Content Pack for Windows Dashboards and Reports

This documentation does not apply to the most recent version of Content Pack for Windows Dashboards and Reports. For documentation on the most recent version, go to the latest release.

Migrate from the Splunk App for Windows Infrastructure to the Content Pack for Windows Dashboards and Reports

The Content Pack for Windows Dashboards and Reports replicates the dashboards and reports available in the Splunk App for Windows Infrastructure. Migrate from the legacy app to the content pack to take advantage of a consolidated experience within one app, either ITSI or IT Essentials Work. In addition, you can upgrade all content packs by upgrading the Splunk App for Content Packs.

You can review the dashboards included in the Content Pack for Windows Dashboards and Reports before migrating to that content pack. For a list of the included dashboards, see Dashboard reference for the Content Pack for Windows Dashboards and Reports.

On October 20, 2021, the Splunk App for Windows Infrastructure reached its end of life. Splunk no longer maintains or develops the Splunk App for Windows Infrastructure.

Migration for cloud environments

For migration on the cloud, submit a new case using the Support and Services section of the Splunk Support Portal. Splunk Cloud TechOps personnel will assist with your migration from Splunk App for Windows Infrastructure to the Content Pack for Windows Dashboards and Reports. After the migration is completed, perform the post-migration steps if data is ingested in the custom indexes.

Update configuration and access the dashboards

If you are ingesting Windows data in custom indexes other than the default indexes used by Splunk App for Microsoft Windows, then perform the following steps after your stack is migrated from Splunk App for Windows Infrastructure to Splunk App for Content Packs with the Content Pack for Windows Dashboards and Reports:

  1. Open Splunk IT Essentials Work or Splunk IT Service Intelligence.
  2. Navigate to Settings > Event types.
  3. In the search bar, search for the event type named in the table that follows.
  4. Click on Event type.
  5. Update the definition with the custom index value.

After you've performed the steps above, you can use the knowledge objects included in Windows Dashboards and Reports content pack. For a list of the included dashboards, see Dashboard reference for the Content Pack for Windows Dashboards and Reports.

Data ingested into a custom index by the Splunk Add-on for Microsoft Windows | Event type to configure in the Content Pack for Windows Dashboards and Reports | Example event type value
Wineventlog data | wineventlog_index_windows | index = custom_index1 AND index = custom_index2
Perfmon data | perfmon_index_windows | index = custom_index1 AND index = custom_index2
MSAD data | msad_index_windows | index = custom_index1 AND index = custom_index2
Windows data | windows_index_windows | index = custom_index1 AND index = custom_index2

Migration for on-premises standalone or distributed environments

You can perform the migration yourself in an on-premises standalone or distributed environment, provided you complete the migration prerequisites first.

Before you migrate

Before migrating to the Content Pack for Windows Dashboards and Reports, follow the steps below to back up your custom configurations and lookups.

  1. Make a backup of the splunk_app_windows_infrastructure package in $SPLUNK_HOME/etc/apps on each search head, including at least the following:
    1. /local directory, which contains all the local configurations in conf files.
    2. /lookups directory, which contains the CSV lookups.
    3. /metadata/local.meta file, which contains the updated permissions for the knowledge objects.
  2. Make a backup of the KV Store lookups present in the app.
    1. Identify the KV store captain among your search heads (perform this step only if you have multiple search heads in your environment):
      $SPLUNK_HOME/bin/splunk show kvstore-status
      
    2. Log in to the KV store captain search head and run the following command:
      $SPLUNK_HOME/bin/splunk backup kvstore -archiveName splunk_app_windows_infrastructure_kvstore_backup -appName splunk_app_windows_infrastructure
      
    3. Identify the latest backup in $SPLUNK_HOME/var/lib/splunk/kvstorebackup and copy the splunk_app_windows_infrastructure_kvstore_backup.tar.gz file to $SPLUNK_HOME/tmp. You need this archive to restore the app's lookup data during migration.
  3. Perform the following steps on each role present in the instance.
    1. Navigate to Settings > Roles
    2. Click on Edit > Edit
    3. Deselect the winfra-admin role from the Inheritance tab if selected.
    4. Click on Save.
  4. Perform the following steps on each user inheriting the winfra-admin role.
    1. Navigate to Settings > Users
    2. Click on Edit > Edit
    3. Navigate to Assign Roles
    4. From Selected item(s) > Remove winfra-admin role
    5. Click on Save.
  5. After performing steps 3 and 4, verify that the winfra-admin role is not referenced anywhere under $SPLUNK_HOME/etc/ other than $SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure, using the following command:
    grep -nr winfra-admin $SPLUNK_HOME/etc
    
  6. If step 5 finds any other occurrences of the winfra-admin role, remove them.
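The check in steps 5 and 6 can be scripted so that hits inside the legacy app's own directory are ignored and anything else that still references the role causes a failure. This is an added example, not from the Splunk documentation; the function names and the etc-directory argument are ours.

```shell
#!/bin/sh
# Added example (not Splunk's code): find stray references to the winfra-admin
# role under a Splunk etc/ tree, ignoring the legacy app's own directory.
# Assumes: $1 is the path to $SPLUNK_HOME/etc (argument convention is ours).

find_winfra_admin_refs() {
  etc_dir="$1"
  legacy_app="$etc_dir/apps/splunk_app_windows_infrastructure"
  # grep -rn prints file:line:text; drop hits that live inside the legacy app
  grep -rn 'winfra-admin' "$etc_dir" 2>/dev/null | grep -vF "$legacy_app/"
}

# Returns 0 when no stray references remain (safe to continue the migration),
# 1 when some role, user or other conf file still points at winfra-admin.
check_winfra_admin_removed() {
  refs=$(find_winfra_admin_refs "$1" || true)
  if [ -n "$refs" ]; then
    printf 'winfra-admin is still referenced outside the legacy app:\n%s\n' "$refs" >&2
    return 1
  fi
  return 0
}
```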

If you are currently using the Splunk App for Windows Infrastructure, your deployment setup might resemble the following table:

Data collection node (forwarder) Indexer Search head
Splunk Add-on for Microsoft Windows
Splunk App for Windows Infrastructure
Splunk Supporting Add-on for Active Directory

Migrate from Splunk App for Windows Infrastructure to Content Pack for Windows Dashboards and Reports

Follow the steps below to migrate from Splunk App for Windows Infrastructure to Content Pack for Windows Dashboards and Reports. Use the instructions in "Before you migrate" to make a backup of your existing lookups and custom configurations before you start the migration procedure.

  1. Perform the following steps on each Search Head present in your deployment to disable the Splunk App for Windows Infrastructure:
    1. Open $SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/local/app.conf (create app.conf in the local directory if it does not exist) and set the "state" property of the "install" stanza as follows:
      [install]
      state = disabled
      
    2. Restart the instance using $SPLUNK_HOME/bin/splunk restart.
  2. Install ITSI or IT Essentials Work on the same search head with Windows data according to your type of deployment. Refer to these topics in the Splunk IT Service Intelligence Install and Upgrade Manual:
    1. Install Splunk IT Service Intelligence on a single instance
    2. Where to install IT Service Intelligence in a distributed environment
    3. Install Splunk IT Essentials Work on a single on-premises instance (Note that if you're using a Cloud-only version of IT Essentials Work, Splunk Support does the installation).
  3. Install the Splunk App for Content Packs according to your type of deployment:
    1. Install the Splunk App for Content Packs on a single on-premises environment
    2. Install the Splunk App for Content Packs on a distributed environment

After following the previous steps, the deployment is installed as shown in the following table:

Data collection node (forwarder) Indexer Search head
Splunk Add-on for Microsoft Windows
ITSI or IT Essentials Work
Splunk App for Windows Infrastructure Disabled
Splunk App for Content Packs
Splunk Supporting Add On for Active Directory

After you install the Content Pack for Windows Dashboards and Reports

  1. Restore the backup of the KV store lookup.
    1. Identify the KV store captain (perform this step only if you are using a search head cluster; in a single search head deployment, that search head is the KV store captain):
      $SPLUNK_HOME/bin/splunk show kvstore-status
      
    2. If the KV store captain has changed, move the KV store backup file from the old captain to the current captain. Run the following command on the search head where you took the KV store backup in the "Before you migrate" section (search head cluster only):
      scp /path_of_splunk_app_windows_infrastructure_kvstore_backup.tar.gz {SPLUNK_USER}@{SEARCH_HEAD_IP}:{SPLUNK_HOME}/tmp
      
    3. On the current KV store captain, extract the backup archive into $SPLUNK_HOME/tmp (the -C option places the extracted folder next to the archive regardless of your current directory):
      tar -xzvf $SPLUNK_HOME/tmp/splunk_app_windows_infrastructure_kvstore_backup.tar.gz -C $SPLUNK_HOME/tmp
      
    4. Rename the extracted folder to the content pack's app name:
      mv $SPLUNK_HOME/tmp/splunk_app_windows_infrastructure $SPLUNK_HOME/tmp/DA-ITSI-CP-windows-dashboards
      
    5. Create a new archive from the renamed folder:
      tar -czf $SPLUNK_HOME/tmp/DA-ITSI-CP-windows-dashboards_kvstore_backup.tar.gz -C $SPLUNK_HOME/tmp DA-ITSI-CP-windows-dashboards
      
    6. Move the $SPLUNK_HOME/tmp/DA-ITSI-CP-windows-dashboards_kvstore_backup.tar.gz file to $SPLUNK_HOME/var/lib/splunk/kvstorebackup.
    7. Restore the backup:
      $SPLUNK_HOME/bin/splunk restore kvstore -archiveName DA-ITSI-CP-windows-dashboards_kvstore_backup.tar.gz -appName DA-ITSI-CP-windows-dashboards
      
  2. Perform the following steps on each Search Head present in your deployment:
    1. Move the following items from the splunk_app_windows_infrastructure backup that you made before the migration into the DA-ITSI-CP-windows-dashboards app folder:
      1. /local directory, which contains all the local configurations of the app
      2. /lookups directory
      3. /metadata/local.meta file
    2. Remove the app.conf file from the local directory.
    3. Remove the msftapps_winfra_setup.conf file from the local directory of DA-ITSI-CP-windows-dashboards.
    4. Remove the splunk_msftapp.conf file from the local directory.
    5. Restart the instance using $SPLUNK_HOME/bin/splunk restart.
  3. If you are ingesting Windows Data in custom indexes other than the default indexes used by Splunk App for Microsoft Windows, then perform the following steps after your stack is migrated from Splunk App for Windows Infrastructure to Splunk App for Content Packs with the Content Pack for Windows Dashboards and Reports.
    1. Open the Splunk IT Essentials Work or Splunk IT Service Intelligence App.
    2. Navigate to Settings > Event types.
    3. In the search bar, search for each event type named in the table that follows.
    4. Click on the Event type.
    5. Update the Event type definition with the custom index value.

Data ingested into a custom index by the Splunk Add-on for Microsoft Windows | Event type to configure in the Content Pack for Windows Dashboards and Reports | Example event type value
Wineventlog data | wineventlog_index_windows | index = custom_index1 AND index = custom_index2
Perfmon data | perfmon_index_windows | index = custom_index1 AND index = custom_index2
MSAD data | msad_index_windows | index = custom_index1 AND index = custom_index2
Windows data | windows_index_windows | index = custom_index1 AND index = custom_index2
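The untar, rename and re-tar sequence in step 1 of the restore procedure above is easy to get wrong when run from the wrong working directory. This added example (not Splunk's code) performs the same conversion in a scratch directory and checks the resulting archive before you move it into kvstorebackup; the function names and their arguments are assumptions.

```shell
#!/bin/sh
# Added example (not Splunk's code): convert the KV store backup taken from
# splunk_app_windows_infrastructure into one that restores into the content
# pack app DA-ITSI-CP-windows-dashboards. Same effect as the manual
# tar -x / mv / tar -c steps, done in a scratch dir with a check at each step.
# Assumes: $1 = path to splunk_app_windows_infrastructure_kvstore_backup.tar.gz,
#          $2 = directory to write the renamed archive into (names are ours).

OLD_APP=splunk_app_windows_infrastructure
NEW_APP=DA-ITSI-CP-windows-dashboards

# Prints the path of the converted archive on success; returns 1 on any error.
convert_kvstore_backup() {
  src="$1"; out_dir="$2"
  [ -f "$src" ] || { echo "backup not found: $src" >&2; return 1; }
  work=$(mktemp -d) || return 1
  # Extract into the scratch directory, never into the current directory
  tar -xzf "$src" -C "$work" || return 1
  # The archive must carry the legacy app's folder at its top level
  [ -d "$work/$OLD_APP" ] || { echo "no $OLD_APP folder in $src" >&2; return 1; }
  mv "$work/$OLD_APP" "$work/$NEW_APP" || return 1
  mkdir -p "$out_dir" || return 1
  # Re-archive from inside the scratch dir so the top-level entry is NEW_APP/
  tar -czf "$out_dir/${NEW_APP}_kvstore_backup.tar.gz" -C "$work" "$NEW_APP" || return 1
  rm -rf "$work"
  echo "$out_dir/${NEW_APP}_kvstore_backup.tar.gz"
}

# Sanity check before copying into kvstorebackup/: every entry in the new
# archive must sit under the content pack's folder name, or the restore
# would recreate the legacy app's collections instead.
verify_converted_backup() {
  if tar -tzf "$1" | grep -qv "^$NEW_APP/"; then
    echo "unexpected top-level entry in $1" >&2
    return 1
  fi
  return 0
}
```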

The searches in the Splunk App for Windows Infrastructure select their index through a macro, whereas the searches in the Content Pack for Windows Dashboards and Reports select it through event types. Accordingly, after migrating to the content pack you need to configure the corresponding event type index definitions.

For information about configuring eventtype indexes, see Create custom indexes.

Install and configure the content pack

Dashboards present in the Splunk App for Windows Infrastructure are installed by default in Content Pack for Windows Dashboards and Reports. Follow the steps below to enable the Savedsearches used by Content Pack Dashboards and ITSI objects, and install additional ITSI objects provided by the content pack.

  1. Ensure the Windows data collected using Splunk Add-on for Microsoft Windows is searchable from the search head where you installed the Splunk App for Content Packs.
  2. Follow the steps in Install and configure the Content Pack for Windows Dashboards and Reports.

Access the dashboards in the content pack

To access the dashboards from the content pack:

  1. In Splunk Web, open ITSI or IT Essentials Work.
  2. From the main navigation bar choose Dashboards > Dashboards.
  3. In the list of dashboards, those with the App name of DA-ITSI-CP-windows-dashboards are from the Content Pack for Windows Dashboards and Reports. Select the name of the dashboard that you want to open.

Configure the Content Pack for Windows Dashboards and Reports in a new environment

If you don't repurpose an existing environment for migrating from the Splunk App for Windows Infrastructure to the Content Pack for Windows Dashboards and Reports as described above, you can configure the content pack in a new environment.

To configure the content pack in a new environment, create a test environment and perform the following steps to set up the Content Pack for Windows Dashboards and Reports:

  1. After installing the Splunk App for Content Packs, install the content pack in your test environment.
  2. Once you complete testing the content pack in your test environment, install the content pack in your production environment.

To learn how to install the content pack, see Install and configure the Content Pack for Windows Dashboards and Reports.

Last modified on 10 October, 2023

This documentation applies to the following versions of Content Pack for Windows Dashboards and Reports: 1.2.0, 1.2.1, 1.2.2, 1.3.0
