The out-of-the-box version of Splunk can collect a great deal of data from Windows endpoints. See Install a Windows universal forwarder from an installer for details. However, the Splunk Add-on for Microsoft Windows amplifies this functionality with three realms of features: additional data collection functionality, a rich set of knowledge objects for all Windows data, and prebuilt panels. This post reviews those features and highlights easily overlooked best practices for deploying the add-on and searching its data.
Starting with version 6.0.0, the Splunk Add-on for Microsoft Windows introduced new functionality for data collection of Microsoft Active Directory and Microsoft DNS. These were previously provided in separate apps. See the Release notes for the Splunk Add-on for Windows for additional information. Additionally, the Splunk Add-on for Microsoft Windows includes a variety of scripts that introduce functionality for collecting complex data from the Windows system. See Source types for the Splunk Add-on for Windows for a complete list and summary of all data inputs available by adding the Splunk Add-on for Microsoft Windows to a Splunk installation.
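To make the data collection side concrete, here is an added example of a forwarder-side `local/inputs.conf` for the add-on; it is not taken from the post or from the add-on's shipped configuration. The stanza types (`WinEventLog://`, `admon://`, `perfmon://`, `MonitorNoHandle://`) and their keys are the add-on's documented input types, but the index name `wineventlog`, the DNS debug-log path and the `MSWindows:2008R2:DNS` sourcetype are assumptions to verify against the version you deploy. The stanzas in the add-on's `default/inputs.conf` ship disabled, so each input you want must be explicitly enabled in `local/`.

```ini
# Assumed location: $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/inputs.conf
# on the universal forwarder. On search heads and indexers the add-on is
# installed only for its knowledge objects; leave these inputs disabled there.

# Security event log: the primary source for logon, privilege and object
# access events used by detection content. renderXml keeps the full event
# structure; evt_resolve_ad_obj resolves SIDs/GUIDs to names at collection
# time (costs an AD lookup per event, so weigh it on busy domain controllers).
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = true
evt_resolve_ad_obj = 1
index = wineventlog

# System and Application logs: service state changes and crashes that
# corroborate what the Security log shows.
[WinEventLog://System]
disabled = 0
index = wineventlog

[WinEventLog://Application]
disabled = 0
index = wineventlog

# Active Directory monitoring (formerly a separate app, folded into the
# add-on from 6.0.0). Run this on a domain controller only. baseline = 0
# avoids dumping the whole directory on first start; set to 1 once if you
# want a full snapshot to diff against.
[admon://default]
targetDc =
startingNode =
monitorSubtree = 1
baseline = 0
disabled = 0
index = wineventlog

# DNS debug log (formerly a separate app). The server must have debug
# logging enabled and writing to this path; the path and sourcetype below
# are assumptions taken from the add-on's default configuration as I recall it.
[MonitorNoHandle://C:\Windows\System32\Dns\dns.log]
sourcetype = MSWindows:2008R2:DNS
disabled = 0
index = wineventlog

# Performance counters: a light CPU baseline so spikes can be correlated
# with the event data above.
[perfmon://CPU]
object = Processor
counters = % Processor Time; % User Time
instances = *
interval = 10
disabled = 0
index = wineventlog
```

The forwarder picks this up on restart. Keep the file in `local/` rather than editing `default/`, so an add-on upgrade does not silently revert the inputs you enabled, and remember that the `admon://` and DNS stanzas only produce data on hosts that actually run those roles.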
The Splunk Add-on for Microsoft Windows contains preconfigured knowledge objects that are Common Information Model compatible. They already include field extractions, lookups, aliases, and more, so Windows data works seamlessly with other Splunk products such as Splunk Enterprise Security, the Splunk App for PCI Compliance, the Splunk ITSI Operating System Module, the Splunk App for Windows Infrastructure, Splunk User Behavior Analytics, and the Splunk App for Microsoft Exchange. See About the Splunk Add-on for Windows for more information. Manually creating the knowledge objects the Splunk Add-on for Microsoft Windows provides would take months of work and rework to get right.
App vs Add-on
The Splunk Add-on for Microsoft Windows contains no dashboards or prebuilt panels. Be sure not to confuse this add-on with the Splunk App for Windows Infrastructure, which is all dashboards but does not collect data. Learn more about the Microsoft-related apps and add-ons in our post Using the Apps & Addons for Microsoft Technologies.
It's often overlooked that the servers in your Splunk deployment don't need to be Windows to search data from the Windows endpoints. Learn more by reading Search Windows data on a non-Windows instance of Splunk Enterprise. In fact, follow the Install this add-on topic to install the Splunk Add-on for Windows on search heads and indexers so that your Windows data is properly indexed and searched.