.csv",
+        "hash": "796f6ff5cca1cb241109fdeebde0412bf5e8c389111387f3e8c2e7c62464a054"
+      },
+      {
+        "path": "samples/perfmon-Network_Interface.csv",
+        "hash": "19dd51d72a585d672dbe311d368b398093b45fe9bc034931b47dae490277c429"
+      },
+      {
+        "path": "samples/perfmon-Processor.csv",
+        "hash": "dfebcace4f6788d39e694d4732c36142c53d4e5a75b58fdcde8e7da44e4933cb"
+      },
+      {
+        "path": "samples/sourcetype-ActiveDirectory.csv",
+        "hash": "c259d6b8e932b7c433769e75ce574acfc555070ab881da0b1bcf51c17f4825ed"
+      },
+      {
+        "path": "static/appIcon.png",
+        "hash": "ed6f90e4767434de479b483bbf61a33e6a6df49e6343e175a4429571d6f94ca4"
+      },
+      {
+        "path": "static/appIconAlt.png",
+        "hash": "ed6f90e4767434de479b483bbf61a33e6a6df49e6343e175a4429571d6f94ca4"
+      },
+      {
+        "path": "static/appIcon_2x.png",
+        "hash": "ed6f90e4767434de479b483bbf61a33e6a6df49e6343e175a4429571d6f94ca4"
+      },
+      {
+        "path": "static/appIconAlt_2x.png",
+        "hash": "ed6f90e4767434de479b483bbf61a33e6a6df49e6343e175a4429571d6f94ca4"
+      }
+    ]
+  },
+  "products": [
+    {
+      "platform": "splunk",
+      "product": "enterprise",
+      "versions": [
+        "7.0",
+        "7.1",
+        "7.2"
+      ],
+      "architectures": [
+        "x86_64"
+      ],
+      "operatingSystems": [
+        "windows",
+        "linux",
+        "macos",
+        "freebsd",
+        "solaris",
+        "aix"
+      ]
+    },
+    {
+      "platform": "splunk",
+      "product": "cloud",
+      "versions": [
+        "7.0",
+        "7.1",
+        "7.2"
+      ],
+      "architectures": [
+        "x86_64"
+      ],
+      "operatingSystems": [
+        "windows",
+        "linux",
+        "macos",
+        "freebsd",
+        "solaris",
+        "aix"
+      ]
+    }
+  ]
+}

deployment-apps/Splunk_TA_windows_FW/README/transforms.conf.spec

@@ -0,0 +1,6 @@
+[user_account_control_property]
+python.version = {default|python|python2|python3}
+* For Splunk 8.0.x and Python scripts only, selects which Python version to use.
+* Either "default" or "python" select the system-wide default Python version.
+* Optional.
+* Default: not set; uses the system-wide Python version.

deployment-apps/Splunk_TA_windows_FW/THIRDPARTY

@@ -0,0 +1,61 @@
+================================================================================
+================================================================================
+
+          Third-Party Software for splunk-add-on-for-microsoft-windows
+
+--------------------------------------------------------------------------------
+
+The following 3rd-party software packages may be used by or distributed with splunk-add-on-for-microsoft-windows. Any information relevant to third-party vendors listed below are collected using common, reasonable means.
+
+Date generated: 2023-4-21
+
+Revision ID: 6fe5732f57cdacdb08681dc2b91962eac2841f69
+
+================================================================================
+================================================================================
+
+
+
+
+================================================================================
+
+                                Declared License
+
+================================================================================
+
+No declared license found for splunk-add-on-for-microsoft-windows
+
+
+
+
+================================================================================
+
+                              First Party Licenses
+
+================================================================================
+
+No licenses found
+
+
+
+
+
+================================================================================
+
+                                  Dependencies
+
+================================================================================
+
+
+
+
+================================================================================
+                                    License
+
+================================================================================
+
+
+--------------------------------------------------------------------------------
+--------------------------------------------------------------------------------
+
+Report Generated by FOSSA on 2023-4-21

deployment-apps/Splunk_TA_windows_FW/VERSION

@@ -0,0 +1,2 @@
+8.7.0
+8.7.0

deployment-apps/Splunk_TA_windows_FW/app.manifest

@@ -0,0 +1,75 @@
+{
+  "dependencies": null,
+  "incompatibleApps": {
+    "Splunk_TA_microsoft_ad": "<=1.0.0",
+    "Splunk_TA_microsoft_dns": "<=1.0.1"
+  },
+  "info": {
+    "author": [
+      {
+        "name": "Splunk, Inc.",
+        "email": null,
+        "company": null
+      }
+    ],
+    "classification": {
+      "categories": [
+        "IT Operations",
+        "Utilities",
+        "Security, Fraud & Compliance"
+      ],
+      "developmentStatus": "Production/Stable",
+      "intendedAudience": "IT Professionals"
+    },
+    "commonInformationModels": {
+      "Application_State": "==4.15.0",
+      "Authentication": "==4.18.0",
+      "Change": "==4.18.0",
+      "Change_Analysis": "==4.15.0",
+      "Compute_Inventory": "==4.15.0",
+      "Endpoint": "==4.18.0",
+      "Event_Signatures": "==4.18.0",
+      "Network_Sessions": "==4.15.0",
+      "Performance": "==4.15.0",
+      "Updates": "==4.15.0",
+      "Vulnerabilities": "==4.15.0"
+    },
+    "description": "Splunk Add-on for Microsoft Windows",
+    "id": {
+      "group": null,
+      "name": "Splunk_TA_windows",
+      "version": "8.7.0"
+    },
+    "license": {
+      "name": null,
+      "text": "LICENSES/LicenseRef-Splunk-8-2021.txt",
+      "uri": null
+    },
+    "privacyPolicy": {
+      "name": null,
+      "text": null,
+      "uri": null
+    },
+    "releaseDate": null,
+    "releaseNotes": {
+      "name": "README",
+      "text": "./README.txt",
+      "uri": "http://docs.splunk.com/Documentation/WindowsAddOn/latest/User/Releasenotes"
+    },
+    "title": "Splunk Add-on for Microsoft Windows"
+  },
+  "inputGroups": null,
+  "platformRequirements": null,
+  "schemaVersion": "2.0.0",
+  "supportedDeployments": [
+    "_standalone",
+    "_distributed",
+    "_search_head_clustering"
+  ],
+  "targetWorkloads": [
+    "_search_heads",
+    "_forwarders",
+    "_indexers"
+  ],
+  "tasks": null
+}

deployment-apps/Splunk_TA_windows_FW/bin/Invoke-MonitoredScript.ps1

@@ -0,0 +1,89 @@
+<#
+    .SYNOPSIS
+        & .\Invoke-MonitoredScript.ps1 "MyScript.ps1"
+
+    .DESCRIPTION
+        Outputs additional Splunk events related to the running and
+        errors in the script.
+#>
+[CmdletBinding()]
+param(
+    #Command to execute.
+    [Parameter(Position=0, Mandatory=$true)]
+    [ValidateNotNullOrEmpty()]
+    [string] $Command,
+
+	# Splunk Sourcetype Prefix for generated events
+    [Parameter()]
+    [ValidateNotNull()]
+    [string] $SourceTypePrefix="Powershell:",
+
+	# Maximum number of errors to convert into events
+    [Parameter()]
+    [ValidateRange(0, 100)]
+    [int] $MaxErrorCount
+)
+
+$WrappedScriptExecutionSummary= New-Object -TypeName PSObject -Property (
+    [ordered]@{
+        SplunkSourceType="$($SourceTypePrefix)ScriptExecutionSummary";
+        Identity=[guid]::NewGuid().ToString();
+        InvocationLine=$MyInvocation.Line;
+        TerminatingError=$false; ErrorCount=0; Elapsed=""
+    })
+$originalLocation = Get-Location
+
+try
+{
+    Set-Location (Split-Path -Parent $MyInvocation.MyCommand.Definition)
+    $ScriptStopWatch = [System.Diagnostics.Stopwatch]::StartNew()
+    $Error.Clear()
+    Invoke-Expression $Command
+}
+catch
+{
+    $WrappedScriptExecutionSummary.TerminatingError = $true;
+}
+finally
+{
+    Set-Location $originalLocation
+    $WrappedScriptExecutionSummary.Elapsed = $ScriptStopWatch.Elapsed.ToString("hh\:mm\:ss\.fff")
+    $WrappedScriptExecutionSummary.ErrorCount = $Error.Count
+
+    if ($Error.Count -gt 0) {
+        $ei = $Error.Count - 1
+        if ($PSBoundParameters.ContainsKey('MaxErrorCount')) {
+            if ($MaxErrorCount -lt $Error.Count) {
+                $ei = $MaxErrorCount - 1
+            }
+            # Always emit terminating errors
+            if ($ei -eq -1 -and $WrappedScriptExecutionSummary.TerminatingError) {
+                $ei = 1
+            }
+        }
+
+        for(; $ei -ge 0; $ei--) {
+            $errorRecord = New-Object -TypeName PSObject -Property (
+                [ordered]@{
+                    SplunkSourceType="$($SourceTypePrefix)ScriptExecutionErrorRecord";
+                    ParentIdentity=$WrappedScriptExecutionSummary.Identity;
+                    ErrorIndex=$ei;
+                    ErrorMessage=$Error[$ei].ToString();
+                    PositionMessage=$Error[$ei].InvocationInfo.PositionMessage;
+                    CategoryInfo=$Error[$ei].CategoryInfo.ToString();
+                    FullyQualifiedErrorId=$Error[$ei].FullyQualifiedErrorId
+                })
+
+            if ($Error[$ei].Exception -ne $null) {
+                Add-Member -InputObject $errorRecord -MemberType NoteProperty -Name Exception -Value $Error[$ei].Exception.ToString()
+                if ($Error[$ei].Exception.InnerException -ne $null) {
+                    Add-Member -InputObject $errorRecord -MemberType NoteProperty -Name InnerException -Value $Error[$ei].Exception.InnerException.ToString()
+                }
+            }
+
+            Write-Output $errorRecord
+        }
+    }
+
+    Write-Output $WrappedScriptExecutionSummary
+}

deployment-apps/Splunk_TA_windows_FW/bin/log.py

@@ -0,0 +1,120 @@
+#
+# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
+# SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+#
+#
+import logging
+import logging.handlers as handlers
+import os
+import os.path as op
+import time
+
+try:
+    from splunk.clilib.bundle_paths import make_splunkhome_path
+except ImportError:
+    from splunk.appserver.mrsparkle.lib.util import make_splunkhome_path
+
+logging.Formatter.converter = time.gmtime
+
+__LOG_FORMAT__ = (
+    "%(asctime)s +0000 log_level=%(levelname)s, pid=%(process)d, "
+    "tid=%(threadName)s, file=%(filename)s, "
+    "func_name=%(funcName)s, code_line_no=%(lineno)d | %(message)s"
+)
+
+
+class Log(object):
+    def __init__(self, namespace=None, default_level=logging.INFO):
+        self._loggers = {}
+        self._default_level = default_level
+        if namespace is None:
+            namespace = self._get_appname_from_path(op.abspath(__file__))
+
+        if namespace:
+            namespace = namespace.lower()
+        self._namespace = namespace
+
+    def get_logger(self, name, level=None, maxBytes=25000000, backupCount=5):
+        """
+        Set up a default logger.
+
+        :param name: The log file name.
+        :param level: The logging level.
+        :param maxBytes: The maximum log file size before rollover.
+        :param backupCount: The number of log files to retain.
+        """
+
+        # Strip ".py" from the log file name if auto-generated by a script.
+        if level is None:
+            level = self._default_level
+
+        name = self._get_log_name(name)
+        if name in self._loggers:
+            return self._loggers[name]
+
+        logger = logging.getLogger(name)
+
+        logfile = make_splunkhome_path(["var", "log", "splunk", name])
+        handler_exists = any(
+            [True for h in logger.handlers if h.baseFilename == logfile]
+        )
+        if not handler_exists:
+            file_handler = handlers.RotatingFileHandler(
+                logfile, mode="a", maxBytes=maxBytes, backupCount=backupCount
+            )
+            formatter = logging.Formatter(__LOG_FORMAT__)
+            file_handler.setFormatter(formatter)
+            logger.addHandler(file_handler)
+            logger.setLevel(level)
+            logger.propagate = False
+
+        self._loggers[name] = logger
+        return logger
+
+    def set_level(self, level, name=None):
+        """
+        Change the log level of the logging
+
+        :param level: the level of the logging to be setLevel
+        :param name: the name of the logging to set, in case it is not set,
+                     all the loggers will be affected
+        """
+
+        if name is not None:
+            name = self._get_log_name(name)
+            logger = self._loggers.get(name)
+            if logger is not None:
+                logger.setLevel(level)
+        else:
+            self._default_level = level
+            for logger in self._loggers.values():
+                logger.setLevel(level)
+
+    def _get_log_name(self, name):
+        if name.endswith(".py"):
+            name = name.replace(".py", "")
+
+        if self._namespace:
+            name = "{}_{}.log".format(self._namespace, name)
+        else:
+            name = "{}.log".format(name)
+        return name
+
+    def _get_appname_from_path(self, absolute_path):
+        absolute_path = op.normpath(absolute_path)
+        parts = absolute_path.split(os.path.sep)
+        parts.reverse()
+        for key in ("apps", "slave-apps", "master-apps"):
+            try:  # nosemgrep: gitlab.bandit.B112
+                idx = parts.index(key)
+            except ValueError:
+                continue
+            else:
+                try:  # nosemgrep: gitlab.bandit.B110
+                    if parts[idx + 1] == "etc":
+                        return parts[idx - 1]
+                except IndexError:
+                    pass
+                continue
+        # return None
+        return "-"

deployment-apps/Splunk_TA_windows_FW/bin/netsh_address.bat

@@ -0,0 +1,5 @@
+@echo off
+REM --------------------------------------------------------
+REM Copyright (C) 2021 Splunk Inc. All Rights Reserved.
+REM --------------------------------------------------------
+netsh interface ip show address

deployment-apps/Splunk_TA_windows_FW/bin/powershell/2012r2-health.ps1

@@ -0,0 +1,58 @@
+Import-Module ActiveDirectory -ErrorAction SilentlyContinue
+
+$ServerName = $env:ComputerName
+
+$DomainController = Get-ADDomainController -Identity $ServerName
+$Domain 		  = Get-ADDomain -Identity $DomainController.Domain
+$Forest			  = Get-ADForest -Identity $DomainController.Forest
+$ReplicationSite  = Get-ADReplicationSite -Identity $DomainController.Site
+$Computer		  = Get-ADComputer -Identity $ServerName -Properties *
+$RootDSE		  = Get-ADRootDSE -Server $ServerName
+$RequiredServices = @( "ntfrs", "dfsr", "netlogon", "kdc", "w32time", "ismserv" )
+
+$ISTG 		  = ($DomainController.NTDSSettingsObjectDN -eq $ReplicationSite.InterSiteTopologyGenerator)
+$SYSVOL 	  = (Get-SMBShare SYSVOL -ErrorAction SilentlyContinue)
+Try {
+    $DnsRegister  = [System.Net.Dns]::GetHostByName($DomainController.HostName)
+} Catch {
+    # The Catch will set $DnsRegister = $null if the GetHostByName fails for some reason
+}
+$SchemaVersion= Get-ADObject -Filter * -SearchScope Base -Properties objectVersion `
+			-SearchBase $RootDSE.schemaNamingContext
+$DCWeight	  = (Get-Item "HKLM:System\CurrentControlSet\Services\Netlogon\Parameters").GetValue("LdapSrvWeight", $null)
+if (!$DCWeight -or $DCWeight -eq $null -or $DCWeight -eq "") {
+	$DCWeight = 100
+}
+$FSMORoles 	= ($DomainController | Select -Expand OperationMasterRoles | %{ $_.ToString().Replace("Master","") } )
+
+$SvcRunning	= @(Get-Service $RequiredServices | ? Status -eq "Running" | select -expand Name)
+$SvcStopped	= @(Get-Service $RequiredServices | ? Status -ne "Running" | select -expand Name)
+$ProcsOK	= (($SvcStopped.Count -eq 0) -or ($SvcStopped.Count -eq 1 -and ($SvcStopped[0] -eq "ntfrs" -or $SvcStopped[0] -eq "dfsr")))
+
+New-Object PSObject -Property @{
+	Server			= $DomainController.Name
+	DomainDNSName	= $DomainController.Domain
+	DomainNetBIOSName = $Domain.NetBIOSName
+	DomainLevel		= $Domain.DomainMode
+	Site			= $DomainController.Site
+	ForestName		= $DomainController.Forest
+	ForestLevel		= $Forest.ForestMode
+	Created			= $Computer.whenCreated
+	Changed			= $Computer.whenChanged
+	GlobalCatalog	= $DomainController.IsGlobalCatalog
+	RODC			= $DomainController.IsReadOnly
+	Enabled			= $DomainController.Enabled
+	HighestUSN		= $RootDSE.highestCommittedUSN
+	SchemaVersion	= $SchemaVersion.objectVersion
+	DCWeight		= $DCWeight
+	IsIntersiteTopologyGenerator = $ISTG
+	OperatingSystem	= $DomainController.OperatingSystem
+	ServicePack		= $DomainController.OperatingSystemServicePack
+	OSVersion		= $DomainController.OperatingSystemVersion
+	FSMORoles		= $FSMORoles -join " "
+	ServicesRunning	= $SvcRunning -join ","
+	ServicesNotRunning = $SvcStopped -join ","
+	ProcsOK			= $ProcsOK
+	SYSVOLShare		= ($SYSVOL -ne $null)
+	DNSRegister		= ($DnsRegister -ne $null)
+}

deployment-apps/Splunk_TA_windows_FW/bin/powershell/2012r2-repl-stats.ps1

@@ -0,0 +1,17 @@
+Import-Module ActiveDirectory -ErrorAction SilentlyContinue
+
+Get-ADReplicationPartnerMetaData -Target $env:ComputerName -PartnerType Inbound -Partition * | %{
+	$src_host = Get-ADObject -Filter * -SearchBase $_.Partner.Replace("CN=NTDS Settings,","") `
+				-SearchScope Base -Properties dNSHostName
+
+	New-Object PSObject -Property @{
+		LastAttemptedSync	= $_.LastReplicationAttempt
+		LastSuccessfulSync	= $_.LastReplicationSuccess
+		type			= "ReplicationEvent"
+		usn			= $_.LastChangeUsn
+		src_host		= $src_host.dNSHostName
+		Result			= $_.LastReplicationResult
+		transport		= $_.IntersiteTransportType
+		naming_context		= $_.Partition
+	}
+}

deployment-apps/Splunk_TA_windows_FW/bin/powershell/2012r2-siteinfo.ps1

@@ -0,0 +1,74 @@
+Import-Module ActiveDirectory -ErrorAction SilentlyContinue
+#
+# Get the Information about this site
+#
+$ServerName = $env:ComputerName
+
+$DC 	= Get-ADDomainController -Identity $ServerName
+$Site	= Get-ADReplicationSite -Identity $DC.Site
+$Object = Get-ADObject -Filter * -SearchScope base -Properties * `
+		-SearchBase $Site.DistinguishedName
+
+$Location 	= if ($Object.location -eq $null) { "" } else { $Object.location }
+$ISTG	  	= Get-ADDomainController -Filter `
+			'NTDSSettingsObjectDN -eq $Site.IntersiteTopologyGenerator'
+$SiteLinks 	= Get-ADReplicationSiteLink -Filter 'SitesIncluded -eq $Site' -Properties *
+$AdjacentSites 	= ($SiteLinks | Select -Expand SitesIncluded | `
+			Where-Object { $_ -ne $Site.DistinguishedName } | `
+			Sort-Object | Get-Unique | `
+			Foreach-Object { Get-ADReplicationSite $_ } )
+$Subnets	= Get-ADReplicationSubnet -Filter 'Site -eq $Site'
+
+########################################################################
+#
+# SITE
+#
+$SiteInfo = @(
+	"Type=`"Site`""
+	"ForestName=`"$($DC.Forest)`""
+	"Site=`"$($Object.CN)`""
+	"Location=`"$Location`""
+	"IntersiteTopologyGenerator=`"$($ISTG.HostName)`""
+)
+$AdjacentSites | %{ $SiteLink += "AdjacentSite=`"$($_.Name)`"" }
+$SiteLinks     | %{ $SiteInfo += "SiteLink=`"$($_.Name)`"" }
+$Subnets       | %{ $SiteInfo += "Subnet=`"$($_.Name)`"" }
+Write-Output ($SiteInfo -join " ")
+#
+########################################################################
+#
+# SITELINK
+#
+$SiteLinks | %{
+	# These values are not stored in the object unless you change them
+	$cost 		= if ($_.Cost -eq $null) { 100 } else { $_.Cost }
+	$options 	= if ($_.options -eq $null) { 0 } else { $_.options }
+	$replInterval	= if ($_.replInterval -eq $null) { 180 * 60 } else { $_.replInterval * 60 }
+	$notifications	= if ($options -band 0x01) { "True" } else { "False" }
+	$reciprocal 	= if ($options -band 0x02) { "True" } else { "False" }
+	$compression	= if ($options -band 0x04) { "False" } else { "True" }
+
+	$SiteLink = @(
+		"Type=`"SiteLink`""
+		"ForestName=`"$($DC.Forest)`""
+		"Name=`"$($_.Name)`""
+		"Cost=`"$($_.Cost)`""
+		"DataCompressionEnabled=$compression"
+		"NotificationEnabled=$notifications"
+		"ReciprocalReplicationEnabled=$reciprocal"
+		"TransportType=$($_.InterSiteTransportProtocol)"
+		"ReplicationIntervalSecs=$replInterval"
+	)
+	Write-Output ($SiteLink -join " ")
+}
+
+$Subnets | Foreach-Object {
+	$Subnet = @(
+		"Type=`"Subnet`""
+		"ForestName=`"$($DC.Forest)`""
+		"Name=`"$($_.Name)`""
+		"Site=`"$($Site.Name)`""
+		"Location=`"$($_.Location)`""
+	)
+	Write-Output ($Subnet -join " ")
+}

deployment-apps/Splunk_TA_windows_FW/bin/powershell/dns-health.ps1

@@ -0,0 +1,114 @@
+#
+# Determine the health and statistics of this Microsoft DNS Server
+#
+$Output = New-Object System.Collections.ArrayList
+$Date = Get-Date -format 'yyyy-MM-ddTHH:mm:sszzz'
+write-host -NoNewline ""$Date
+
+# Name of Server
+$ServerName = $env:ComputerName
+write-host -NoNewline ""Server=`"$ServerName`"
+
+#
+# Windows Version and Build #
+#
+$WindowsInfo = Get-Item "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion"
+$OS = $WindowsInfo.GetValue("ProductName")
+$OSSP = $WindowsInfo.GetValue("CSDVersion")
+$WinVer = $WindowsInfo.GetValue("CurrentVersion")
+$WinBuild = $WindowsInfo.GetValue("CurrentBuildNumber")
+$OSVER = "$WinVer ($WinBuild)"
+
+write-host -NoNewline ""OperatingSystem=`"$OS`"
+write-host -NoNewline ""ServicePack=`"$OSSP`"
+write-host -NoNewline ""OSVersion=`"$OSVER`"
+
+#
+# Required Processes Running
+#		DNS Dnscache w32time
+#
+$RequiredServices = @( "DNS", "Dnscache", "w32time" )
+$srvr = @()
+$srvnr = @()
+foreach ($srv in $RequiredServices) {
+	$status = (Get-Service $srv).Status
+	if ($status -eq "Running") {
+		$srvr += $srv
+	} else {
+		$srvnr += $srv
+	}
+}
+
+$ProcsOK = "False"
+if ($srvnr.Count -eq 0) {
+	$ProcsOK = "True"
+}
+
+$ServicesRunning = [string]::join(',', $srvr)
+$ServicesNotRunning = [string]::join(',', $srvnr)
+write-host -NoNewline ""ServicesRunning=`"$ServicesRunning`" ServicesNotRunning=`"$ServicesNotRunning`" ProcsOK=`"$ProcsOK`"
+
+#
+# Settings for this DNS Server
+#
+$dnsInfo = Get-WmiObject -Namespace "root\MicrosoftDNS" -Class MicrosoftDNS_Server -ComputerName $ServerName
+
+# See http://msdn.microsoft.com/en-us/library/windows/desktop/ms682725(v=vs.85).aspx for details
+write-host -NoNewline "" Name=`"$($dnsInfo.Name)`"
+write-host -NoNewline "" Version=`"$($dnsInfo.Version)`"
+write-host -NoNewline "" LogLevel=`"$($dnsInfo.LogLevel)`"
+write-host -NoNewline "" LogFilePath=`"$($dnsInfo.LogFilePath)`"
+write-host -NoNewline "" LogFileMaxSize=`"$($dnsInfo.LogFileMaxSize)`"
+write-host -NoNewline "" LogIPFilterList=`"$($dnsInfo.LogIPFilterList)`"
+write-host -NoNewline "" EventLogLevel=`"$($dnsInfo.EventLogLevel)`"
+write-host -NoNewline "" RpcProtocol=`"$($dnsInfo.RpcProtocol)`"
+write-host -NoNewline "" NameCheckFlag=`"$NameCheckFlag`"
+write-host -NoNewline "" AddressAnswerLimit=`"$($dnsInfo.AddressAnswerLimit)`"
+write-host -NoNewline "" RecursionRetry=`"$($dnsInfo.RecursionRetry)`"
+write-host -NoNewline "" RecursionTimeout=`"$($dnsInfo.RecursionTimeout)`"
+write-host -NoNewline "" DsPollingInterval=`"$($dnsInfo.DsPollingInterval)`"
+write-host -NoNewline "" DsTombstoneInteval=`"$($dnsInfo.DsTombstoneInteval)`"
+write-host -NoNewline "" MaxCacheTTL=`"$($dnsInfo.MaxCacheTTL)`"
+write-host -NoNewline "" MaxNegativeCacheTTL=`"$($dnsInfo.MaxNegativeCacheTTL)`"
+write-host -NoNewline "" SendPort=`"$($dnsInfo.SendPort)`"
+write-host -NoNewline "" XfrConnectTimeout=`"$($dnsInfo.XfrConnectTimeout)`"
+write-host -NoNewline "" BootMethod=`"$($dnsInfo.BootMethod)`"
+write-host -NoNewline "" AllowUpdate=`"$($dnsInfo.AllowUpdate)`"
+write-host -NoNewline "" UpdateOptions=`"$($dnsInfo.UpdateOptions)`"
+write-host -NoNewline "" DsAvailable=`"$($dnsInfo.DsAvailable)`"
+write-host -NoNewline "" DisableAutoReverseZones=`"$($dnsInfo.DisableAutoReverseZones)`"
+write-host -NoNewline "" AutoCacheUpdate=`"$($dnsInfo.AutoCacheUpdate)`"
+write-host -NoNewline "" NoRecursion=`"$($dnsInfo.NoRecursion)`"
+write-host -NoNewline "" RoundRobin=`"$($dnsInfo.RoundRobin)`"
+write-host -NoNewline "" LocalNetPriority=`"$($dnsInfo.LocalNetPriority)`"
+write-host -NoNewline "" StrictFileParsing=`"$($dnsInfo.StrictFileParsing)`"
+write-host -NoNewline "" LooseWildcarding=`"$($dnsInfo.LooseWildcarding)`"
+write-host -NoNewline "" BindSecondaries=`"$($dnsInfo.BindSecondaries)`"
+write-host -NoNewline "" WriteAuthorityNS=`"$($dnsInfo.WriteAuthorityNS)`"
+write-host -NoNewline "" ForwardDelegations=`"$($dnsInfo.ForwardDelegations)`"
+write-host -NoNewline "" SecureResponses=`"$($dnsInfo.SecureResponses)`"
+write-host -NoNewline "" DisjointNets=`"$($dnsInfo.DisjointNets)`"
+write-host -NoNewline "" AutoConfigFileZones=`"$($dnsInfo.AutoConfigFileZones)`"
+write-host -NoNewline "" ScavengingInterval=`"$($dnsInfo.ScavengingInterval)`"
+write-host -NoNewline "" DefaultRefreshInterval=`"$($dnsInfo.DefaultRefreshInterval)`"
+write-host -NoNewline "" DefaultNoRefreshInterval=`"$($dnsInfo.DefaultNoRefreshInterval)`"
+write-host -NoNewline "" DefaultAgingState=`"$($dnsInfo.DefaultAgingState)`"
+write-host -NoNewline "" EDnsCacheTimeout=`"$($dnsInfo.EDnsCacheTimeout)`"
+write-host -NoNewline "" EnableEDnsProbes=`"$($dnsInfo.EnableEDnsProbes)`"
+write-host -NoNewline "" EnableDnsSec=`"$($dnsInfo.EnableDnsSec)`"
+write-host -NoNewline "" ForwardingTimeout=`"$($dnsInfo.ForwardingTimeout)`"
+write-host -NoNewline "" IsSlave=`"$($dnsInfo.IsSlave)`"
+write-host -NoNewline "" EnableDirectoryPartitions=`"$($dnsInfo.EnableDirectoryPartitions)`"
+write-host -NoNewline "" Started=`"$($dnsInfo.Started)`"
+write-host -NoNewline "" StartMode=`"$($dnsInfo.StartMode)`"
+write-host -NoNewline "" Status=`"$($dnsInfo.Status)`"
+
+foreach ($ip in $dnsInfo.Forwarders) {
+	write-host -NoNewline "" Forwarder=`"$ip`"
+}
+foreach ($ip in $dnsInfo.ServerAddresses) {
+	write-host -NoNewline "" ServerAddress=`"$ip`"
+}
+foreach ($ip in $dnsInfo.ListenAddresses) {
+	write-host "" ListenAddress=`"$ip`"
+}

deployment-apps/Splunk_TA_windows_FW/bin/powershell/dns-zoneinfo.ps1

@@ -0,0 +1,79 @@
+#
+# DNS Zone Information
+#
+function Get-WmiCount($a) {
+	if ($a -eq $Null) {
+		$cnt = 0
+	} elseif ($a.GetType().Name -eq "ManagementObject") {
+		$cnt = 1
+	} else {
+		$cnt = $a.Length
+	}
+
+	$cnt
+}
+
+function Output-Zoneinfo($Zone) {
+	#$Output = New-Object System.Collections.ArrayList
+	$Date = Get-Date -format 'yyyy-MM-ddTHH:mm:sszzz'
+    write-host -NoNewline $Date Zone=`"$($Zone.Name)`" Aging=`"$($Zone.Aging)`" AllowUpdate=`"$($Zone.AllowUpdate)`" AutoCreated=`"$($Zone.AutoCreated)`" AvailForScavengeTime=`"$($Zone.AvailForScavengeTime)`" Caption=`"$($Zone.Caption)`" ContainerName=`"$($Zone.ContainerName)`" DataFile=`"$($Zone.DataFile)`" DnsServerName=`"$($Zone.DnsServerName)`" DsIntegrated=`"$($Zone.DsIntegrated)`" ForwarderSlave=`"$($Zone.ForwarderSlave)`" ForwarderTimeout=`"$($Zone.ForwarderTimeout)`" LastSuccessfulSoaCheck=`"$($Zone.LastSuccessfulSoaCheck)`" LastSuccessfulXfr=`"$($Zone.LastSuccessfulXfr)`" NoRefreshInterval=`"$($Zone.NoRefreshInterval)`" Notify=`"$($Zone.Notify)`" Paused=`"$($Zone.Paused)`" RefreshInterval=`"$($Zone.RefreshInterval)`" Reverse=`"$($Zone.Reverse)`" SecureSecondaries=`"$($Zone.SecureSecondaries)`" Shutdown=`"$($Zone.Shutdown)`" Status=`"$($Zone.Status)`" UseWins=`"$($Zone.UseWins)`" ZoneType=`"$($Zone.ZoneType)`"
+
+	# Some information on the zone itself - # record by type and total
+	$ZoneName = $Zone.Name
+
+	$SOA  = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_SOAType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
+	$SOAlen = Get-WmiCount($SOA)
+	write-host -NoNewline ""SOA=$SOAlen
+
+	$NS   = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_NSType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
+	$NSlen = Get-WmiCount($NS)
+	write-host -NoNewline ""NS=$NSlen
+
+	$A    = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_AType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
+	$Alen = Get-WmiCount($A)
+	write-host -NoNewline ""A=$Alen
+
+	$AAAA = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_AAAAType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
+	$AAAAlen = Get-WmiCount($AAAA)
+	write-host -NoNewline ""AAAA=$AAAAlen
+
+	$CNAME= Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_CNAMEType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
+	$CNAMElen = Get-WmiCount($CNAME)
+	write-host -NoNewline ""CNAME=$CNAMElen
+
+	$MX   = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_MXType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
+	$MXlen = Get-WmiCount($MX)
+	write-host -NoNewline ""MX=$MXlen
+
+	$SRV  = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_SRVType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
+	$SRVlen = Get-WmiCount($SRV)
+	write-host -NoNewline ""SRV=$SRVlen
+
+	$HINFO= Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_HINFOType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
+	$HINFOlen = Get-WmiCount($HINFO)
+	write-host -NoNewline ""HINFO=$HINFOlen
+
+	$TXT  = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_TXTType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
+	$TXTlen = Get-WmiCount($TXT)
+	write-host -NoNewline ""TXT=$TXTlen
+
+	$RR  = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_ResourceRecord -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
+	$TotalRecords = Get-WmiCount($RR)
+	write-host ""TotalRecords=$TotalRecords
+
+}
+
+#
+# Main Program
+#
+$ServerName = $env:ComputerName
+$Scope = New-Object Management.ManagementScope("\\$ServerName\root\MicrosoftDNS")
+$Path = New-Object Management.ManagementPath("MicrosoftDNS_Zone")
+$Options = New-Object Management.ObjectGetOptions($Null, [System.TimeSpan]::MaxValue, $True)
+
+$ZoneClass = New-Object Management.ManagementClass($Scope, $Path, $Options)
+$Zones = Get-WMIObject -Computer $ServerName -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_Zone"
+$OutputEncoding = [Text.Encoding]::UTF8
+Foreach ($Zone in $Zones) {
+	Output-ZoneInfo($Zone)
+}

deployment-apps/Splunk_TA_windows_FW/bin/powershell/generate_windows_update_logs.ps1

@@ -0,0 +1,20 @@
+## This script generates WindowsUpdate.Log using Get-WindowsUpdateLog in $SplunkHome\var\log\Splunk_TA_windows\WindowsUpdate
+## It monitors the WindowsUpdate.log from $SplunkHome\var\log\Splunk_TA_windows\
+
+Set-Variable -Name "LogFolder" -Value "$SplunkHome\var\log\Splunk_TA_windows\WindowsUpdate"
+Set-Variable -Name "MonitoredLogFile" -Value "$SplunkHome\var\log\Splunk_TA_windows\WindowsUpdate.log"
+
+if (!(Test-Path -Path $LogFolder )) {
+	New-Item -ItemType directory -Path $LogFolder
+}
+
+Get-WindowsUpdateLog -LogPath $LogFolder\WindowsUpdate.log
+
+if ([System.IO.File]::Exists("$MonitoredLogFile")) {
+	Get-Content "$LogFolder\WindowsUpdate.log" | Set-Content -Path "$MonitoredLogFile"
+}
+else {
+Copy-Item -Path "$LogFolder\WindowsUpdate.log" -Destination "$MonitoredLogFile"
+}
+
+exit

deployment-apps/Splunk_TA_windows_FW/bin/powershell/nt6-health.ps1

@@ -0,0 +1,170 @@
+#
+# Determine the health and statistics of this Active Directory Controller
+#
+$Output = New-Object System.Collections.ArrayList
+$Date = Get-Date -format 'yyyy-MM-ddTHH:mm:sszzz'
+[void]$Output.Add($Date)
+
+# Name of Server
+$ServerName = $env:ComputerName
+[void]$Output.Add("Server=""$ServerName""")
+$BSSN = "\\" + $ServerName
+
+# Domain Information
+
+$S_DS_AD_DOM = [System.DirectoryServices.ActiveDirectory.Domain]::getComputerDomain()
+$WMI_CS      = (Get-WmiObject Win32_ComputerSystem)
+$WMI_DOMAIN	 = Get-WmiObject Win32_NTDomain | Where-Object {$_.DomainControllerName -eq $BSSN}
+
+$DomainDNSName = $WMI_CS.Domain
+$DomainNetBIOSName = $WMI_DOMAIN.DomainName
+$DomainLevel   = $S_DS_AD_DOM.DomainMode
+[void]$Output.Add("DomainDNSName=`"$DomainDNSName`"");
+[void]$Output.Add("DomainNetBIOSName=`"$DomainNetBIOSName`"");
+[void]$Output.Add("DomainLevel=`"$DomainLevel`"");
+
+# Site Information
+$SiteName = $WMI_DOMAIN.ClientSiteName
+[void]$Output.Add("Site=`"$SiteName`"");
+
+# Forest Information
+$ForestName = $S_DS_AD_DOM.Forest.Name
+$ForestLevel = $S_DS_AD_DOM.Forest.ForestMode
+[void]$Output.Add("ForestName=`"$ForestName`"");
+[void]$Output.Add("ForestLevel=`"$ForestLevel`"");
+
+# Domain Controller Flags
+$IsRO = "False"
+$IsEnabled = "False"
+$IsGC = "False"
+$USN = "Unknown"
+$MyName = ($env:ComputerName + "." + $DomainDNSName).ToLower()
+if ($WMI_DOMAIN.Status -eq "OK") {
+	$MyDC = $S_DS_AD_DOM.DomainControllers | Where-Object { $_.Name.ToLower() -eq $MyName.ToLower() }
+	if ($MyDC) {
+		if ($MyDC.IsGlobalCatalog()) {
+			$IsGC = "True"
+		}
+		$USN = $MyDC.HighestCommittedUsn
+		$IsEnabled = "True"
+
+		$entry = $MyDC.getDirectoryEntry()
+		[void]$Output.Add("Created=`"$($entry.whenCreated)`"")
+		[void]$Output.Add("Changed=`"$($entry.whenChanged)`"")
+
+		$DN = $entry.Path
+		$ServerEntry = [ADSI]"$DN"
+		$ServerEntry.GetInfoEx(@("msDS-IsRODC"),0)
+		$IsRO = $ServerEntry."msDS-IsRODC"
+	}
+}
+[void]$Output.Add("GlobalCatalog=`"$IsGC`"")
+[void]$Output.Add("RODC=`"$IsRO`"")
+[void]$Output.Add("Enabled=`"$IsEnabled`"")
+[void]$Output.Add("HighestUSN=`"$USN`"")
+
+$SchemaInfo = Get-Item "HKLM:System\CurrentControlSet\Services\NTDS\Parameters"
+$SchemaVersion = $SchemaInfo.GetValue("Schema Version")
+[void]$Output.Add("SchemaVersion=$SchemaVersion")
+
+$NetLogonParams = Get-Item "HKLM:System\CurrentControlSet\Services\Netlogon\Parameters"
+$DCWeight = $NetLogonParams.GetValue("LdapSrvWeight", $null)
+if (!$DCWeight -or $DCWeight -eq $null -or $DCWeight -eq "") {
+	$DCWeight = 100	# This is the default value
+}
+[void]$Output.Add("DCWeight=$DCWeight")
+
+$SiteInfoObj = [System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest().Sites | Where-Object { $_.Name -eq $SiteName }
+
+# Is this host a BridgeHead Server?
+# Field BridgeheadServer (Collection of DirectoryServer objects - check to see if we are listed and set IsBridgeHeadServer=True/False accordingly)
+
+# Is this host a Intersite Topology Generator
+if ($SiteInfoObj.IntersiteTopologyGenerator.Name -and ($SiteInfoObj.IntersiteTopologyGenerator.Name -eq $ServerName -or $SiteInfoObj.IntersiteTopologyGenerator.Name.ToLower() -eq $MyName)) {
+	[void]$Output.Add("IsIntersiteTopologyGenerator=`"True`"")
+} else {
+	[void]$Output.Add("IsIntersiteTopologyGenerator=`"False`"")
+}
+
+
+#
+# Windows Version and Build #
+#
+$WindowsInfo = Get-Item "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion"
+$OS = $WindowsInfo.GetValue("ProductName")
+$OSSP = $WindowsInfo.GetValue("CSDVersion")
+$WinVer = $WindowsInfo.GetValue("CurrentVersion")
+$WinBuild = $WindowsInfo.GetValue("CurrentBuildNumber")
+$OSVER = "$WinVer ($WinBuild)"
+
+[void]$Output.Add("OperatingSystem=""$OS""")
+[void]$Output.Add("ServicePack=""$OSSP""")
+[void]$Output.Add("OSVersion=""$OSVER""")
+
+#
+# FSMO Roles (Schema, DomainNaming, Infrastructure, RIDMaster, PDC)
+#
+$aFSMO = @()
+if ($MyDC -and $MyDC.Roles) {
+	foreach ($role in $MyDC.Roles) {
+		switch ($role) {
+			"SchemaRole"			{ $aFSMO += "Schema" }
+			"NamingRole"			{ $aFSMO += "DomainNaming" }
+			"InfrastructureRole"	{ $aFSMO += "Infrastructure" }
+			"PdcRole"				{ $aFSMO += "PDCEmulator" }
+			"RidRole"				{ $aFSMO += "RIDMaster" }
+		}
+	}
+}
+$FSMORoles = [string]::join(' ', $aFSMO)
+[void]$Output.Add("FSMORoles=""$FSMORoles""")
+
+#
+# Required Processes Running
+#		FRS, DFS-R, Net Logon, KDC, W32Time, ISMSERV
+#
+$RequiredServices = @( "ntfrs", "dfsr", "netlogon", "kdc", "w32time", "ismserv" )
+$srvr = @()
+$srvnr = @()
+foreach ($srv in $RequiredServices) {
+	$status = (Get-Service $srv).Status
+	if ($status -eq "Running") {
+		$srvr += $srv
+	} else {
+		$srvnr += $srv
+	}
+}
+# Note that the only case that ProcsOK == True is when there is ONE service
+# that isn't running - You need one replication services (ntfrs or dfsr) but
+# not both
+$ProcsOK = "False"
+if (($srvnr.Count -eq 0) -or ($srvnr.Count -eq 1 -and ($srvnr[0] -eq "ntfrs" -or $srvnr[0] -eq "dfsr"))) {
+	$ProcsOK = "True"
+}
+$ServicesRunning = [string]::join(',', $srvr)
+$ServicesNotRunning = [string]::join(',', $srvnr)
+[void]$Output.Add("ServicesRunning=""$ServicesRunning""")
+[void]$Output.Add("ServicesNotRunning=""$ServicesNotRunning""")
+[void]$Output.Add("ProcsOK=""$ProcsOK""")
+
+#
+# Look for Common Problems
+#		SYSVOL is shared out
+#		DC is registered in DNS
+#
+$SysvolShare = (Get-WmiObject Win32_Share|Where-Object { $_.Name -eq "SYSVOL" })
+if ($SysvolShare) {
+	[void]$Output.Add("SYSVOLShare=""True""")
+} else {
+	[void]$Output.Add("SYSVOLShare=""False""")
+}
+
+$DNSEntry = ([System.Net.DNS]::GetHostEntry($ServerName))
+if ($DNSEntry) {
+	[void]$Output.Add("DNSRegister=""True""")
+} else {
+	[void]$Output.Add("DNSRegister=""False""")
+}
+
+# Output the final string
+Write-Host ($output -join " ")

deployment-apps/Splunk_TA_windows_FW/bin/powershell/nt6-siteinfo.ps1

@@ -0,0 +1,41 @@
+#
+# Determine and output information about the Site the server is a member of
+#
+
+$ServerName = $env:ComputerName
+$BSSN = "\\" + $ServerName
+$WMI_DOMAIN	 = Get-WmiObject Win32_NTDomain | Where-Object {$_.DomainControllerName -eq $BSSN}
+$SiteName = $WMI_DOMAIN.ClientSiteName
+$ForestName = [System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest().Name
+
+$Date = Get-Date -format 'yyyy-MM-ddTHH:mm:sszzz'
+$SiteInfoObj = [System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest().Sites | Where-Object { $_.Name -eq $SiteName }
+$ISTG = $SiteInfoObj.IntersiteTopologyGenerator.Name
+
+
+write-host  $Date Type=`"Site`" ForestName=`"$ForestName`" Site=`"$SiteName`" Location=`"$($SiteInfoObj.Location)`" -NoNewline
+$SiteInfoObj.AdjacentSites | Foreach-Object { write-host AdjacentSite=`"$($_.Name)`" -NoNewline }
+write-host IntersiteTopologyGenerator=`"$ISTG`" -NoNewline
+$SiteInfoObj.SiteLinks | Foreach-Object { write-host "" SiteLink=`"$($_.Name)`" -NoNewline }
+$SiteInfoObj.Subnets | Foreach-Object { write-host "" Subnet=`"$($_.Name)`" -nonewline }
+
+write-host #Needed to print a newline for next object
+
+#
+# Output Information about Site Links in this site
+#
+$SiteInfoObj.SiteLinks | Foreach-Object {
+    write-host $Date Type=`"SiteLink`" ForestName=`"$ForestName`" Name=`"$($_.Name)`" Cost=$($_.Cost) DataCompressionEnabled=$($_.DataCompressionEnabled) NotificationEnabled=$($_.NotificationEnabled) ReciprocalReplicationEnabled=$($_.ReciprocalReplicationEnabled) TransportType=$($_.TransportType) ReplicationIntervalSecs=$($_.ReplicationInterval.TotalSeconds) -NoNewLine
+	foreach ($site in $_.Sites) {
+		write-host ""Site=`"$($site.Name)`" -NoNewLine
+	}
+}
+Write-Host  #similar to above
+
+#
+# Output Information about Subnets in this site
+#
+
+$SiteInfoObj.Subnets | Foreach-Object {
+    write-Host $Date Type=`"Subnet`" ForestName=`"$ForestName`" Name=`"$($_.Name)`" Site=`"$SiteName`" Location=`"$($_.Location)`"
+}

deployment-apps/Splunk_TA_windows_FW/bin/runpowershell.cmd

@@ -0,0 +1,14 @@
+@ECHO OFF
+
+:: ######################################################
+:: #
+:: # Splunk for Microsoft Windows
+:: #
+:: # Copyright (C) 2021 Splunk, Inc.
+:: # All Rights Reserved
+:: #
+:: ######################################################
+
+set SplunkApp=Splunk_TA_windows
+
+%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe -executionPolicy RemoteSigned -command ". '%SPLUNK_HOME%\etc\apps\%SplunkApp%\bin\powershell\%1'"

deployment-apps/Splunk_TA_windows_FW/bin/user_account_control_property.py

@@ -0,0 +1,112 @@
+#
+# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
+# SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+#
+#
+import csv
+import sys
+import log
+import logging
+
+# Map for possible property flags
+property_flags = {
+    "1": "SCRIPT",
+    "2": "ACCOUNTDISABLE",
+    "8": "HOMEDIR_REQUIRED",
+    "16": "LOCKOUT",
+    "32": "PASSWD_NOTREQD",
+    "64": "PASSWD_CANT_CHANGE",
+    "128": "ENCRYPTED_TEXT_PWD_ALLOWED",
+    "256": "TEMP_DUPLICATE_ACCOUNT",
+    "512": "NORMAL_ACCOUNT",
+    "2048": "INTERDOMAIN_TRUST_ACCOUNT",
+    "4096": "WORKSTATION_TRUST_ACCOUNT",
+    "8192": "SERVER_TRUST_ACCOUNT",
+    "65536": "DONT_EXPIRE_PASSWORD",
+    "131072": "MNS_LOGON_ACCOUNT",
+    "262144": "SMARTCARD_REQUIRED",
+    "524288": "TRUSTED_FOR_DELEGATION",
+    "1048576": "NOT_DELEGATED",
+    "2097152": "USE_DES_KEY_ONLY",
+    "4194304": "DONT_REQ_PREAUTH",
+    "8388608": "PASSWORD_EXPIRED",
+    "16777216": "TRUSTED_TO_AUTH_FOR_DELEGATION",
+    "67108864": "PARTIAL_SECRETS_ACCOUNT",
+}
+
+
+def main():
+
+    logger = log.Log().get_logger("user_account_control_property")
+    logger.info("Lookup script started executing..")
+
+    # prints usage of the lookup script if wrong number of arguments provided
+    if len(sys.argv) != 3:
+        logger.debug(
+            "Usage: python user_account_control_property.py [userAccountControl] [userAccountPropertyFlag]"
+        )
+        logger.debug("Lookup script stopped..")
+        sys.exit(1)
+
+    # Lookup Field names
+    userAccountControl = sys.argv[1]
+    userAccountPropertyFlag = sys.argv[2]
+
+    infile = sys.stdin
+    outfile = sys.stdout
+
+    r = csv.DictReader(infile)
+
+    w = csv.DictWriter(outfile, fieldnames=r.fieldnames)
+
+    w.writeheader()
+
+    # Decode flags for every 'userAccountControl' attribute value present in a search result
+    for result in r:
+        try:
+            if result[userAccountControl].isdigit():
+                attribute_value = int(result[userAccountControl])
+                bit_cnt = 0
+                incorrect_result_flag = False
+                flags = list()
+
+                # Prepare flag list by decoding 'userAccountcontrol' decimal value
+                # As 'userAccountControl' is decimal value, For each bit set to '1' a property flag can be denoted by using 'property_flags' map given above
+                while attribute_value != 0:
+                    if attribute_value & 1 == 1:
+                        flags.append(str(1 << bit_cnt))
+                    attribute_value = attribute_value >> 1
+                    bit_cnt += 1
+
+                # If flag not present in 'property_flags' map, The 'userAccountPropertyFlag' won't be populated in search result
+                for flag in flags:
+                    if flag not in list(property_flags.keys()):
+                        logger.debug(
+                            "'userAccountControl' attribute can not be decoded for value: {}".format(
+                                result[userAccountControl]
+                            )
+                        )
+                        incorrect_result_flag = True
+                        break
+                if incorrect_result_flag:
+                    continue
+                else:
+                    for flag in flags:
+                        result[userAccountPropertyFlag] = property_flags[flag]
+                        w.writerow(result)
+            else:
+                logger.debug(
+                    "'userAccountControl' attribute can not be decoded for value: {}".format(
+                        result[userAccountControl]
+                    )
+                )
+        except:
+            logger.debug(
+                "No results for 'userAccountControl' attribute value :{}".format(
+                    result[userAccountControl]
+                )
+            )
+
+
+if __name__ == "__main__":
+    main()

deployment-apps/Splunk_TA_windows_FW/bin/win_installed_apps.bat

@@ -0,0 +1,67 @@
+@echo off
+REM --------------------------------------------------------
+REM Copyright (C) 2021 Splunk Inc. All Rights Reserved.
+REM --------------------------------------------------------
+
+setlocal EnableDelayedExpansion
+
+REM For each app key, print out the name of the app and any parameters under the entry
+for /f "tokens=*" %%G in ('reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" ^| findstr "Uninstall\\"') do (call :output_reg "%%G" 72)
+
+REM Do the same as above but with 32-bit apps, first checking if the key exists
+reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall" >nul 2>&1
+if %ERRORLEVEL% EQU 0 (
+  for /f "tokens=*" %%G in ('reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall" ^| findstr "Uninstall\\"') do (call :output_reg "%%G" 84)
+)
+
+goto :eof
+
+:output_reg
+
+
+	REM Echo an empty line to indicate that this is a new entry
+	@echo.
+
+	REM Get the current date and time into into a variable
+	for /f "usebackq tokens=1,2 delims==" %%i in (`wmic os get LocalDateTime /value 2^>nul`) do if '.%%i.'=='.LocalDateTime.' set date_time=%%j
+	set date_time=%date_time:~0,4%-%date_time:~4,2%-%date_time:~6,2% %date_time:~8,2%:%date_time:~10,2%:%date_time:~12,6%
+
+	REM Print out the date & time
+	@echo %date_time%
+
+	REM Add the enumerated key
+	@echo Installed application enumerated from %1
+
+	REM Get the name of the app from the last segment in the registry path
+	set app_name=%1
+
+	REM Strips out the first x characters (from input) of the path in order to get just the app name
+	set "app_name=!app_name:~%2%,150!"
+
+	REM Strip the last quote
+	set "app_name=!app_name:~0,-1!"
+
+	REM Store a count value so that we can avoid printing the first entry
+	set count=0
+
+	REM This variable determines if the display name was found
+	set display_name_found=0
+
+	REM Now get the sub-keys
+        for /F "tokens=1,2*" %%A in ('reg query %1') do (
+           set /a count+=1
+
+        REM Skip the entry if it just repeats the name we are querying for or if it is blank or if is "<NO" (which indicates the item has no name)
+
+        REM Note that the display name was already found
+           if %%A==DisplayName (
+              set /a display_name_found=1
+              echo %%A="%%C"
+           ) else (
+
+             REM Skip the entry if it just repeats the name we are querying for or if it is blank or if is "<NO" (which indicates the item has no name)
+             if not "%%A" == %1 if not "%%A" == "" if not "%%A" == "<NO" if not "%%C" == "" if not %%A==DisplayName echo %%A=%%C
+           )
+        )
+	REM If the display name was not found, then use the name of the registry path name instead
+	if !display_name_found!==0 echo DisplayName="%app_name%"

deployment-apps/Splunk_TA_windows_FW/bin/win_listening_ports.bat

@@ -0,0 +1,50 @@
+@echo off
+REM --------------------------------------------------------
+REM Copyright (C) 2021 Splunk Inc. All Rights Reserved.
+REM --------------------------------------------------------
+
+setlocal EnableDelayedExpansion
+
+REM Get the current date and time into a variable
+for /f "usebackq tokens=1,2 delims==" %%i in (`wmic os get LocalDateTime /value 2^>nul`) do if '.%%i.'=='.LocalDateTime.' set date_time=%%j
+set date_time=%date_time:~0,4%-%date_time:~4,2%-%date_time:~6,2% %date_time:~8,2%:%date_time:~10,2%:%date_time:~12,6%
+
+REM Get the Tasklist command output and store array with pid and processname
+for /f "tokens=1,2 delims=," %%T in ('tasklist /nh  /fo csv') do (
+     set topic[%%~U]=%%~T
+)
+
+REM Get the list of open ports by running netstat and filtering the results to those that contain actual ports (dropping the header)
+for /f "tokens=*" %%G in ('netstat -nao ^| findstr /r "LISTENING"') do (call :output_ports "%%G")
+goto :eof
+
+:output_ports
+
+	REM Parse the ports list
+	for /f "tokens=1,2,4,5 delims= " %%A in (%1) do (
+		set protocol=%%A
+		set dest=%%B
+		set status=%%C
+		set pid=%%D
+		set appname=!topic[%%D]!
+	)
+
+	REM Skip the header
+	if "!protocol!"=="Proto" goto :eof
+	if "!protocol!"=="Active" goto :eof
+
+	REM Parse the each port
+	for /f "tokens=1,2,3 delims=:" %%A in ("%dest%") do (
+		set dest_ip=%%A
+		set dest_port=%%B
+		set alt_dest_port=%%C
+
+		REM Some entries will exist in the [::]:0 format and thus throw off the parsing. Correct for this:
+		if "!dest_port!" == "]" set dest_port=!alt_dest_port!
+	)
+
+	REM Replace the dest IP with the empty IP range if necessary
+	if "!dest_ip!"=="[" set dest_ip=[::]
+
+	REM Print out the result
+	echo %date_time% transport=%protocol% dest_ip=%dest_ip% dest_port=%dest_port% pid=!pid! appname=%appname%

deployment-apps/Splunk_TA_windows_FW/bin/win_timesync_configuration.bat

@@ -0,0 +1,21 @@
+@echo off
+REM --------------------------------------------------------
+REM Copyright (C) 2021 Splunk Inc. All Rights Reserved.
+REM --------------------------------------------------------
+
+setlocal EnableDelayedExpansion
+
+REM Get the time service configuration and timezone.
+
+REM Get the date & time
+for /f "usebackq tokens=1,2 delims==" %%i in (`wmic os get LocalDateTime /value 2^>nul`) do if '.%%i.'=='.LocalDateTime.' set date_time=%%j
+set date_time=%date_time:~0,4%-%date_time:~4,2%-%date_time:~6,2% %date_time:~8,2%:%date_time:~10,2%:%date_time:~12,6%
+
+REM Print the date and time. This will be the timestamp of the event.
+echo Current time: %date_time%
+
+REM Print the Windows time service configuration
+w32tm /query /configuration /verbose
+
+REM Print the Windows time zone information
+w32tm /tz

deployment-apps/Splunk_TA_windows_FW/bin/win_timesync_status.bat

@@ -0,0 +1,28 @@
+@echo off
+REM --------------------------------------------------------
+REM Copyright (C) 2021 Splunk Inc. All Rights Reserved.
+REM --------------------------------------------------------
+
+setlocal EnableDelayedExpansion
+
+REM Get the last current time synchronization status
+REM
+REM Example:
+REM
+REM     Successful sync:
+REM         Last Successful Sync Time: 1/22/2014 12:06:43 PM
+REM     Unsuccessful sync:
+REM         Last Successful Sync Time: unspecified
+
+REM Get the date & time
+for /f "usebackq tokens=1,2 delims==" %%i in (`wmic os get LocalDateTime /value 2^>nul`) do if '.%%i.'=='.LocalDateTime.' set date_time=%%j
+set date_time=%date_time:~0,4%-%date_time:~4,2%-%date_time:~6,2% %date_time:~8,2%:%date_time:~10,2%:%date_time:~12,6%
+
+REM Print the date and time. This will be the timestamp of the event.
+echo Current time: %date_time%
+
+REM Print the Windows time service status
+w32tm /query /status /verbose
+
+REM Print the time zone
+w32tm /tz

deployment-apps/Splunk_TA_windows_FW/default/app.conf

@@ -0,0 +1,28 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+
+[install]
+is_configured = false
+state = enabled
+build = 1682073926
+
+[ui]
+is_visible = false
+label = Splunk Add-on for Microsoft Windows
+docs_section_override = AddOns:released
+
+[launcher]
+author = Splunk, Inc.
+version = 8.7.0
+description = Splunk Add-on for Microsoft Windows
+
+[package]
+id = Splunk_TA_windows
+
+[id]
+name = Splunk_TA_windows
+version = 8.7.0
+

deployment-apps/Splunk_TA_windows_FW/default/eventtypes.conf

@@ -0,0 +1,761 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+## DO NOT EDIT THIS FILE!
+## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
+## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
+## into ../local and edit there.
+##
+
+###### Global Windows Eventtype ######
+
+[windows_event_signature]
+search = sourcetype=WinEventLog OR sourcetype=XmlWinEventLog OR sourcetype=WMI:WinEventLog:System OR sourcetype=WMI:WinEventLog:Security OR sourcetype=WMI:WinEventLog:Application OR sourcetype=wineventlog OR sourcetype=xmlwineventlog
+#tags = track_event_signatures
+
+[wineventlog_windows]
+search = eventtype=wineventlog_application OR eventtype=wineventlog_system OR eventtype=wineventlog_security OR eventtype=wineventlog-ds OR eventtype=wineventlog-dfs OR eventtype=wineventlog-keymanagement OR eventtype=wineventlog-filereplication OR eventtype=wineventlog-dns
+#tags = os windows
+
+[wineventlog_application]
+search = source=WinEventLog:Application OR source=WMI:WinEventLog:Application OR source=XmlWinEventLog:Application
+#tags = os windows
+
+[wineventlog_system]
+search = source=WinEventLog:System OR source=WMI:WinEventLog:System OR source=XmlWinEventLog:System
+#tags = os windows
+
+[wineventlog_security]
+search = source=WinEventLog:Security OR source=WMI:WinEventLog:Security OR source=XmlWinEventLog:Security
+#tags = os windows
+
+[perfmon_windows]
+search = sourcetype=Perfmon:* OR sourcetype=PerfmonMk:* OR sourcetype=WMI:Perfmon*
+#tags = os windows
+
+[hostmon_windows]
+search = sourcetype=WinHostMon
+#tags = os windows
+
+[hostmon_os]
+search = sourcetype=WinHostMon Type=OperatingSystem
+#tags = os windows memory performance
+
+[hostmon_inventory]
+search = sourcetype=WinHostMon (Type=OperatingSystem OR Type=Processor)
+#tags = os inventory cpu memory
+
+[hostmon_disk]
+search = sourcetype=WinHostMon (Type=Disk)
+#tags = inventory performance storage
+
+[netmon_windows]
+search = sourcetype=WinNetMon
+#tags = os windows
+
+[printmon_windows]
+search = sourcetype=WinPrintMon
+#tags = os windows
+
+[script_windows]
+search = sourcetype=Script:* source=*.bat
+#tags = os windows
+
+[wmi_windows]
+search = sourcetype=WMI:*
+#tags = os windows
+
+[windowsupdatelog_windows]
+search = sourcetype=WindowsUpdateLog
+#tags = os windows
+
+[winregistry_windows]
+search = sourcetype=WinRegistry
+#tags = os windows endpoint change registry
+
+[winapp]
+search = eventtype=wineventlog_application
+
+[winsec]
+search = eventtype=wineventlog_security
+#tags = security
+
+[winsystem]
+search = eventtype=wineventlog_system
+
+
+###### DHCP ######
+[msdhcp]
+search = sourcetype=msdhcp
+#tags = dhcp network session windows
+
+[msdhcp_start]
+search = sourcetype=msdhcp (msdhcp_id=10 OR msdhcp_id=11 OR msdhcp_id=13)
+#tags = start
+
+[msdhcp_end]
+search = sourcetype=msdhcp (msdhcp_id=12 OR msdhcp_id=16 OR msdhcp_id=17)
+#tags = end
+
+[DhcpSrvLog]
+search = sourcetype=DhcpSrvLog
+#tags = windows
+
+[DhcpSrvLog_dhcp]
+search = sourcetype=DhcpSrvLog (msdhcp_id=13 OR msdhcp_id=14 OR msdhcp_id=15)
+#tags = dhcp network session
+
+[DhcpSrvLog_start]
+search = sourcetype=DhcpSrvLog (msdhcp_id=10 OR msdhcp_id=11)
+#tags = dhcp network session start
+
+[DhcpSrvLog_end]
+search = sourcetype=DhcpSrvLog (msdhcp_id=12 OR msdhcp_id=16 OR msdhcp_id=17 OR msdhcp_id=18)
+#tags = dhcp network session end
+
+
+###### Security: Account Logon ######
+
+## Authentication Ticket Granted/Failed
+## EventCodes 4768, 4772, 672, 676
+[windows_auth_ticket_granted]
+search = eventtype=wineventlog_security (EventCode=4768 OR EventCode=672 OR EventCode=676)
+#tags = authentication
+
+## Service Ticket Granted/Failed
+## EventCodes 4769, 4773, 673, 677
+[windows_service_ticket_granted]
+search = eventtype=wineventlog_security (EventCode=4769 OR EventCode=4773 OR EventCode=673 OR EventCode=677)
+#tags = authentication
+
+## Ticket Granted Renewed
+## EventCodes 4770, 674
+[windows_ticket_renewed]
+search = eventtype=wineventlog_security (EventCode=4770 OR EventCode=674)
+## tags intentionally left blank
+#tags =
+
+## Pre-authentication failed
+## EventCodes 4771, 675
+[windows_pre_auth_failed]
+search = eventtype=wineventlog_security (EventCode=4771 OR EventCode=675)
+#tags = authentication
+
+## Account Mapped for Logon by
+## EventCodes 4774, 678
+[windows_account_mapped]
+search = eventtype=wineventlog_security (EventCode=4774 OR EventCode=678)
+## tags intentionally left blank
+#tags = authentication
+
+## The name: %2 could not be mapped for logon by: %1
+## EventCodes 4775, 679
+[windows_account_notmapped]
+search = eventtype=wineventlog_security (EventCode=4775 OR EventCode=679)
+#tags = authentication
+
+## Account Used for Logon by
+## The domain controller attempted/failed to validate the credentials for an account
+## The logon to account: %2 by: %1 from workstation: %3 failed.
+## EventCodes 4776, 4777, 680, 681
+[windows_account_used4logon]
+search = eventtype=wineventlog_security (EventCode=4776 OR EventCode=4777 OR EventCode=680 OR EventCode=681)
+#tags = authentication
+
+## Session reconnected to winstation
+## EventCodes 4778, 682
+[windows_session_reconnected]
+search = eventtype=wineventlog_security (EventCode=4778 OR EventCode=682)
+## tags intentionally left blank
+#tags =
+
+## Session disconnected from winstation
+## EventCodes 4779, 683
+[windows_session_disconnected]
+search = eventtype=wineventlog_security (EventCode=4779 OR EventCode=683)
+#tags = access stop logoff
+
+
+###### Security: Account Management ######
+[windows_account_management]
+search = eventtype=wineventlog_security (ta_windows_security_CategoryString="Account Management" OR TaskCategory="User Account Management")
+#tags = account change management
+
+## User/Computer Account Created
+## EventCodes 4720, 4741, 624, 645
+[windows_account_created]
+search = eventtype=wineventlog_security (EventCode=4720 OR EventCode=4741 OR EventCode=624 OR EventCode=645)
+#tags = add account change
+
+
+## User Account Enabled
+## EventCodes 4722, 626
+[windows_account_enabled]
+search = eventtype=wineventlog_security (EventCode=4722 OR EventCode=626)
+#tags = enable account change
+
+## Change Password Attempt
+## EventCodes 4723, 627
+[windows_account_password_change]
+search = eventtype=wineventlog_security (EventCode=4723 OR EventCode=627)
+#tags = password modify account change
+
+## User Account password set
+## EventCodes 4724, 628
+[windows_account_password_set]
+search = eventtype=wineventlog_security (EventCode=4724 OR EventCode=628)
+#tags = password modify account change
+
+## User Account Disabled
+## EventCodes 4725, 629
+[windows_account_disabled]
+search = eventtype=wineventlog_security (EventCode=4725 OR EventCode=629)
+#tags = disable account change
+
+## User/Computer Account Deleted
+## EventCodes 4726, 4743, 630, 647
+[windows_account_deleted]
+search = eventtype=wineventlog_security (EventCode=4726 OR EventCode=4743 OR EventCode=630 OR EventCode=647)
+#tags = delete account change
+
+## User/Computer Account Changed
+## EventCodes 4738, 4742, 642, 646, 625
+[windows_account_modified]
+search = eventtype=wineventlog_security (EventCode=4738 OR EventCode=4742 OR EventCode=642 OR EventCode=646 OR EventCode=625)
+#tags = modify account change
+
+## User Account Locked Out
+## EventCodes 4740, 644
+[windows_account_lockout]
+search = eventtype=wineventlog_security (EventCode=4740 OR EventCode=644)
+#tags = lock lockout account change
+
+## User Account Unlocked
+## EventCodes 4767, 671
+[windows_account_unlocked]
+search = eventtype=wineventlog_security (EventCode=4767 OR EventCode=671)
+#tags = modify account change
+
+
+###### Security: Audit (Event Log) ######
+
+## The event logging service has shut down
+## EventCode 1100
+[windows_audit_log_stopped]
+search = eventtype=wineventlog_security EventCode=1100
+#tags = stop stopped watchlist
+
+## Audit events have been dropped by the transport.
+## The security Log is now full
+## The event logging service encountered an error
+## EventCodes 1101, 1104, 1108
+[windows_audit_errors]
+search = eventtype=wineventlog_security (EventCode=1101 OR EventCode=1104 OR EventCode=1108)
+#tags = audit error
+
+## The audit log was cleared
+## EventCodes 1102, 517
+[windows_audit_log_cleared]
+search = eventtype=wineventlog_security (EventCode=1102 OR EventCode=517)
+#tags = audit change delete cleared watchlist
+
+## Event log automatic backup
+## EventCode 1105
+[windows_audit_backup]
+search = eventtype=wineventlog_security EventCode=1105
+#tags = audit backup change
+
+## Logon/Logoff audit logs
+## EventCode 4625
+[windows_audit_log_logon]
+search = eventtype=wineventlog_security EventCode=4625 (ta_windows_status=0xC0000064 OR ta_windows_status=0xC000006A OR ta_windows_status=0xC000006F OR ta_windows_status=0xC0000070 OR ta_windows_status=0xC0000071 OR ta_windows_status=0xC0000072 OR ta_windows_status=0XC000018C OR ta_windows_status=0XC0000192 OR ta_windows_status=0xC0000193 OR ta_windows_status=0xC0000234 OR ta_windows_status=0XC00002EE OR ta_windows_status=0XC0000413)
+#tags = audit change
+
+
+###### Security: Logon/Logoff ######
+
+## User Logoff/User initiated logoff
+## EventCodes 4634, 4647, 538, 551
+[windows_logoff]
+search = eventtype=wineventlog_security (EventCode=4634 OR EventCode=4647 OR EventCode=538 OR EventCode=551)
+#tags = access stop logoff
+
+## A logon was attempted using explicit credentials
+## EventCodes 4648, 552
+[windows_logon_explicit]
+search = eventtype=wineventlog_security (EventCode=4648 OR EventCode=552)
+#tags = authentication privileged
+
+## An account failed to log on
+## EventCodes 4625, 529, 530, 531, 532, 533, 534, 535, 536, 537, 539
+[windows_logon_failure]
+search = eventtype=wineventlog_security ((EventCode=4625 AND ta_windows_action!=error) OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539)
+#tags = authentication
+
+## An account was successfully logged on
+## EventCodes 4624, 528, 540
+[windows_logon_success]
+search = eventtype=wineventlog_security (EventCode=4624 OR EventCode=528 OR EventCode=540)
+#tags = authentication
+
+
+###### Security: Object Access ######
+
+## Object Open
+## EventCodes 4656, 560
+[windows_object_open]
+search = eventtype=wineventlog_security (EventCode=4656 OR EventCode=560)
+#tags = resource file access start
+
+## Handle Closed
+## EventCodes 4658, 562
+[windows_handle_closed]
+search = eventtype=wineventlog_security (EventCode=4658 OR EventCode=562)
+#tags = resource file access stop
+
+
+###### Security: Policy Change ######
+
+## Audit Policy Change/The audit policy (SACL) on an object was changed
+## EventCodes 4715, 4719, 612
+[windows_audit_policy_change]
+search = eventtype=wineventlog_security (EventCode=4715 OR EventCode=4719 OR EventCode=612)
+#tags = policy configuration modify audit change
+
+## System security access was granted to an account
+## EventCodes 4717, 621
+[windows_security_access_granted]
+search = eventtype=wineventlog_security (EventCode=4717 OR EventCode=621)
+#tags = access authorization add change account
+
+## System security access was removed from an account
+## EventCodes 4718, 622
+[windows_security_access_removed]
+search = eventtype=wineventlog_security (EventCode=4718 OR EventCode=622)
+#tags = access authorization delete change account
+
+## Per User Audit Policy was changed
+## EventCodes 4912, 807
+[windows_audit_policy_changed]
+search = eventtype=wineventlog_security (EventCode=4912 OR EventCode=807)
+#tags = policy configuration modify audit change
+
+## The following policy was active when the Windows Firewall started
+## EventCodes 848, 849, 850
+[windows_firewall_policy_active]
+search = eventtype=wineventlog_security (EventCode=848 OR EventCode=849 OR EventCode=850)
+#tags = application firewall configuration report
+
+## A change has been made to Windows Firewall
+## EventCodes 4946, 4947, 4948, 851, 852
+[windows_firewall_policy_change]
+search = eventtype=wineventlog_security (EventCode=4946 OR EventCode=4947 OR EventCode=4948 OR EventCode=851 OR EventCode=852)
+#tags = application firewall configuration modify
+
+## The Windows Firewall has detected an application listening for incoming traffic
+## EventCodes 4957, 861
+[windows_firewall_port_listening]
+search = eventtype=wineventlog_security (EventCode=4957 OR EventCode=861)
+#tags = application firewall port listening report
+
+
+###### Security: Privilege Use ######
+
+## Special privileges assigned to new logon
+## EventCodes 4672, 576
+[windows_special_privileges]
+search = eventtype=wineventlog_security (EventCode=4672 OR EventCode=576)
+#tags = authentication privileged
+
+## Privileged Service Called
+## EventCodes 4673, 577
+[windows_privileged_service_call]
+search = eventtype=wineventlog_security (EventCode=4673 OR EventCode=577)
+#tags = process execute start privileged
+
+## Privileged object operation
+## EventCodes 4674, 578
+[windows_privileged_object_operation]
+search = eventtype=wineventlog_security (EventCode=4674 OR EventCode=578)
+#tags = resource execute start privileged
+
+
+###### Security: Process Tracking ######
+
+## A new process has been created
+## EventCodes 4688, 592
+[windows_process_new]
+search = eventtype=wineventlog_security (EventCode=4688 OR EventCode=592)
+#tags = process execute start
+
+## A process has exited
+## EventCodes 4689, 593
+[windows_process_exit]
+search = eventtype=wineventlog_security (EventCode=4689 OR EventCode=593)
+#tags = process execute stop
+
+## A process was assigned a primary token
+## EventCodes 4696, 600
+[windows_process_token]
+search = eventtype=wineventlog_security (EventCode=4696 OR EventCode=600)
+#tags = process execute start privileged
+
+
+###### Security: System ######
+
+## An authentication package has been loaded by the Local Security Authority
+## EventCodes 4610, 514
+[windows_auth_package]
+search = eventtype=wineventlog_security (EventCode=4610 OR EventCode=514)
+#tags = process execute start
+
+## A trusted logon process has registered with the Local Security Authority
+## EventCodes 4611, 515
+[windows_logon_process]
+search = eventtype=wineventlog_security (EventCode=4611 OR EventCode=515)
+#tags = process authorization add
+
+## A notification package has been loaded by the Security Account Manager
+## EventCodes 4614, 518
+[windows_notification_package]
+search = eventtype=wineventlog_security (EventCode=4614 OR EventCode=518)
+#tags = process execute start
+
+
+###### Security:  Vulnerability ######
+## System security domain policy was changed
+## EventCode 4739
+[windows_security_misconfiguration_password_minimum_length]
+search = eventtype=wineventlog_security EventCode="4739" (Min__Password_Length<7 OR Mixed_Domain_Mode<7)
+#tags = misconfiguration password policy vulnerability report audit change
+
+
+###### System: Time ######
+
+## EventCode 35, 37
+[windows_time_sync]
+search = (eventtype=wineventlog_system (SourceName=W32Time OR SourceName=Microsoft-Windows-Time-Service) (EventCode=35 OR EventCode=37)) OR (sourcetype=Script:TimesyncStatus windows_action=success)
+#tags = report time synchronize success performance
+
+## EventCodes 17, 29, 36, 38
+[windows_time_failure]
+search = (eventtype=wineventlog_system (SourceName=W32Time OR Microsoft-Windows-Time-Service) (EventCode=17 OR EventCode=29 OR EventCode=36 OR EventCode=38)) OR (sourcetype=Script:TimesyncStatus windows_action=failure)
+#tags = report time synchronize failure performance
+
+
+###### System: Update ######
+[windows_system_update]
+search = eventtype=wineventlog_system "Windows Update Agent"
+#tags = system update
+
+## EventCodes 17, 18, 19
+[windows_system_update_status]
+search = eventtype=wineventlog_system "Windows Update Agent" (EventCode=17 OR EventCode=18 OR EventCode=19)
+#tags = status
+
+[windows_updatelog]
+search = sourcetype=WindowsUpdateLog
+#tags = system update
+
+[windows_updatelog_status]
+search = sourcetype=WindowsUpdateLog "Content Install" NOT "Download Succeeded" NOT "Reboot Completed" NOT "Hide Update"
+#tags = status
+
+## WMI:Update
+[wmi_installed_packages]
+search = sourcetype=WMI:InstalledUpdates
+#tags = system update status
+
+
+###### Splunk WMI ######
+
+## ComputerSystem
+[wmi_computersystem]
+search = sourcetype=WMI:ComputerSystem
+#tags = performance memory
+
+## CPUTime
+[perfmon_cputime]
+search = (sourcetype=Perfmon:CPU OR sourcetype=PerfmonMk:CPU OR sourcetype=Perfmon:CPUTime)
+#tags = performance cpu report
+
+[perfmon_cputime_anomalous]
+search = (sourcetype=Perfmon:CPU OR sourcetype=PerfmonMk:CPU OR sourcetype=Perfmon:CPUTime) windows_cpu_load_percent>90
+#tags = anomalous
+
+[wmi_cputime]
+search = sourcetype=WMI:CPUTime
+#tags = performance cpu report
+
+[wmi_cputime_anomalous]
+search = sourcetype=WMI:CPUTime windows_percent_processor_time>90
+#tags = anomalous
+
+## System
+[perfmon_system]
+search = sourcetype=Perfmon:System OR sourcetype=PerfmonMk:System
+#tags = performance cpu report
+
+## Disk
+[perfmon_freediskspace]
+search = sourcetype=Perfmon:FreeDiskSpace
+#tags = performance storage disk report
+
+[perfmon_freediskspace_anomalous]
+search = sourcetype=Perfmon:FreeDiskSpace windows_storage_free_percent<10
+#tags = anomalous
+
+[perfmon_logicaldisk]
+search = sourcetype=Perfmon:LogicalDisk OR sourcetype=PerfmonMk:LogicalDisk
+#tags = performance storage disk
+
+##ProcessorInformation
+[perfmon_processorinformation]
+search = (sourcetype=Perfmon:ProcessorInformation OR sourcetype=PerfmonMk:ProcessorInformation)
+#tags = performance cpu report process
+
+[wmi_freediskspace]
+search = sourcetype=WMI:FreeDiskSpace
+#tags = performance storage disk report
+
+[wmi_freediskspace_anomalous]
+search = sourcetype=WMI:FreeDiskSpace windows_storage_free_percent<10
+#tags = anomalous
+
+[wmi_logicaldisk]
+search = sourcetype=WMI:LogicalDisk
+#tags = performance storage disk
+
+## Listening Ports
+[script_listeningports]
+search = sourcetype=Script:ListeningPorts
+#tags = port listening report
+
+## Local Processes
+[wmi_localprocesses]
+search = sourcetype=WMI:LocalProcesses
+#tags = process report
+
+[wmi_localprocesses_anomalous]
+search = sourcetype=WMI:LocalProcesses (windows_cpu_load_percent>50) NOT windows_app=*Total
+#tags = anomalous
+
+## Memory
+[perfmon_memory]
+search = sourcetype=Perfmon:Memory OR sourcetype=PerfmonMk:Memory
+#tags = performance memory report
+
+[perfmon_memory_anomalous]
+search = (sourcetype=Perfmon:Memory OR sourcetype=PerfmonMk:Memory) windows_mem_free<104857600
+#tags = anomalous
+
+[wmi_memory]
+search = sourcetype=WMI:Memory
+#tags = performance memory report
+
+[wmi_memory_anomalous]
+search = sourcetype=WMI:Memory windows_mem_free<104857600
+#tags = anomalous
+
+## Service
+[wmi_service]
+search = sourcetype=WMI:Service
+#tags = service report
+
+[wmi_service_status_anomalous]
+search = sourcetype=WMI:Service Status=* NOT Status=OK
+#tags = anomalous
+
+[wmi_service_state_anomalous]
+search = sourcetype=WMI:Service windows_start_mode=Auto windows_state=* NOT windows_state=Running
+#tags = anomalous
+
+## Network
+[perfmon_network]
+search = sourcetype=Perfmon:Network OR sourcetype=PerfmonMk:Network
+#tags = performance network
+
+[perfmon_network_throughput]
+search = (sourcetype=Perfmon:LocalNetwork OR sourcetype=PerfmonMk:Network OR sourcetype=Perfmon:Network) (counter="Bytes Total/sec" OR Bytes_Total/sec = *)
+#tags = performance network
+
+[perfmon_network_bandwidth]
+search = (sourcetype=Perfmon:LocalNetwork OR sourcetype=PerfmonMk:Network OR sourcetype=Perfmon:Network) (counter="Current Bandwidth" OR Current_Bandwidth=*)
+#tags = performance network
+
+[wmi_network_throughput]
+search = sourcetype=WMI:LocalNetwork BytesTotalPersec=*
+#tags = performance network
+
+[wmi_network_bandwidth]
+search = sourcetype=WMI:LocalNetwork CurrentBandwidth=*
+#tags = performance network
+
+## Process
+[perfmon_process]
+search = sourcetype=Perfmon:Process OR sourcetype=PerfmonMk:Process
+#tags = performance process report
+
+## Uptime
+[wmi_uptime]
+search = sourcetype=WMI:Uptime
+#tags = performance uptime report
+
+[wmi_uptime_anomalous]
+search = sourcetype=WMI:Uptime windows_uptime>2592000
+#tags = anomalous
+
+## User Accounts
+[wmi_useraccounts]
+search = sourcetype=WMI:UserAccounts
+#tags = account report inventory user
+
+## Version
+[wmi_version]
+search = sourcetype=WMI:Version
+#tags = system version report inventory
+
+[microsoft_windows_hostmon_process]
+search = sourcetype=WinHostMon source=process
+#tags = process report
+
+[microsoft_windows_hostmon_service]
+search = sourcetype=WinHostMon source=service
+#tags = service report
+
+[microsoft_windows_hostmon_service_time]
+search = sourcetype=WinHostMon source=service Name=W32Time
+#tags = time synchronize os performance
+
+
+### AD/DNS eventtypes###
+
+[wineventlog-ds]
+search = source="WinEventLog:Directory Service" OR source="XmlWinEventLog:Directory Service"
+
+[powershell]
+search = source=Powershell
+
+[msad-dc-health]
+search = eventtype=powershell sourcetype="MSAD:*:Health"
+
+[msad-rep-health]
+search = eventtype=powershell sourcetype="MSAD:*:Replication"
+
+[msad-site]
+search = eventtype=powershell sourcetype="MSAD:*:SiteInfo"
+
+[msad-subnetinfo]
+search = eventtype=powershell sourcetype="MSAD:*:SiteInfo" Type="Subnet"
+
+[msad-sitelinkinfo]
+search = eventtype=powershell sourcetype="MSAD:*:SiteInfo" Type="SiteLink"
+
+[msad-siteinfo]
+search = eventtype=powershell sourcetype="MSAD:*:SiteInfo" Type="Site"
+
+[msad-subnet-affinity]
+search = sourcetype="MSAD:*:Netlogon" msad_affinity=NO_CLIENT_SITE
+
+[admon-gpo]
+search = eventtype=admon objectCategory="*CN=Group-Policy-Container*"
+
+[admon-group]
+search = eventtype=admon objectCategory="*CN=Group*"
+
+[admon-computer]
+search = eventtype=admon objectCategory="*CN=Computer*"
+
+[admon-user]
+search = eventtype=admon objectCategory="*CN=Person*"
+
+[admon]
+search = sourcetype=ActiveDirectory
+
+[perfmon]
+search = sourcetype="Perfmon:*" OR sourcetype="PerfmonMk:*"
+
+[ad-files]
+search = sourcetype=MSAD:NT6:Replication OR sourcetype=MSAD:NT6:Health OR sourcetype=MSAD:NT6:SiteInfo OR sourcetype=MSAD:NT6:Netlogon OR sourcetype=ActiveDirectory OR sourcetype=MSAD:NT6:DNS-Health OR sourcetype=MSAD:NT6:DNS-Zone-Information OR sourcetype=MSAD:NT6:DNS
+
+[perfmon-ntds]
+search = eventtype=perfmon (sourcetype="Perfmon:NTDS" OR sourcetype="PerfmonMk:NTDS")
+
+[nt6-dns-events]
+search = sourcetype=MSAD:NT6:DNS
+
+[wineventlog-dns]
+search = source="WinEventLog:DNS Server" OR source="XmlWinEventLog:DNS Server"
+
+[msad-dns-zoneinfo]
+search = eventtype=powershell sourcetype="MSAD:*:DNS-Zone-Information"
+
+[msad-dns-health]
+search = eventtype=powershell sourcetype="MSAD:*:DNS-Health"
+
+[msad-dns-debuglog]
+search = eventtype=ad-files sourcetype="MSAD:*:DNS"
+
+[perfmon-dns]
+search = eventtype=perfmon (sourcetype="Perfmon:DNS" OR sourcetype="PerfmonMk:DNS")
+
+[wineventlog-dfs]
+search = source="WinEventLog:DFS Replication" OR source="XmlWinEventLog:DFS Replication"
+
+[wineventlog-filereplication]
+search = source="WinEventLog:File Replication Service" OR source="XmlWinEventLog:File Replication Service"
+
+[wineventlog-keymanagement]
+search = source="WinEventLog:Key Management Service" OR source="XmlWinEventLog:Key Management Service"
+
+[endpoint_services_processes]
+search = source="WMI:WinEventLog:Security" OR sourcetype="WinEventLog" OR sourcetype="XmlWinEventLog"
+
+## Endpoint Processes
+[windows_endpoint_processes]
+search = (source="WinEventLog:Security" OR source="XmlWinEventLog:Security") (EventCode=4688 OR EventCode=4689 OR EventCode=4696 OR EventCode=4673 OR EventCode=4674)
+#tags = process report
+
+## Endpoint Services
+[windows_endpoint_services]
+search = (source="WinEventLog:Security" OR source="XmlWinEventLog:Security" OR source="WinEventLog:System" OR source="XmlWinEventLog:System") (EventCode=1100 OR EventCode=4697 OR EventCode=5024 OR EventCode=5025 OR EventCode=5030 OR EventCode=5033 OR EventCode=5034 OR EventCode=5035 OR EventCode=5478 OR EventCode=7036 OR EventCode=7040 OR EventCode=7045)
+#tags = service report
+
+## Security-CIM Mappings
+
+## Endpoint Registry
+[windows_security_endpoint_registry]
+search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=4657 OR (EventCode=4670 AND (Object_Type="Registry" OR ObjectType="Registry")))
+#tags = endpoint registry
+
+## Endpoint Port
+[windows_security_endpoint_port]
+search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=5158)
+#tags = listening port
+
+## Change Audit
+[windows_security_change_audit]
+search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=1101 OR EventCode=1108 OR EventCode=4719 OR EventCode=1102)
+#tags = change audit
+
+## Change
+[windows_security_change]
+search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=5461 OR EventCode=4698 OR EventCode=4700 OR EventCode=4701 OR EventCode=4702 OR EventCode=4799)
+#tags = change
+
+## Authentication
+[windows_security_authentication]
+search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=4624 OR EventCode=4625)
+#tags = authentication
+
+## Change Account - ADDON-42191
+[windows_security_change_account]
+search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) AND EventCode IN (4634,4703,4704,4705,4720,4722,4723,4724,4725,4726,4732,4738,4740,4767,4781,4800,4801)
+#tags = change account
+
+## System-CIM Mapping
+
+# Change Audit - ADDON-48489
+[windows_system_change_audit]
+search = (source=WinEventLog:System OR source=XmlWinEventLog:System) (EventCode=104)
+#tags = change audit

deployment-apps/Splunk_TA_windows_FW/default/inputs.conf

@@ -0,0 +1,435 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+## DO NOT EDIT THIS FILE!
+## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
+## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
+## into ../local and edit there.
+##
+
+
+
+###### OS Logs ######
+[WinEventLog://Application]
+disabled = 1
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+renderXml=true
+
+[WinEventLog://Security]
+disabled = 1
+start_from = oldest
+current_only = 0
+evt_resolve_ad_obj = 1
+checkpointInterval = 5
+blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
+blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
+renderXml=true
+
+[WinEventLog://System]
+disabled = 1
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+renderXml=true
+
+
+###### Forwarded WinEventLogs (WEF) ######
+[WinEventLog://ForwardedEvents]
+disabled = 1
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+## The addon supports only XML format for the collection of WinEventLogs using WEF, hence do not change the below renderXml parameter to false.
+renderXml=true
+host=WinEventLogForwardHost
+
+
+###### WinEventLog Inputs for Active Directory ######
+
+## Application and Services Logs - DFS Replication
+[WinEventLog://DFS Replication]
+disabled = 1
+renderXml=true
+
+## Application and Services Logs - Directory Service
+[WinEventLog://Directory Service]
+disabled = 1
+renderXml=true
+
+## Application and Services Logs - File Replication Service
+[WinEventLog://File Replication Service]
+disabled = 1
+renderXml=true
+
+## Application and Services Logs - Key Management Service
+[WinEventLog://Key Management Service]
+disabled = 1
+renderXml=true
+
+
+###### WinEventLog Inputs for DNS ######
+[WinEventLog://DNS Server]
+disabled=1
+renderXml=true
+
+
+###### DHCP ######
+[monitor://$WINDIR\System32\DHCP]
+disabled = 1
+whitelist = DhcpSrvLog*
+crcSalt = <SOURCE>
+sourcetype = DhcpSrvLog
+
+
+###### Windows Update Log ######
+## Enable below stanza to get WindowsUpdate.log for Windows 8, Windows 8.1, Server 2008R2, Server 2012 and Server 2012R2
+[monitor://$WINDIR\WindowsUpdate.log]
+disabled = 1
+sourcetype = WindowsUpdateLog
+
+## Enable below powershell and monitor stanzas to get WindowsUpdate.log for Windows 10 and Server 2016
+## Below stanza will automatically generate WindowsUpdate.log daily
+[powershell://generate_windows_update_logs]
+script = ."$SplunkHome\etc\apps\Splunk_TA_windows\bin\powershell\generate_windows_update_logs.ps1"
+schedule = 0 */24 * * *
+disabled = 1
+
+## Below stanza will monitor the generated WindowsUpdate.log in Windows 10 and Server 2016
+[monitor://$SPLUNK_HOME\var\log\Splunk_TA_windows\WindowsUpdate.log]
+disabled = 1
+sourcetype = WindowsUpdateLog
+
+
+###### Monitor Inputs for Active Directory ######
+[monitor://$WINDIR\debug\netlogon.log]
+sourcetype=MSAD:NT6:Netlogon
+disabled=1
+
+
+###### Monitor Inputs for DNS ######
+[MonitorNoHandle://$WINDIR\System32\Dns\dns.log]
+sourcetype=MSAD:NT6:DNS
+disabled=1
+
+
+###### Scripted Input (See also wmi.conf)
+[script://.\bin\win_listening_ports.bat]
+disabled = 1
+## Run once per hour
+interval = 3600
+sourcetype = Script:ListeningPorts
+
+[script://.\bin\win_installed_apps.bat]
+disabled = 1
+## Run once per day
+interval = 86400
+sourcetype = Script:InstalledApps
+
+[script://.\bin\win_timesync_status.bat]
+disabled = 1
+## Run once per hour
+interval = 3600
+sourcetype = Script:TimesyncStatus
+
+[script://.\bin\win_timesync_configuration.bat]
+disabled = 1
+## Run once per hour
+interval = 3600
+sourcetype = Script:TimesyncConfiguration
+
+[script://.\bin\netsh_address.bat]
+disabled = 1
+## Run once per day
+interval = 86400
+sourcetype = Script:NetworkConfiguration
+
+###### Scripted/Powershell Mod inputs Active Directory ######
+
+## Replication Information NT6
+[script://.\bin\runpowershell.cmd nt6-repl-stat.ps1]
+source=Powershell
+sourcetype=MSAD:NT6:Replication
+interval=300
+disabled=1
+
+## Replication Information 2012r2 and 2016
+[powershell://Replication-Stats]
+script = & "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-repl-stats.ps1"
+schedule = 0 */5 * ? * *
+source = Powershell
+sourcetype=MSAD:NT6:Replication
+disabled=1
+
+## Health and Topology Information NT6
+[script://.\bin\runpowershell.cmd nt6-health.ps1]
+source=Powershell
+sourcetype=MSAD:NT6:Health
+interval=300
+disabled=1
+
+## Health and Topology Information 2012r2 and 2016
+[powershell://AD-Health]
+script = & "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-health.ps1"
+schedule = 0 */5 * ? * *
+source=Powershell
+sourcetype=MSAD:NT6:Health
+disabled=1
+
+
+## Site, Site Link and Subnet Information NT6
+[script://.\bin\runpowershell.cmd nt6-siteinfo.ps1]
+source=Powershell
+sourcetype=MSAD:NT6:SiteInfo
+interval=3600
+disabled=1
+
+## Site, Site Link and Subnet Information 2012r2 and 2016
+[powershell://Siteinfo]
+script = & "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-siteinfo.ps1"
+schedule = 0 15 * ? * *
+source = Powershell
+sourcetype=MSAD:NT6:SiteInfo
+disabled=1
+
+
+##### Scripted Inputs for DNS #####
+
+## DNS Zone Information Collection
+[script://.\bin\runpowershell.cmd dns-zoneinfo.ps1]
+source=Powershell
+sourcetype=MSAD:NT6:DNS-Zone-Information
+interval=3600
+disabled=1
+
+## DNS Health Information Collection
+[script://.\bin\runpowershell.cmd dns-health.ps1]
+source=Powershell
+sourcetype=MSAD:NT6:DNS-Health
+interval=3600
+disabled=1
+
+
+###### Host monitoring ######
+[WinHostMon://Computer]
+interval = 600
+disabled = 1
+type = Computer
+
+[WinHostMon://Process]
+interval = 600
+disabled = 1
+type = Process
+
+[WinHostMon://Processor]
+interval = 600
+disabled = 1
+type = Processor
+
+[WinHostMon://NetworkAdapter]
+interval = 600
+disabled = 1
+type = NetworkAdapter
+
+[WinHostMon://Service]
+interval = 600
+disabled = 1
+type = Service
+
+[WinHostMon://OperatingSystem]
+interval = 600
+disabled = 1
+type = OperatingSystem
+
+[WinHostMon://Disk]
+interval = 600
+disabled = 1
+type = Disk
+
+[WinHostMon://Driver]
+interval = 600
+disabled = 1
+type = Driver
+
+[WinHostMon://Roles]
+interval = 600
+disabled = 1
+type = Roles
+
+###### Print monitoring ######
+[WinPrintMon://printer]
+type = printer
+interval = 600
+baseline = 1
+disabled = 1
+
+[WinPrintMon://driver]
+type = driver
+interval = 600
+baseline = 1
+disabled = 1
+
+[WinPrintMon://port]
+type = port
+interval = 600
+baseline = 1
+disabled = 1
+
+###### Network monitoring ######
+[WinNetMon://inbound]
+direction = inbound
+disabled = 1
+
+[WinNetMon://outbound]
+direction = outbound
+disabled = 1
+
+###### Splunk 5.0+ Performance Counters ######
+## CPU
+[perfmon://CPU]
+counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
+disabled = 1
+instances = *
+interval = 10
+mode = multikv
+object = Processor
+useEnglishOnly=true
+
+## Logical Disk
+[perfmon://LogicalDisk]
+counters = % Free Space; Free Megabytes; Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
+disabled = 1
+instances = *
+interval = 10
+mode = multikv
+object = LogicalDisk
+useEnglishOnly=true
+
+## Physical Disk
+[perfmon://PhysicalDisk]
+counters = Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
+disabled = 1
+instances = *
+interval = 10
+mode = multikv
+object = PhysicalDisk
+useEnglishOnly=true
+
+## Memory
+[perfmon://Memory]
+counters = Page Faults/sec; Available Bytes; Committed Bytes; Commit Limit; Write Copies/sec; Transition Faults/sec; Cache Faults/sec; Demand Zero Faults/sec; Pages/sec; Pages Input/sec; Page Reads/sec; Pages Output/sec; Pool Paged Bytes; Pool Nonpaged Bytes; Page Writes/sec; Pool Paged Allocs; Pool Nonpaged Allocs; Free System Page Table Entries; Cache Bytes; Cache Bytes Peak; Pool Paged Resident Bytes; System Code Total Bytes; System Code Resident Bytes; System Driver Total Bytes; System Driver Resident Bytes; System Cache Resident Bytes; % Committed Bytes In Use; Available KBytes; Available MBytes; Transition Pages RePurposed/sec; Free & Zero Page List Bytes; Modified Page List Bytes; Standby Cache Reserve Bytes; Standby Cache Normal Priority Bytes; Standby Cache Core Bytes; Long-Term Average Standby Cache Lifetime (s)
+disabled = 1
+interval = 10
+mode = multikv
+object = Memory
+useEnglishOnly=true
+
+## Network
+[perfmon://Network]
+counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size
+disabled = 1
+instances = *
+interval = 10
+mode = multikv
+object = Network Interface
+useEnglishOnly=true
+
+## Process
+[perfmon://Process]
+counters = % Processor Time; % User Time; % Privileged Time; Virtual Bytes Peak; Virtual Bytes; Page Faults/sec; Working Set Peak; Working Set; Page File Bytes Peak; Page File Bytes; Private Bytes; Thread Count; Priority Base; Elapsed Time; ID Process; Creating Process ID; Pool Paged Bytes; Pool Nonpaged Bytes; Handle Count; IO Read Operations/sec; IO Write Operations/sec; IO Data Operations/sec; IO Other Operations/sec; IO Read Bytes/sec; IO Write Bytes/sec; IO Data Bytes/sec; IO Other Bytes/sec; Working Set - Private
+disabled = 1
+instances = *
+interval = 10
+mode = multikv
+object = Process
+useEnglishOnly=true
+
+## ProcessInformation
+[perfmon://ProcessorInformation]
+counters = % Processor Time; Processor Frequency
+disabled = 1
+instances = *
+interval = 10
+mode = multikv
+object = Processor Information
+useEnglishOnly=true
+
+## System
+[perfmon://System]
+counters = File Read Operations/sec; File Write Operations/sec; File Control Operations/sec; File Read Bytes/sec; File Write Bytes/sec; File Control Bytes/sec; Context Switches/sec; System Calls/sec; File Data Operations/sec; System Up Time; Processor Queue Length; Processes; Threads; Alignment Fixups/sec; Exception Dispatches/sec; Floating Emulations/sec; % Registry Quota In Use
+disabled = 1
+instances = *
+interval = 10
+mode = multikv
+object = System
+useEnglishOnly=true
+
+
+###### Perfmon Inputs from TA-AD/TA-DNS ######
+[perfmon://Processor]
+object = Processor
+counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
+instances = *
+interval = 10
+disabled = 1
+mode = multikv
+useEnglishOnly=true
+
+[perfmon://Network_Interface]
+object = Network Interface
+counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size
+instances = *
+interval = 10
+disabled = 1
+mode = multikv
+useEnglishOnly=true
+
+[perfmon://DFS_Replicated_Folders]
+object = DFS Replicated Folders
+counters = Bandwidth Savings Using DFS Replication; RDC Bytes Received; RDC Compressed Size of Files Received; RDC Size of Files Received; RDC Number of Files Received; Compressed Size of Files Received; Size of Files Received; Total Files Received; Deleted Space In Use; Deleted Bytes Cleaned up; Deleted Files Cleaned up; Deleted Bytes Generated; Deleted Files Generated; Updates Dropped; File Installs Retried; File Installs Succeeded; Conflict Folder Cleanups Completed; Conflict Space In Use; Conflict Bytes Cleaned up; Conflict Files Cleaned up; Conflict Bytes Generated; Conflict Files Generated; Staging Space In Use; Staging Bytes Cleaned up; Staging Files Cleaned up; Staging Bytes Generated; Staging Files Generated
+instances = *
+interval = 30
+disabled = 1
+mode = multikv
+useEnglishOnly=true
+
+[perfmon://NTDS]
+object = NTDS
+counters = DRA Inbound Properties Total/sec; AB Browses/sec; DRA Inbound Objects Applied/sec; DS Threads in Use; AB Client Sessions; DRA Pending Replication Synchronizations; DRA Inbound Object Updates Remaining in Packet; DS Security Descriptor sub-operations/sec; DS Security Descriptor Propagations Events; LDAP Client Sessions; LDAP Active Threads; LDAP Writes/sec; LDAP Searches/sec; DRA Outbound Objects/sec; DRA Outbound Properties/sec; DRA Inbound Values Total/sec; DRA Sync Requests Made; DRA Sync Requests Successful; DRA Sync Failures on Schema Mismatch; DRA Inbound Objects/sec; DRA Inbound Properties Applied/sec; DRA Inbound Properties Filtered/sec; DS Monitor List Size; DS Notify Queue Size; LDAP UDP operations/sec; DS Search sub-operations/sec; DS Name Cache hit rate; DRA Highest USN Issued (Low part); DRA Highest USN Issued (High part); DRA Highest USN Committed (Low part); DRA Highest USN Committed (High part); DS % Writes from SAM; DS % Writes from DRA; DS % Writes from LDAP; DS % Writes from LSA; DS % Writes from KCC; DS % Writes from NSPI; DS % Writes Other; DS Directory Writes/sec; DS % Searches from SAM; DS % Searches from DRA; DS % Searches from LDAP; DS % Searches from LSA; DS % Searches from KCC; DS % Searches from NSPI; DS % Searches Other; DS Directory Searches/sec; DS % Reads from SAM; DS % Reads from DRA; DRA Inbound Values (DNs only)/sec; DRA Inbound Objects Filtered/sec; DS % Reads from LSA; DS % Reads from KCC; DS % Reads from NSPI; DS % Reads Other; DS Directory Reads/sec; LDAP Successful Binds/sec; LDAP Bind Time; SAM Successful Computer Creations/sec: Includes all requests; SAM Machine Creation Attempts/sec; SAM Successful User Creations/sec; SAM User Creation Attempts/sec; SAM Password Changes/sec; SAM Membership Changes/sec; SAM Display Information Queries/sec; SAM Enumerations/sec; SAM Transitive Membership Evaluations/sec; SAM Non-Transitive Membership Evaluations/sec; SAM Domain Local Group Membership Evaluations/sec; SAM Universal Group Membership Evaluations/sec; SAM Global Group Membership Evaluations/sec; SAM GC Evaluations/sec; DRA Inbound Full Sync Objects Remaining; DRA Inbound Bytes Total/sec; DRA Inbound Bytes Not Compressed (Within Site)/sec; DRA Inbound Bytes Compressed (Between Sites, Before Compression)/sec; DRA Inbound Bytes Compressed (Between Sites, After Compression)/sec; DRA Outbound Bytes Total/sec; DRA Outbound Bytes Not Compressed (Within Site)/sec; DRA Outbound Bytes Compressed (Between Sites, Before Compression)/sec; DRA Outbound Bytes Compressed (Between Sites, After Compression)/sec; DS Client Binds/sec; DS Server Binds/sec; DS Client Name Translations/sec; DS Server Name Translations/sec; DS Security Descriptor Propagator Runtime Queue; DS Security Descriptor Propagator Average Exclusion Time; DRA Outbound Objects Filtered/sec; DRA Outbound Values Total/sec; DRA Outbound Values (DNs only)/sec; AB ANR/sec; AB Property Reads/sec; AB Searches/sec; AB Matches/sec; AB Proxy Lookups/sec; ATQ Threads Total; ATQ Threads LDAP; ATQ Threads Other; DRA Inbound Bytes Total Since Boot; DRA Inbound Bytes Not Compressed (Within Site) Since Boot; DRA Inbound Bytes Compressed (Between Sites, Before Compression) Since Boot; DRA Inbound Bytes Compressed (Between Sites, After Compression) Since Boot; DRA Outbound Bytes Total Since Boot; DRA Outbound Bytes Not Compressed (Within Site) Since Boot; DRA Outbound Bytes Compressed (Between Sites, Before Compression) Since Boot; DRA Outbound Bytes Compressed (Between Sites, After Compression) Since Boot; LDAP New Connections/sec; LDAP Closed Connections/sec; LDAP New SSL Connections/sec; DRA Pending Replication Operations; DRA Threads Getting NC Changes; DRA Threads Getting NC Changes Holding Semaphore; DRA Inbound Link Value Updates Remaining in Packet; DRA Inbound Total Updates Remaining in Packet; DS % Writes from NTDSAPI; DS % Searches from NTDSAPI; DS % Reads from NTDSAPI; SAM Account Group Evaluation Latency; SAM Resource Group Evaluation Latency; ATQ Outstanding Queued Requests; ATQ Request Latency; ATQ Estimated Queue Delay; Tombstones Garbage Collected/sec; Phantoms Cleaned/sec; Link Values Cleaned/sec; Tombstones Visited/sec; Phantoms Visited/sec; NTLM Binds/sec; Negotiated Binds/sec; Digest Binds/sec; Simple Binds/sec; External Binds/sec; Fast Binds/sec; Base searches/sec; Subtree searches/sec; Onelevel searches/sec; Database adds/sec; Database modifys/sec; Database deletes/sec; Database recycles/sec; Approximate highest DNT; Transitive operations/sec; Transitive suboperations/sec; Transitive operations milliseconds run
+interval = 10
+disabled = 1
+mode = multikv
+useEnglishOnly=true
+
+[perfmon://DNS]
+object = DNS
+counters = Total Query Received; Total Query Received/sec; UDP Query Received; UDP Query Received/sec; TCP Query Received; TCP Query Received/sec; Total Response Sent; Total Response Sent/sec; UDP Response Sent; UDP Response Sent/sec; TCP Response Sent; TCP Response Sent/sec; Recursive Queries; Recursive Queries/sec; Recursive Send TimeOuts; Recursive TimeOut/sec; Recursive Query Failure; Recursive Query Failure/sec; Notify Sent; Zone Transfer Request Received; Zone Transfer Success; Zone Transfer Failure; AXFR Request Received; AXFR Success Sent; IXFR Request Received; IXFR Success Sent; Notify Received; Zone Transfer SOA Request Sent; AXFR Request Sent; AXFR Response Received; AXFR Success Received; IXFR Request Sent; IXFR Response Received; IXFR Success Received; IXFR UDP Success Received; IXFR TCP Success Received; WINS Lookup Received; WINS Lookup Received/sec; WINS Response Sent; WINS Response Sent/sec; WINS Reverse Lookup Received; WINS Reverse Lookup Received/sec; WINS Reverse Response Sent; WINS Reverse Response Sent/sec; Dynamic Update Received; Dynamic Update Received/sec; Dynamic Update NoOperation; Dynamic Update NoOperation/sec; Dynamic Update Written to Database; Dynamic Update Written to Database/sec; Dynamic Update Rejected; Dynamic Update TimeOuts; Dynamic Update Queued; Secure Update Received; Secure Update Received/sec; Secure Update Failure; Database Node Memory; Record Flow Memory; Caching Memory; UDP Message Memory; TCP Message Memory; Nbstat Memory; Unmatched Responses Received
+interval = 10
+disabled = 1
+mode = multikv
+useEnglishOnly=true
+
+
+[admon://default]
+disabled = 1
+monitorSubtree = 1
+
+
+[WinRegMon://default]
+disabled = 1
+hive = .*
+proc = .*
+type = rename|set|delete|create
+
+[WinRegMon://hkcu_run]
+disabled = 1
+hive = \\REGISTRY\\USER\\.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
+proc = .*
+type = set|create|delete|rename
+
+[WinRegMon://hklm_run]
+disabled = 1
+hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
+proc = .*
+type = set|create|delete|rename

deployment-apps/Splunk_TA_windows_FW/default/macros.conf

@@ -0,0 +1,38 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+[events-search(6)]
+args = LogName, EventHost, TaskCategory, SourceName, EventCode, Type
+definition = eventtype="wineventlog_windows" source="*inEventLog:$LogName$" (host="$EventHost$" OR ComputerName="$EventHost$") TaskCategory="$TaskCategory$" SourceName="$SourceName$" EventCode="$EventCode$" Type="$Type$"
+
+[compute-ingestion-stats]
+# The below post-process can be used to compute generic statistics about event ingestion
+# The search computes event rate (count and size) in 5 minute chunks by assigning each event a weight of 1/300.0 and then computing the sum. This is the best way to get this into a sparkline.
+definition = eval temp=1/300.0, event_size=len(_raw) | eval event_size_temp=len(_raw)/300.0 | stats sparkline(sum(temp), 5m) as "Events per second", sparkline(sum(event_size_temp), 5m) as "Event throughput (kbps)", sum(event_size) as TotalBytes, sum(temp) as tempsum by sourcetype | eval "Total MB"=round(TotalBytes/1024.0/1024.0,2) | addinfo | eval APS=tempsum/(info_max_time-info_min_time) | eval "Average events per second"=round(APS*300.0,2) | fields sourcetype "Events per second" "Event throughput (kbps)" "Average events per second" "Total MB"
+
+[netmon-hosts-search]
+definition = eventtype=netmon_windows | stats count by host | sort +host
+
+[event-hosts-search]
+definition = eventtype=wineventlog_windows | stats count by host | sort +host
+
+[log-names-search]
+definition = eventtype=wineventlog_windows | stats count by LogName | sort +LogName
+
+[source-names-search(1)]
+args = LogName
+definition = eventtype=wineventlog_windows LogName="$LogName$" | stats count by SourceName | sort +SourceName
+
+[task-categories-search(2)]
+args = LogName, SourceName
+definition = eventtype=wineventlog_windows LogName="$LogName$" SourceName="$SourceName$" | stats count by TaskCategory | sort +TaskCategory
+
+[event-codes-search(3)]
+args = LogName, SourceName, TaskCategory
+definition = eventtype=wineventlog_windows LogName="$LogName$" SourceName="$SourceName$" TaskCategory="$TaskCategory$" | stats count by EventCode | sort +EventCode
+
+[event-types-search(4)]
+args = LogName, SourceName, TaskCategory, EventCode
+definition = eventtype=wineventlog_windows LogName="$LogName$" SourceName="$SourceName$" TaskCategory="$TaskCategory$" EventCode="$EventCode$" | stats count by Type | sort +Type

deployment-apps/Splunk_TA_windows_FW/default/tags.conf

@@ -0,0 +1,674 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+## DO NOT EDIT THIS FILE!
+## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
+## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
+## into ../local and edit there.
+
+###### Global Windows Eventtype ######
+
+[eventtype=windows_event_signature]
+track_event_signatures = enabled
+
+[eventtype=wineventlog_windows]
+os = enabled
+windows = enabled
+
+[eventtype=wineventlog_application]
+os = enabled
+windows = enabled
+
+[eventtype=wineventlog_system]
+os = enabled
+windows = enabled
+
+[eventtype=wineventlog_security]
+os = enabled
+windows = enabled
+
+[eventtype=perfmon_windows]
+os = enabled
+windows = enabled
+
+[eventtype=perfmon_processorinformation]
+process = enabled
+report = enabled
+performance = enabled
+cpu = enabled
+
+[eventtype=hostmon_windows]
+os = enabled
+windows = enabled
+
+[eventtype=hostmon_os]
+os = enabled
+windows = enabled
+memory = enabled
+performance = enabled
+oshost = enabled
+
+[eventtype=hostmon_inventory]
+os = enabled
+inventory = enabled
+cpu = enabled
+memory = enabled
+oshost = enabled
+
+[eventtype=hostmon_disk]
+performance = enabled
+inventory = enabled
+storage = enabled
+oshost = enabled
+
+[eventtype=netmon_windows]
+os = enabled
+windows = enabled
+
+[eventtype=printmon_windows]
+os = enabled
+windows = enabled
+
+[eventtype=script_windows]
+os = enabled
+windows = enabled
+
+[eventtype=wmi_windows]
+os = enabled
+windows = enabled
+
+[eventtype=windowsupdatelog_windows]
+os = enabled
+windows = enabled
+
+[eventtype=winregistry_windows]
+os = enabled
+windows = enabled
+endpoint = enabled
+change = enabled
+registry = enabled
+
+[eventtype=winsec]
+security = enabled
+
+
+###### DHCP ######
+[eventtype=msdhcp]
+dhcp    = enabled
+network = enabled
+session = enabled
+windows = enabled
+
+[eventtype=msdhcp_start]
+start = enabled
+
+[eventtype=msdhcp_end]
+end = disabled
+
+[eventtype=DhcpSrvLog]
+windows = enabled
+
+[eventtype=DhcpSrvLog_dhcp]
+dhcp    = enabled
+network = enabled
+session = enabled
+
+[eventtype=DhcpSrvLog_start]
+dhcp    = enabled
+network = enabled
+session = enabled
+start = enabled
+
+[eventtype=DhcpSrvLog_end]
+dhcp    = enabled
+network = enabled
+session = enabled
+end = enabled
+
+
+###### Security: Account Logon ######
+[eventtype=windows_auth_ticket_granted]
+authentication = enabled
+
+[eventtype=windows_service_ticket_granted]
+authentication = enabled
+
+[eventtype=windows_pre_auth_failed]
+authentication = enabled
+
+[eventtype=windows_account_used4logon]
+authentication = enabled
+
+[eventtype=windows_session_disconnected]
+access = enabled
+stop = enabled
+logoff = enabled
+
+
+###### Security: Account Management ######
+[eventtype=windows_account_management]
+account = enabled
+change = enabled
+management = enabled
+
+[eventtype=windows_account_created]
+add = enabled
+account = enabled
+change = enabled
+
+[eventtype=windows_account_enabled]
+enable = enabled
+account = enabled
+change = enabled
+
+[eventtype=windows_account_password_change]
+password = enabled
+modify = enabled
+account = enabled
+change = enabled
+
+[eventtype=windows_account_password_set]
+password = enabled
+modify = enabled
+account = enabled
+change = enabled
+
+[Service_Name=kadmin%2Fchangepw]
+account = enabled
+change = enabled
+password = enabled
+modify = enabled
+
+[eventtype=windows_account_disabled]
+disable = enabled
+account = enabled
+change = enabled
+
+[eventtype=windows_account_deleted]
+delete = enabled
+account = enabled
+change = enabled
+
+[eventtype=windows_account_modified]
+modify = enabled
+account = enabled
+change = enabled
+
+[eventtype=windows_account_lockout]
+lock = enabled
+lockout = enabled
+account = enabled
+change = enabled
+
+[eventtype=windows_account_unlocked]
+modify = enabled
+account = enabled
+change = enabled
+
+###### Security: Audit (Event Log) ######
+[eventtype=windows_audit_log_stopped]
+stop = enabled
+stopped = enabled
+watchlist = enabled
+
+[eventtype=windows_audit_errors]
+audit = enabled
+error = enabled
+
+[eventtype=windows_audit_log_cleared]
+audit = enabled
+change = enabled
+delete = enabled
+cleared = enabled
+watchlist = enabled
+
+[eventtype=windows_audit_backup]
+audit = enabled
+backup = enabled
+change = enabled
+
+[eventtype=windows_audit_log_logon]
+audit = enabled
+change = enabled
+
+[privilege_id=SeAuditPrivilege]
+audit = enabled
+
+[privilege_id=SeSecurityPrivilege]
+audit = enabled
+
+
+###### Security: Logon/Logoff ######
+[eventtype=windows_logoff]
+access = enabled
+stop = enabled
+logoff = enabled
+
+[eventtype=windows_logon_explicit]
+authentication = enabled
+privileged = enabled
+
+[eventtype=windows_logon_failure]
+authentication = enabled
+
+[app=win%3Alocal]
+local = enabled
+
+[app=win%3Aremote]
+remote = enabled
+
+[eventtype=windows_logon_success]
+authentication = enabled
+
+[Logon_Type=8]
+cleartext = enabled
+
+
+###### Security: Object Access ######
+[eventtype=windows_object_open]
+resource = enabled
+file = enabled
+access = enabled
+start = enabled
+
+[eventtype=windows_handle_closed]
+resource = enabled
+file = enabled
+access = enabled
+stop = enabled
+
+
+###### Security: Policy Change ######
+[eventtype=windows_audit_policy_change]
+policy = enabled
+configuration = enabled
+modify = enabled
+audit = enabled
+change = enabled
+
+[eventtype=windows_security_access_granted]
+access = enabled
+authorization = enabled
+add = enabled
+change = enabled
+account = enabled
+
+[eventtype=windows_security_access_removed]
+access = enabled
+authorization = enabled
+delete = enabled
+change = enabled
+account = enabled
+
+[eventtype=windows_audit_policy_changed]
+policy = enabled
+configuration = enabled
+modify = enabled
+audit = enabled
+change = enabled
+
+[eventtype=windows_firewall_policy_active]
+application = enabled
+firewall = enabled
+configuration = enabled
+report = enabled
+
+[eventtype=windows_firewall_policy_change]
+application = enabled
+firewall = enabled
+configuration = enabled
+modify = enabled
+
+[eventtype=windows_firewall_port_listening]
+application = enabled
+firewall = enabled
+port = enabled
+listening = enabled
+report = enabled
+
+
+###### Security: Privilege Use ######
+[eventtype=windows_special_privileges]
+authentication = enabled
+privileged = enabled
+
+[eventtype=windows_privileged_service_call]
+process = enabled
+execute = enabled
+start = enabled
+privileged = enabled
+
+[eventtype=windows_privileged_object_operation]
+resource = enabled
+execute = enabled
+start = enabled
+privileged = enabled
+
+
+###### Security: Process Tracking ######
+[eventtype=windows_process_new]
+process = enabled
+execute = enabled
+start = enabled
+
+[eventtype=windows_process_exit]
+process = enabled
+execute = enabled
+stop = enabled
+
+[eventtype=windows_process_token]
+process = enabled
+execute = enabled
+start = enabled
+privileged = enabled
+
+[Token_Elevation_Type_id=2]
+privileged = enabled
+
+
+###### Security: System ######
+[eventtype=windows_auth_package]
+process = enabled
+execute = enabled
+start = enabled
+
+[eventtype=windows_logon_process]
+process = enabled
+authorization = enabled
+add = enabled
+
+[eventtype=windows_notification_package]
+process = enabled
+execute = enabled
+start = enabled
+
+
+###### Security: Vulnerability ######
+[eventtype=windows_security_misconfiguration_password_minimum_length]
+misconfiguration = enabled
+password = enabled
+policy = enabled
+vulnerability = enabled
+report = enabled
+audit = enabled
+change = enabled
+
+
+###### System: Time ######
+[eventtype=windows_time_sync]
+report = enabled
+time = enabled
+synchronize = enabled
+success = enabled
+performance = enabled
+
+[eventtype=windows_time_failure]
+report = enabled
+time = enabled
+synchronize = enabled
+failure = enabled
+performance = enabled
+
+
+###### System: Update ######
+[eventtype=windows_system_update]
+system = enabled
+update = enabled
+
+[eventtype=windows_system_update_status]
+status = enabled
+
+[eventtype=windows_updatelog]
+system = enabled
+update = enabled
+
+[eventtype=windows_updatelog_status]
+status = enabled
+
+## WMI:Update
+[eventtype=wmi_installed_packages]
+system = enabled
+update = enabled
+status = enabled
+
+
+###### Splunk WMI ######
+
+## ComputerSystem
+[eventtype=wmi_computersystem]
+performance = enabled
+memory = enabled
+
+## CPUTime
+[eventtype=perfmon_cputime]
+cpu = enabled
+report = enabled
+performance = enabled
+oshost = enabled
+
+[eventtype=perfmon_cputime_anomalous]
+anomalous = enabled
+
+[eventtype=wmi_cputime]
+cpu = enabled
+report = enabled
+performance = enabled
+
+[eventtype=wmi_cputime_anomalous]
+anomalous = enabled
+
+## System
+[eventtype=perfmon_system]
+cpu = enabled
+report = enabled
+performance = enabled
+oshost = enabled
+
+## Disk
+[eventtype=perfmon_freediskspace]
+disk = enabled
+report = enabled
+performance = enabled
+storage = enabled
+oshost = enabled
+
+[eventtype=perfmon_freediskspace_anomalous]
+anomalous = enabled
+
+[eventtype=wmi_freediskspace]
+disk = enabled
+report = enabled
+performance = enabled
+storage = enabled
+
+[eventtype=wmi_freediskspace_anomalous]
+anomalous = enabled
+
+[eventtype=perfmon_logicaldisk]
+disk = enabled
+performance = enabled
+storage = enabled
+oshost = enabled
+
+[eventtype=wmi_logicaldisk]
+disk = enabled
+performance = enabled
+storage = enabled
+
+## Network
+[eventtype=perfmon_network]
+network = enabled
+performance = enabled
+oshost = enabled
+
+[eventtype=perfmon_network_throughput]
+network = enabled
+performance = enabled
+oshost = enabled
+
+[eventtype=perfmon_network_bandwidth]
+network = enabled
+performance = enabled
+oshost = enabled
+
+[eventtype=wmi_network_throughput]
+network = enabled
+performance = enabled
+
+[eventtype=wmi_network_bandwidth]
+network = enabled
+performance = enabled
+
+## Process
+[eventtype=perfmon_process]
+performance = enabled
+process = enabled
+oshost = enabled
+report = enabled
+
+## Listening Ports
+[eventtype=script_listeningports]
+port = enabled
+listening = enabled
+report = enabled
+
+## Local Processes
+[eventtype=wmi_localprocesses]
+process = enabled
+report = enabled
+
+[eventtype=wmi_localprocesses_anomalous]
+anomalous = enabled
+
+## Memory
+[eventtype=perfmon_memory]
+memory = enabled
+report = enabled
+performance = enabled
+oshost = enabled
+
+[eventtype=perfmon_memory_anomalous]
+anomalous = enabled
+
+[eventtype=wmi_memory]
+memory = enabled
+report = enabled
+performance = enabled
+
+[eventtype=wmi_memory_anomalous]
+anomalous = enabled
+
+## Service
+[eventtype=wmi_service]
+service = enabled
+report = enabled
+
+[eventtype=wmi_service_status_anomalous]
+anomalous = enabled
+
+[eventtype=wmi_service_state_anomalous]
+anomalous = enabled
+
+[app=W32Time]
+time = enabled
+synchronize = enabled
+
+[app=wuauserv]
+automatic = enabled
+update = enabled
+
+## Uptime
+[eventtype=wmi_uptime]
+uptime = enabled
+report = enabled
+performance = enabled
+
+[eventtype=wmi_uptime_anomalous]
+anomalous = enabled
+
+## User Accounts
+[eventtype=wmi_useraccounts]
+account = enabled
+report = enabled
+
+inventory = enabled
+user = enabled
+
+## Version
+[eventtype=wmi_version]
+system = enabled
+version = enabled
+report = enabled
+
+inventory = enabled
+
+
+[eventtype=windows_account_mapped]
+authentication = enabled
+
+[eventtype=windows_account_notmapped]
+authentication = enabled
+
+[eventtype=microsoft_windows_hostmon_process]
+process = enabled
+report = enabled
+
+[eventtype=microsoft_windows_hostmon_service]
+service = enabled
+report = enabled
+
+[eventtype=microsoft_windows_hostmon_service_time]
+time = enabled
+synchronize = enabled
+os = enabled
+performance = enabled
+
+## Endpoint.processes Data Model
+[eventtype=windows_endpoint_processes]
+process = enabled
+report = enabled
+
+## Endpoint.services Data Model
+[eventtype=windows_endpoint_services]
+service = enabled
+report = enabled
+
+## Security-CIM Mappings
+
+## Endpoint Registry Data Model
+[eventtype=windows_security_endpoint_registry]
+endpoint = enabled
+registry = enabled
+
+## Endpoint Port Data Model
+[eventtype=windows_security_endpoint_port]
+listening = enabled
+port = enabled
+
+## Change Audit Data Model
+[eventtype=windows_security_change_audit]
+change = enabled
+audit = enabled
+
+## Change Data Model
+[eventtype=windows_security_change]
+change = enabled
+
+# Authentication Data Model
+[eventtype=windows_security_authentication]
+authentication = enabled
+
+[eventtype=windows_security_change_account]
+change = enabled
+account = enabled
+
+# Change Audit DM for Windows System
+[eventtype=windows_system_change_audit]
+change = enabled
+audit = enabled
+
+# Network resolution (dns) DM for DNS events.
+[eventtype=nt6-dns-events]
+network = enabled
+resolution = enabled
+dns = enabled