Migrate from the Splunk App for Windows Infrastructure to the Content Pack for Windows Dashboards and Reports
The Content Pack for Windows Dashboards and Reports replicates the dashboards and reports available in the Splunk App for Windows Infrastructure. Migrate from the legacy app to the content pack to take advantage of a consolidated experience within one app, either ITSI or IT Essentials Work. In addition, you can upgrade all content packs by upgrading the Splunk App for Content Packs.
You can review the dashboards included in the Content Pack for Windows Dashboards and Reports before migrating to that content pack. For a list of the included dashboards, see Dashboard reference for the Content Pack for Windows Dashboards and Reports.
On October 20, 2021, the Splunk App for Windows Infrastructure reached its end of life. Splunk no longer maintains or develops the Splunk App for Windows Infrastructure.
Migration for cloud environments
For migration on the cloud, submit a new case using the Support and Services section of the Splunk Support Portal. Splunk Cloud TechOps personnel will assist with your migration from Splunk App for Windows Infrastructure to the Content Pack for Windows Dashboards and Reports.
Migration for on-premises standalone or distributed environments
You can perform the migration procedure in an on-prem standalone or distributed environment yourself, if you tend to migration prerequisites first.
Before you migrate
Before migrating to Content Pack for Windows Dashboards and Reports, make sure to follow the steps below to make a backup of your custom configurations and lookups:
- Make a backup of the directories below from the splunk_app_windows_infrastructure package present in
$SPLUNK_HOME/etc/apps
on each search head: /local
directory which contains all the local configurations under conf files./lookups
directory which contains the CSV lookups/metadata/local.meta
which contains the updated permissions for the Knowledge Objects.- Make a backup of the KV Store lookups present in the app.
- Identify the KVstore captain from different Search Heads. (Perform this step if you have multiple search heads in your environment)
$SPLUNK_HOME/bin/splunk show kvstore-status
- Login to the KVStore Captain search head and run the following command:
$SPLUNK_HOME/bin/splunk backup kvstore -archiveName splunk_app_windows_infrastructure_kvstore_backup -appName splunk_app_windows_infrastructure
- Identify the latest backup in
$SPLUNK_HOME/var/lib/splunk/kvstorebackup
and copy splunk_app_windows_infrastructure_kvstore_backup.tar.gz backup file to$SPLUNK_HOME/tmp
. This archive file is required to restore the App lookup data during migration.
If you are currently using the Splunk App for Windows Infrastructure, your deployment setup might resemble the following table:
Data collection node (forwarder) | Indexer | Search head | |
---|---|---|---|
Splunk Add-on for Microsoft Windows | ✓ | ✓ | ✓ |
Splunk App for Windows Infrastructure | ✓ | ||
Splunk Supporting Add-on for Active Directory | ✓ |
Migrate from Splunk App for Windows Infrastructure to Content Pack for Windows Dashboards and Reports
Follow the steps below to migrate from Splunk App for Windows Infrastructure to Content Pack for Windows Dashboards and Reports. Use the instructions in "Before you migrate" to make a backup of your existing lookups and custom configurations before you start the migration procedure.
- Perform the following steps on each Search Head present in your deployment to disable the Splunk App for Windows Infrastructure:
- Navigate to
{SPLUNK_HOME}/etc/apps/splunk_app_windows_infrastructure/local/app.conf
(create app.conf file in local directory if it is not present) and edit the "state" property of the "install" stanza as follows:[install] state = disabled
- Restart the Instance using
$SPLUNK_HOME/bin/splunk restart
. - Install ITSI or IT Essentials Work on the same search head with Windows data according to your type of deployment. Refer to these topics in the Splunk IT Service Intelligence Install and Upgrade Manual:
- Install Splunk IT Service Intelligence on a single instance
- Where to install IT Service Intelligence in a distributed environment
- Install Splunk IT Essentials Work on a single on-premises instance (Note that if you're using a Cloud-only version of IT Essentials Work, Splunk Support does the installation).
- Install the Splunk App for Content Packs according to your type of deployment:
After following the previous steps, the deployment is installed as shown in the following table:
Data collection node (forwarder) | Indexer | Search head | |
---|---|---|---|
Splunk Add-on for Microsoft Windows | ✓ | ✓ | ✓ |
ITSI or IT Essentials Work | ✓ | ✓ | |
Splunk App for Windows Infrastructure | Disabled | ||
Splunk App for Content Packs | ✓ | ||
Splunk Supporting Add On for Active Directory | ✓ |
After you migrate to the Content Pack for Windows Dashboards and Reports
- Restore the backup of the KV store lookup.
- Identify the KVstore captain from different search heads. (Perform this step if the you are using a Search Head Cluster environment). For Single Search Head Deployment, the only search head will be the KVstore captain.
$SPLUNK_HOME/bin/splunk show kvstore-status
- If the KV Store captain has changed, then move the KV Store backup file from old KV Store Captain to current KV Store Captain. Run the following command on the search head where the KVStore backup is taken as part of the "Before you migrate" section (Perform this step if the you are using a Search Head Cluster environment):
scp /path_of_splunk_app_windows_infrastructure_kvstore_backup.tar.gz {SPLUNK_USER}@{$search_head_ip}:/{SPLUNK_HOME}/tmp
- On your current KVStore captain, untar the backup tar file:
tar -xzvf $SPLUNK_HOME/tmp/splunk_app_windows_infrastructure_kvstore_backup.tar.gz
- Rename the folder
mv $SPLUNK_HOME/tmp/splunk_app_windows_infrastructure $SPLUNK_HOME/tmp/DA-ITSI-CP-windows-dashboards
- Tar the upgraded folder name
tar -czf $SPLUNK_HOME/tmp/DA-ITSI-CP-windows-dashboards_kvstore_backup.tar.gz DA-ITSI-CP-windows-dashboards
- Move the $SPLUNK_HOME/tmp/DA-ITSI-CP-windows-dashboards_kvstore_backup.tar.gz file in
$SPLUNK_HOME/var/lib/splunk/kvstorebackup
. - Restore the backup.
splunk restore kvstore -archiveName DA-ITSI-CP-windows-dashboards_kvstore_backup.tar.gz -appName DA-ITSI-CP-windows-dashboards
- Perform the following steps on each Search Head present in your deployment:
- Move the following directories from the App package to the DA-ITSI-CP-windows-dashboards folder that was backed up before you started the migration:
/local
directory collected from the app which contains all the local configurations of the app/lookups
directory/metadata/local.meta
directory- Remove the
app.conf
file from local directory. - Remove the
msftapps_winfra_setup.conf
file from local directory. - Remove the
splunk_msftapp.conf
file from local directory. - Restart the instance using
$SPLUNK_HOME/bin/splunk restart
.
The searches of Splunk App for Windows infrastructure use a macro-based index, whereas searches of Content Pack for Windows Dashboards and Reports contain eventtype-based specifications. Accordingly, you need to configure corresponding eventtype indexes after migrating to Windows Dashboards and Reports Content Pack.
For information about configuring eventtype indexes, see Create custom indexes.
Install and configure the content pack
You can now install and configure the content pack:
- Ensure the Windows data collected using Splunk Add-on for Microsoft Windows is searchable from the search head where you installed the Splunk App for Content Packs.
- Follow the steps in the Install and configure the Content Pack for Windows Dashboards and Reports.
Access the dashboards in the content pack
To access the dashboards from the content pack:
- In Splunk Web, open ITSI or IT Essentials Work.
- From the main navigation bar choose Dashboards > Dashboards.
- In the list of dashboards, those with the App name of DA-ITSI-CP-windows-dashboards are from the Content Pack for Windows Dashboards and Reports. Select the dashboard title you want to open the dashboard.
Configure the Content Pack for Windows Dashboards and Reports in a new environment
If you don't repurpose an existing environment for migrating from the Splunk App for Windows Infrastructure to the Content Pack for Windows Dashboards and Reports as described above, you can configure the content pack in a new environment.
To configure the content pack in a new environment, create a test environment and perform the follopwing steps to set up the Content Pack for Windows Dashboards and Reports:
- After installing the Splunk App for Content Packs, install the content pack in your test environment.
- Once you complete testing the content pack in your test environment, install the content pack in your production environment.
To learn how to install the content pack, see, see Install and configure the Content Pack for Windows Dashboards and Reports.
Install and configure the Content Pack for Windows Dashboards and Reports | Get Windows server data |
This documentation applies to the following versions of Content Pack for Windows Dashboards and Reports: 1.0.1, 1.1.0
Feedback submitted, thanks!