Splunk® Add-on for Windows

Deploy and Use the Splunk Add-on for Windows

Release notes

This topic contains information on new features, known issues, and fixes for each released version of the Splunk Add-on for Windows.

The latest version of the Splunk Add-on for Windows was released on Friday, September 18, 2015.

What's new

Here's what's new in the latest version of the Splunk Add-on for Windows:

| Publication date | Defect number | Description |
|---|---|---|
| 2015-9-18 | N/A | Bug fixes. |
| 2015-9-18 | N/A | The add-on has been updated to be compatible with Splunk Enterprise version 6.3. |
| 2015-9-18 | TAG-9674 | Some unnecessary configuration files that did not impact operation were removed. |

Current known issues

The Splunk Add-on for Windows has the following known issues:

| Publication date | Defect number | Description |
|---|---|---|
| Before 2015-9-18 | TAG-9554 | The Account_Domain_as_dest_nt_domain field transformation incorrectly parses the "Account Domain" field, and the Login_ID_as_session_id transformation incorrectly parses the "Logon_ID" field. Both transformations produce multi-value fields, which prevents the Splunk Apps for Microsoft Exchange and Windows Infrastructure from displaying correct results in the "Account Lockout - User" panels and in any ad-hoc searches that reference these fields. |
| Before 2015-9-18 | TAG-9173 | The WinHostMon inputs in the add-on are not compliant with the Common Information Model. |
| Before 2015-9-18 | SPL-91311, TAG-9069 | A problem with how Splunk Enterprise parses configuration files causes several transforms in the Splunk Add-on for Windows to generate "WARN SearchOperator:kv - Missing FORMAT" error messages. As a result, an incorrect regular expression is generated for the affected field transformations: Security_ID_as_dest_nt_domain, Target_Account_ID_as_dest_nt_domain, and User_ID_as_dest_nt_domain. |

Change log (what's been fixed)

| Publication date | Defect number | Description |
|---|---|---|
| 2015-9-18 | TAG-9696 | The add-on now extracts the proper field for the src_nt_host extraction for Windows Event Code 4740 in the Event Log Security channel when it has been installed on Windows Server 2008 R2 Active Directory domain controllers. Instead of extracting the nonexistent "Caller Machine Name" field, it now extracts the "Caller Computer Name" field. |
| 2015-9-18 | TAG-9388 | The add-on now maps user account statuses collected through Windows Management Instrumentation (WMI) to the "Computer_Inventory" data model. This fixes a problem in the Splunk App for Enterprise Security (ES) where that app flagged default Windows accounts even after an administrator had disabled them. |
| 2015-9-18 | TAG-9347 | The input [Perfmon:CPU], which the perfmon_cputime event type referenced as [Perfmon:CPUtime], has been renamed to [Perfmon:CPUTime]. |
| 2015-9-18 | TAG-9338 | The add-on now extracts XML Windows Event Log fields correctly. This fixes Common Information Model compliance problems. |
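The two extraction problems above (TAG-9696, where src_nt_host must come from the "Caller Computer Name" line of a 4740 event, and TAG-9554, where a label that repeats within an event yields a multi-value field) can be reproduced outside Splunk. The following is an added Python illustration, not the add-on's own transforms: the event texts are constructed samples, and scoping each key/value pair to the section header it sits under is one way to keep repeated labels apart.

```python
import re

# Constructed samples (not real captured events) in the multi-line text layout of
# the Windows Security Event Log channel; values are made up for illustration.
SAMPLE_4740 = """EventCode=4740
Subject:
\tAccount Name:\t\tDC01$
\tAccount Domain:\t\tCORP
\tLogon ID:\t\t0x3E7

Account That Was Locked Out:
\tAccount Name:\t\tjdoe

Additional Information:
\tCaller Computer Name:\tWS-042
"""
# A logon event (4624) repeats "Account Domain" and "Logon ID" in two sections.
SAMPLE_4624 = """Subject:
\tAccount Domain:\t\tCORP
\tLogon ID:\t\t0x3E7

New Logon:
\tAccount Domain:\t\tCORP
\tLogon ID:\t\t0x1A2B3C
"""
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+):\s*$")   # unindented "Subject:"
FIELD_RE = re.compile(r"^\s+(?P<key>[A-Za-z ]+):\s*(?P<val>.*?)\s*$")  # indented

def extract_src_nt_host(event):
    """src_nt_host for 4740 is the 'Caller Computer Name' value; no 'Caller Machine Name' line exists."""
    m = re.search(r"^\s*Caller Computer Name:\s*(\S+)", event, re.M)
    return m.group(1) if m else None

def fields_by_section(event):
    """Indented key/value lines under each section header -> {section: {key: value}}."""
    fields, current = {}, None
    for line in event.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group("name")
            fields[current] = {}
        elif current is not None:
            kv = FIELD_RE.match(line)
            if kv:
                fields[current][kv.group("key").strip()] = kv.group("val")
    return fields

def all_values(event, label):
    """Every value for a label anywhere in the event: the multi-value pitfall."""
    return re.findall(rf"^\s*{re.escape(label)}:\s*(.*?)\s*$", event, re.M)
```

Running all_values against the 4624 sample returns two Logon IDs, which is the multi-value shape that breaks a per-session search; fields_by_section returns the Subject and New Logon values separately.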
Last modified on 21 September, 2015

This documentation applies to the following versions of Splunk® Add-on for Windows: 4.8.0
