Splunk® App for Windows Infrastructure

Deploy and Use the Splunk App for Windows Infrastructure


This documentation does not apply to the most recent version of MSApp.

Upgrade from version 1.2.x

These upgrade instructions help you replace the Splunk App for Windows Infrastructure and the add-ons for Microsoft Active Directory and Windows DNS with the updated versions that are available on Splunkbase. You must download these updated add-ons for the updated Splunk App for Windows Infrastructure to continue to work properly.

Download the updated Splunk App for Windows Infrastructure

  1. Download the Splunk App for Windows Infrastructure from Splunkbase.

Download the Splunk Add-on for Windows

  1. Download the Splunk Add-on for Windows from Splunkbase.

Download the new add-ons for Active Directory and Windows DNS

  1. Download the Splunk Add-on for Microsoft Active Directory from Splunkbase.
  2. Download the Splunk Add-on for Windows DNS from Splunkbase.
  3. Unarchive the add-ons to a location that is accessible from all hosts in your Exchange deployment.

Use a deployment server to make updates to apps and configurations

This upgrade method is more streamlined than attempting to upgrade each host in the environment manually.

Upgrade the search head

The search head is the Splunk Enterprise instance that runs the Splunk App for Windows Infrastructure and shows all of the app data. These upgrade instructions should be performed on any host that has been designated as a search head in your Exchange deployment.

  1. Update the Splunk Add-on for Windows.
  2. Update the Splunk Supporting Add-on for Active Directory.
  3. Install the Splunk Add-on for Microsoft Active Directory.
  4. Install the Splunk Add-on for Windows DNS.
  5. Update the Splunk App for Windows Infrastructure.
  6. Restart Splunk Enterprise.

Upgrade the indexer

The indexer is the Splunk Enterprise instance that holds all of the data that the Splunk App for Windows Infrastructure has collected from Active Directory and Windows hosts. These instructions should be performed on any host that has been designated as an indexer in your Windows deployment. If a host acts as both an indexer and a search head, perform these instructions, then perform the "Upgrade the search head" instructions.

  1. Upgrade the Splunk Add-on for Windows.
  2. Restart Splunk Enterprise.

Upgrade the forwarders

Each Windows Server or Active Directory host must receive the appropriate Active Directory or DNS Add-ons to continue collecting the right data. Additionally, each of these add-ons must be configured to collect the right set of data.

Prepare the new add-ons

  1. Copy the Splunk Add-on for Microsoft Active Directory (TA-Microsoft-AD) to the deployment apps directory on the deployment server.
  2. Copy the Splunk Add-on for Windows DNS (TA-Microsoft-DNS) to the deployment apps directory on the deployment server.
  3. Using a command prompt, PowerShell window, or Explorer window, go to the deployment apps directory on the deployment server.
  4. If you have made any customizations to the old set of add-ons, copy and paste those configurations from the local directory of those add-ons into the local directory of the new add-ons.

Create server classes, push the new add-ons, and delete the old add-ons

  1. On the deployment server, create a server class for the Splunk Add-on for Microsoft Active Directory and the Splunk Add-on for Windows DNS.
  2. Assign the add-ons to the appropriate server class. For example, the TA-Microsoft-AD add-on should be assigned to a "Microsoft Active Directory" server class.
  3. Assign the Windows Server and Active Directory hosts in your Windows deployment to the appropriate server classes. For example, Windows Server hosts that participate in Active Directory should be assigned to the server class that has the TA-Microsoft-AD add-on assigned to it.
  4. Delete all of the old add-ons on the deployment server (for example, TA-DomainController-NT5, TA-DNSServer-*, and so on).
  5. Use the deployment server to push the new add-ons to all of the hosts in the deployment.
  6. Restart the deployment server.
  7. Restart all forwarders.
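
A `serverclass.conf` fragment covering steps 1 through 3, added here as an example and not taken from the original page. The host names and the "Windows DNS" class name are placeholders; substitute the forwarders in your own deployment.

```ini
# serverclass.conf on the deployment server (example values, not from the original page)

# Step 1: one server class per new add-on.
[serverClass:Microsoft Active Directory]
# Step 3: forwarders on hosts that participate in Active Directory (placeholder names).
whitelist.0 = dc01.example.com
whitelist.1 = dc02.example.com

# Step 2: assign TA-Microsoft-AD to that class.
[serverClass:Microsoft Active Directory:app:TA-Microsoft-AD]
stateOnClient = enabled
# Restart splunkd on the forwarder after the add-on is delivered.
restartSplunkd = true

# "Windows DNS" is an assumed class name for the DNS add-on.
[serverClass:Windows DNS]
whitelist.0 = dns01.example.com

[serverClass:Windows DNS:app:TA-Microsoft-DNS]
stateOnClient = enabled
restartSplunkd = true
```

Keep each whitelist to the hosts that need the add-on, so that Active Directory and DNS inputs are enabled only on the forwarders meant to collect that data.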


Upgrade the Splunk App for Windows Infrastructure without a deployment server

If you do not have a deployment server in your environment, you must perform these instructions manually.

Upgrade the Splunk Add-ons for Microsoft Active Directory and Windows DNS

A deployment server makes this part of the upgrade easier.

  1. Download the Splunk Add-on for Microsoft Active Directory from Splunkbase.
  2. Download the Splunk Add-on for Windows DNS from Splunkbase.
  3. On every domain controller in your environment that has a Splunk universal forwarder and the old TA-DomainController* add-on installed, remove the add-on.
  4. Install the new TA-Microsoft-AD add-on onto the domain controllers.
  5. On every DNS server in your environment that has a Splunk universal forwarder and the old TA-DNSServer* add-on installed, remove the add-on.
  6. Install the new TA-Microsoft-DNS add-on onto the DNS servers.
  7. Restart the universal forwarders on both the domain controllers and DNS servers.

Upgrade Splunk Add-on for Windows

Refer to "Upgrade the Splunk Add-on for Windows" to upgrade from a previous version of TA_windows to TA_windows 5.0.1.

Add the Splunk Add-ons for Microsoft Active Directory and Windows DNS to indexers and search heads

  1. Install the TA-Microsoft-AD add-on into all Splunk Enterprise indexers and search heads in the deployment.
  2. Install the TA-Microsoft-DNS add-on into all Splunk Enterprise indexers and search heads in the deployment.
  3. Restart Splunk Enterprise on all indexers and search heads in the deployment.

Upgrade the Splunk App for Windows Infrastructure

  1. Download the updated app installation package from Splunkbase and save it to an accessible location.
  2. Unpack the archive.
  3. Copy the splunk_app_windows_infrastructure folder to the %SPLUNK_HOME%\etc\apps folder on the search head(s) in the deployment.
  4. (Optional) If the operating system asks if you want to overwrite the existing folder, answer yes.
  5. Restart Splunk Enterprise on the search heads.
  6. Log back into Splunk Enterprise.
  7. From the Home page, activate the Splunk App for Windows Infrastructure. Choose Splunk App for Windows Infrastructure from the list of apps on the left.

This documentation applies to the following versions of Splunk® App for Windows Infrastructure: 1.4.2, 1.4.3, 1.4.4, 1.5.0, 1.5.1


Comments

@Benlc,
The search errors on the UI occur when the Splunk App for Windows Infrastructure v1.5.x is installed with Splunk_TA_windows v4.8.4 due to changes in windows_apps.csv. However, if Splunk App for Windows Infrastructure is installed with Splunk_TA_windows v5.0.1, then it is not required to delete windows_apps.csv.

Nicolen splunk, Splunker
December 21, 2018

Upgrade from 1.4.x and 1.5.0 to 1.51 in addition with Splunk TA windows 5.0.1 the lookup windows_apps.csv needs to be deleted.

Benlc
December 20, 2018
