Content Pack for Windows Dashboards and Reports

Content Pack for Windows Dashboards and Reports

This documentation does not apply to the most recent version of Content Pack for Windows Dashboards and Reports. For documentation on the most recent version, go to the latest release.

Migrate from the Splunk App for Windows Infrastructure to the Content Pack for Windows Dashboards and Reports

The Content Pack for Windows Dashboards and Reports replicates the dashboards and reports available in the Splunk App for Windows Infrastructure. Migrate from the legacy app to the content pack to take advantage of a consolidated experience within one app, either ITSI or IT Essentials Work. In addition, you can upgrade all content packs by upgrading the Splunk App for Content Packs.

You can review the dashboards included in the Content Pack for Windows Dashboards and Reports before migrating to that content pack. For a list of the included dashboards, see Dashboard reference for the Content Pack for Windows Dashboards and Reports.

On October 20, 2021, the Splunk App for Windows Infrastructure reached its end of life. Splunk no longer maintains or develops the Splunk App for Windows Infrastructure.

Migration for cloud environments

For migration on the cloud, submit a new case using the Support and Services section of the Splunk Support Portal. Splunk Cloud TechOps personnel will assist with your migration from Splunk App for Windows Infrastructure to the Content Pack for Windows Dashboards and Reports.

Migration for on-premises standalone or distributed environments

You can perform the migration procedure in an on-prem standalone or distributed environment yourself, if you tend to migration prerequisites first.

Before you migrate

Before migrating to Content Pack for Windows Dashboards and Reports, make sure to follow the steps below to make a backup of your custom configurations and lookups:

  1. Make a backup of the directories below from the splunk_app_windows_infrastructure package present in $SPLUNK_HOME/etc/apps on each search head:
    1. /local directory which contains all the local configurations under conf files.
    2. /lookups directory which contains the CSV lookups
    3. /metadata/local.meta which contains the updated permissions for the Knowledge Objects.
  2. Make a backup of the KV Store lookups present in the app.
    1. Identify the KVstore captain from different Search Heads. (Perform this step if you have multiple search heads in your environment)
      
      $SPLUNK_HOME/bin/splunk show kvstore-status
      
      
    2. Login to the KVStore Captain search head and run the following command:
      
      $SPLUNK_HOME/bin/splunk backup kvstore -archiveName splunk_app_windows_infrastructure_kvstore_backup -appName splunk_app_windows_infrastructure
      
      
    3. Identify the latest backup in $SPLUNK_HOME/var/lib/splunk/kvstorebackup and copy splunk_app_windows_infrastructure_kvstore_backup.tar.gz backup file to $SPLUNK_HOME/tmp. This archive file is required to restore the App lookup data during migration.

If you are currently using the Splunk App for Windows Infrastructure, your deployment setup might resemble the following table:

Data collection node (forwarder) Indexer Search head
Splunk Add-on for Microsoft Windows
Splunk App for Windows Infrastructure
Splunk Supporting Add-on for Active Directory

Migrate from Splunk App for Windows Infrastructure to Content Pack for Windows Dashboards and Reports

Follow the steps below to migrate from Splunk App for Windows Infrastructure to Content Pack for Windows Dashboards and Reports. Use the instructions in "Before you migrate" to make a backup of your existing lookups and custom configurations before you start the migration procedure.

  1. Perform the following steps on each Search Head present in your deployment to disable the Splunk App for Windows Infrastructure:
    1. Navigate to {SPLUNK_HOME}/etc/apps/splunk_app_windows_infrastructure/local/app.conf (create app.conf file in local directory if it is not present) and edit the "state" property of the "install" stanza as follows:
      [install]
      state = disabled
      
    2. Restart the Instance using $SPLUNK_HOME/bin/splunk restart .
  2. Install ITSI or IT Essentials Work on the same search head with Windows data according to your type of deployment. Refer to these topics in the Splunk IT Service Intelligence Install and Upgrade Manual:
    1. Install Splunk IT Service Intelligence on a single instance
    2. Where to install IT Service Intelligence in a distributed environment
    3. Install Splunk IT Essentials Work on a single on-premises instance (Note that if you're using a Cloud-only version of IT Essentials Work, Splunk Support does the installation).
  3. Install the Splunk App for Content Packs according to your type of deployment:
    1. Install the Splunk App for Content Packs on a single on-premises environment
    2. Install the Splunk App for Content Packs on a distributed environment

After following the previous steps, the deployment is installed as shown in the following table:

Data collection node (forwarder) Indexer Search head
Splunk Add-on for Microsoft Windows
ITSI or IT Essentials Work
Splunk App for Windows Infrastructure Disabled
Splunk App for Content Packs
Splunk Supporting Add On for Active Directory

After you migrate to the Content Pack for Windows Dashboards and Reports

  1. Restore the backup of the KV store lookup.
    1. Identify the KVstore captain from different search heads. (Perform this step if the you are using a Search Head Cluster environment). For Single Search Head Deployment, the only search head will be the KVstore captain.
      
      $SPLUNK_HOME/bin/splunk show kvstore-status
      
      
    2. If the KV Store captain has changed, then move the KV Store backup file from old KV Store Captain to current KV Store Captain. Run the following command on the search head where the KVStore backup is taken as part of the "Before you migrate" section (Perform this step if the you are using a Search Head Cluster environment):
      
      scp /path_of_splunk_app_windows_infrastructure_kvstore_backup.tar.gz {SPLUNK_USER}@{$search_head_ip}:/{SPLUNK_HOME}/tmp
      
      
    3. On your current KVStore captain, untar the backup tar file:
      
      tar -xzvf $SPLUNK_HOME/tmp/splunk_app_windows_infrastructure_kvstore_backup.tar.gz
      
      
    4. Rename the folder
      
      mv $SPLUNK_HOME/tmp/splunk_app_windows_infrastructure $SPLUNK_HOME/tmp/DA-ITSI-CP-windows-dashboards
      
      
    5. Tar the upgraded folder name
      
      tar -czf $SPLUNK_HOME/tmp/DA-ITSI-CP-windows-dashboards_kvstore_backup.tar.gz DA-ITSI-CP-windows-dashboards
      
    6. Move the $SPLUNK_HOME/tmp/DA-ITSI-CP-windows-dashboards_kvstore_backup.tar.gz file in $SPLUNK_HOME/var/lib/splunk/kvstorebackup .
    7. Restore the backup.
      
      splunk restore kvstore -archiveName DA-ITSI-CP-windows-dashboards_kvstore_backup.tar.gz -appName DA-ITSI-CP-windows-dashboards
      
  2. Perform the following steps on each Search Head present in your deployment:
    1. Move the following directories from the App package to the DA-ITSI-CP-windows-dashboards folder that was backed up before you started the migration:
      1. /local directory collected from the app which contains all the local configurations of the app
      2. /lookups directory
      3. /metadata/local.meta directory
    2. Remove the app.conf file from local directory.
    3. Remove the msftapps_winfra_setup.conf file from local directory.
    4. Remove the splunk_msftapp.conf file from local directory.
    5. Restart the instance using $SPLUNK_HOME/bin/splunk restart.

The searches of Splunk App for Windows infrastructure use a macro-based index, whereas searches of Content Pack for Windows Dashboards and Reports contain eventtype-based specifications. Accordingly, you need to configure corresponding eventtype indexes after migrating to Windows Dashboards and Reports Content Pack.

For information about configuring eventtype indexes, see Create custom indexes.

Install and configure the content pack

You can now install and configure the content pack:

  1. Ensure the Windows data collected using Splunk Add-on for Microsoft Windows is searchable from the search head where you installed the Splunk App for Content Packs.
  2. Follow the steps in the Install and configure the Content Pack for Windows Dashboards and Reports.

Access the dashboards in the content pack

To access the dashboards from the content pack:

  1. In Splunk Web, open ITSI or IT Essentials Work.
  2. From the main navigation bar choose Dashboards > Dashboards.
  3. In the list of dashboards, those with the App name of DA-ITSI-CP-windows-dashboards are from the Content Pack for Windows Dashboards and Reports. Select the dashboard title you want to open the dashboard.

Configure the Content Pack for Windows Dashboards and Reports in a new environment

If you don't repurpose an existing environment for migrating from the Splunk App for Windows Infrastructure to the Content Pack for Windows Dashboards and Reports as described above, you can configure the content pack in a new environment.

To configure the content pack in a new environment, create a test environment and perform the follopwing steps to set up the Content Pack for Windows Dashboards and Reports:

  1. After installing the Splunk App for Content Packs, install the content pack in your test environment.
  2. Once you complete testing the content pack in your test environment, install the content pack in your production environment.

To learn how to install the content pack, see, see Install and configure the Content Pack for Windows Dashboards and Reports.

Last modified on 10 February, 2023
Upgrade the Content Pack for Windows Dashboards and Reports   Get Windows server data

This documentation applies to the following versions of Content Pack for Windows Dashboards and Reports: 1.0.1, 1.1.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters