Migrate from the Splunk App for Windows Infrastructure to the Content Pack for Windows Dashboards and Reports
The Content Pack for Windows Dashboards and Reports replicates the dashboards and reports available in the Splunk App for Windows Infrastructure. Migrate from the legacy app to the content pack to take advantage of a consolidated experience within one app, either ITSI or IT Essentials Work. In addition, you can upgrade all content packs by upgrading the Splunk App for Content Packs.
You can review the dashboards included in the Content Pack for Windows Dashboards and Reports before migrating to that content pack. For a list of the included dashboards, see Dashboard reference for the Content Pack for Windows Dashboards and Reports.
On October 20, 2021, the Splunk App for Windows Infrastructure reached its end of life. Splunk no longer maintains or develops the Splunk App for Windows Infrastructure.
Migration for cloud environments
For migration on the cloud, submit a new case using the Support and Services section of the Splunk Support Portal. Splunk Cloud TechOps personnel will assist with your migration from Splunk App for Windows Infrastructure to the Content Pack for Windows Dashboards and Reports. After the migration is completed, perform the post-migration steps if data is ingested in the custom indexes.
Update configuration and access the dashboards
If you are ingesting Windows data in custom indexes other than the default indexes used by Splunk App for Microsoft Windows, then perform the following steps after your stack is migrated from Splunk App for Windows Infrastructure to Splunk App for Content Packs with the Content Pack for Windows Dashboards and Reports:
- Open Splunk IT Essentials Work or Splunk IT Service Intelligence.
- Navigate to Settings > Event types.
- Search for the Event type in the Search bar as mentioned in the RHS column of the table.
- Click on Event type.
- Update the definition with the custom index value.
After you've performed the steps above, you can use the knowledge objects included in Windows Dashboards and Reports content pack. For a list of the included dashboards, see Dashboard reference for the Content Pack for Windows Dashboards and Reports.
Type of data ingested from Splunk Add-on for Microsoft Windows in custom index | Corresponding Eventtype to be configured in Windows Dashboards and Reports Content Pack for custom indexes | Example value for Eventtype |
---|---|---|
Wineventlog data | wineventlog_index_windows | index = custom_index1 AND index = custom_index2 |
Perfmon data | perfmon_index_windows | index = custom_index1 AND index = custom_index2 |
MSAD data | msad_index_windows | index = custom_index1 AND index = custom_index2 |
Windows data | windows_index_windows | index = custom_index1 AND index = custom_index2 |
Migration for on-premises standalone or distributed environments
You can perform the migration procedure in an on-prem standalone or distributed environment yourself, if you perform migration prerequisites first.
Before you migrate
Before migrating to Content Pack for Windows Dashboards and Reports, follow the steps below to make the backup of your custom configurations and lookups.
- Make a backup of the splunk_app_windows_infrastructure package present in
$SPLUNK_HOME/etc/apps
on each search head, to include at least the following directories: /local
directory which contains all the local configurations under conf files./lookups
directory which contains the CSV lookups/metadata/local.meta
which contains the updated permissions for the Knowledge Objects.- Make a backup of the KV Store lookups present in the app.
- Identify the KVstore captain from different search heads. (Perform this step if you have multiple search heads in your environment)
$SPLUNK_HOME/bin/splunk show kvstore-status
- Login to the KVStore Captain search head and run the following command:
$SPLUNK_HOME/bin/splunk backup kvstore -archiveName splunk_app_windows_infrastructure_kvstore_backup -appName splunk_app_windows_infrastructure
- Identify the latest backup in
$SPLUNK_HOME/var/lib/splunk/kvstorebackup
and copy the splunk_app_windows_infrastructure_kvstore_backup.tar.gz backup file to$SPLUNK_HOME/tmp
. This archive file is required to restore the App lookup data during migration. - Perform the following steps on each role present in the instance.
- Navigate to Settings > Roles
- Click on Edit > Edit
- Deselect the
winfra-admin
role from the Inheritance tab if selected. - Click on Save.
- Perform the following steps on each user inheriting the
winfra-admin
role. - Navigate to Settings > Users
- Click on Edit > Edit
- Navigate to Assign Roles
- From Selected item(s) > Remove
winfra-admin
role - Click on Save.
- After performing steps 3 and 4, verify that there are no other occurrences of the
winfra-admin
role present in the$SPLUNK_HOME/etc/
directory except$SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure
by using following command:grep -nr winfra-admin
- If you find any occurrences of the role
winfra-admin
in step 5, remove them.
If you are currently using the Splunk App for Windows Infrastructure, your deployment setup might resemble the following table:
Data collection node (forwarder) | Indexer | Search head | |
---|---|---|---|
Splunk Add-on for Microsoft Windows | ✓ | ✓ | ✓ |
Splunk App for Windows Infrastructure | ✓ | ||
Splunk Supporting Add-on for Active Directory | ✓ |
Migrate from Splunk App for Windows Infrastructure to Content Pack for Windows Dashboards and Reports
Follow the steps below to migrate from Splunk App for Windows Infrastructure to Content Pack for Windows Dashboards and Reports. Use the instructions in "Before you migrate" to make a backup of your existing lookups and custom configurations before you start the migration procedure.
- Perform the following steps on each Search Head present in your deployment to disable the Splunk App for Windows Infrastructure:
- Navigate to
{SPLUNK_HOME}/etc/apps/splunk_app_windows_infrastructure/local/app.conf
(create app.conf file in local directory if it is not present) and edit the "state" property of the "install" stanza as follows:[install] state = disabled
- Restart the Instance using
$SPLUNK_HOME/bin/splunk restart
. - Install ITSI or IT Essentials Work on the same search head with Windows data according to your type of deployment. Refer to these topics in the Splunk IT Service Intelligence Install and Upgrade Manual:
- Install Splunk IT Service Intelligence on a single instance
- Where to install IT Service Intelligence in a distributed environment
- Install Splunk IT Essentials Work on a single on-premises instance (Note that if you're using a Cloud-only version of IT Essentials Work, Splunk Support does the installation).
- Install the Splunk App for Content Packs according to your type of deployment:
After following the previous steps, the deployment is installed as shown in the following table:
Data collection node (forwarder) | Indexer | Search head | |
---|---|---|---|
Splunk Add-on for Microsoft Windows | ✓ | ✓ | ✓ |
ITSI or IT Essentials Work | ✓ | ✓ | |
Splunk App for Windows Infrastructure | Disabled | ||
Splunk App for Content Packs | ✓ | ||
Splunk Supporting Add On for Active Directory | ✓ |
After you install the Content Pack for Windows Dashboards and Reports
- Restore the backup of the KV store lookup.
- Identify the KVstore captain from different search heads. (Perform this step if the you are using a Search Head Cluster environment). For Single Search Head Deployment, the only search head will be the KVstore captain.
$SPLUNK_HOME/bin/splunk show kvstore-status
- If the KV Store captain has changed, then move the KV Store backup file from old KV Store Captain to current KV Store Captain. Run the following command on the search head where the KVStore backup is taken as part of the "Before you migrate" section (Perform this step if the you are using a Search Head Cluster environment):
scp /path_of_splunk_app_windows_infrastructure_kvstore_backup.tar.gz {SPLUNK_USER}@{$search_head_ip}:/{SPLUNK_HOME}/tmp
- On your current KVStore captain, untar the backup tar file:
tar -xzvf $SPLUNK_HOME/tmp/splunk_app_windows_infrastructure_kvstore_backup.tar.gz
- Rename the folder
mv $SPLUNK_HOME/tmp/splunk_app_windows_infrastructure $SPLUNK_HOME/tmp/DA-ITSI-CP-windows-dashboards
- Tar the upgraded folder name
tar -czf $SPLUNK_HOME/tmp/DA-ITSI-CP-windows-dashboards_kvstore_backup.tar.gz DA-ITSI-CP-windows-dashboards
- Move the $SPLUNK_HOME/tmp/DA-ITSI-CP-windows-dashboards_kvstore_backup.tar.gz file in
$SPLUNK_HOME/var/lib/splunk/kvstorebackup
. - Restore the backup.
$SPLUNK_HOME/bin/splunk restore kvstore -archiveName DA-ITSI-CP-windows-dashboards_kvstore_backup.tar.gz -appName DA-ITSI-CP-windows-dashboards
- Perform the following steps on each Search Head present in your deployment:
- Move the following directories from the App package to the DA-ITSI-CP-windows-dashboards folder that was backed up before you started the migration:
/local
directory collected from the app which contains all the local configurations of the app/lookups
directory/metadata/local.meta
directory- Remove the
app.conf
file from local directory. - Remove the
msftapps_winfra_setup.conf
file from local directory of DA-ITSI-CP-windows-dashboards. - Remove the
splunk_msftapp.conf
file from local directory. - Restart the instance using
$SPLUNK_HOME/bin/splunk restart
. - If you are ingesting Windows Data in custom indexes other than the default indexes used by Splunk App for Microsoft Windows, then perform the following steps after your stack is migrated from Splunk App for Windows Infrastructure to Splunk App for Content Packs with the Content Pack for Windows Dashboards and Reports.
- Open the Splunk IT Essentials Work or Splunk IT Service Intelligence App.
- Navigate to Settings > Event types.
- Search for each Event type in Search bar mentioned in the RHS column of the table.
- Click on the Event type.
- Update the Event type definition with the custom index value.
Type of data ingested from Splunk Add-on for Microsoft Windows in custom index | Corresponding Eventtype to be configured in Windows Dashboards and Reports Content Pack for custom indexes | Example value for Eventtype |
---|---|---|
Wineventlog data | wineventlog_index_windows | index = custom_index1 AND index = custom_index2 |
Perfmon data | perfmon_index_windows | index = custom_index1 AND index = custom_index2 |
MSAD data | msad_index_windows | index = custom_index1 AND index = custom_index2 |
Windows data | windows_index_windows | index = custom_index1 AND index = custom_index2 |
The searches of Splunk App for Windows infrastructure use a macro-based index, whereas searches of Content Pack for Windows Dashboards and Reports contain eventtype-based specifications. Accordingly, you need to configure corresponding eventtype indexes after migrating to Windows Dashboards and Reports Content Pack.
For information about configuring eventtype indexes, see Create custom indexes.
Install and configure the content pack
Dashboards present in the Splunk App for Windows Infrastructure are installed by default in Content Pack for Windows Dashboards and Reports. Follow the steps below to enable the Savedsearches used by Content Pack Dashboards and ITSI objects, and install additional ITSI objects provided by the content pack.
- Ensure the Windows data collected using Splunk Add-on for Microsoft Windows is searchable from the search head where you installed the Splunk App for Content Packs.
- Follow the steps in the Install and configure the Content Pack for Windows Dashboards and Reports.
Access the dashboards in the content pack
To access the dashboards from the content pack:
- In Splunk Web, open ITSI or IT Essentials Work.
- From the main navigation bar choose Dashboards > Dashboards.
- In the list of dashboards, those with the App name of DA-ITSI-CP-windows-dashboards are from the Content Pack for Windows Dashboards and Reports. Select the name of the dashboard that you want to open.
Configure the Content Pack for Windows Dashboards and Reports in a new environment
If you don't repurpose an existing environment for migrating from the Splunk App for Windows Infrastructure to the Content Pack for Windows Dashboards and Reports as described above, you can configure the content pack in a new environment.
To configure the content pack in a new environment, create a test environment and perform the follopwing steps to set up the Content Pack for Windows Dashboards and Reports:
- After installing the Splunk App for Content Packs, install the content pack in your test environment.
- Once you complete testing the content pack in your test environment, install the content pack in your production environment.
To learn how to install the content pack, see, see Install and configure the Content Pack for Windows Dashboards and Reports.
Install and configure the Content Pack for Windows Dashboards and Reports | Get Windows server data |
This documentation applies to the following versions of Content Pack for Windows Dashboards and Reports: 1.2.0, 1.2.1, 1.2.2, 1.3.0
Feedback submitted, thanks!