Splunk® Add-on for Windows

Deploy and Use the Splunk Add-on for Windows

This documentation does not apply to the most recent version of Splunk® Add-on for Windows. For documentation on the most recent version, go to the latest release.

Release notes

This topic contains information on new features, known issues, and updates as we version the Splunk Add-on for Windows.

The latest version of the Splunk Add-on for Windows was released on Monday, February 29, 2016.

What's new

Here's what's new in the latest version of the Splunk Add-on for Windows:

Publication date Defect number Description
2016-02-29 - Bug fixes.
2016-02-29 TAG-10607 Event type definitions have been updated to improve search performance.

Current known issues

The Splunk Add-on for Windows has the following known issues:

Publication date Defect number Description
2015-12-15 TAG-9912 The add-on sometimes parses the wrong value for Windows Event Code 4740 (User lockout).
Before 2015-9-18 TAG-9554 The Account_Domain_as_dest_nt_domain field transformation incorrectly parses the "Account Domain" field. Additionally, the Login_ID_as_session_id transformation incorrectly parses the "Logon_ID" field. Both field transformations produce multi-value fields. This prevents the Splunk Apps for Microsoft Exchange and Windows Infrastructure from displaying correct results in the "Account Lockout - User" panels and any ad-hoc searches that reference these fields.

Change log (what's been fixed)

Publication date Defect number Description
2016-02-29 TAG-10607 Event type definitions have been updated to improve search performance.
2016-02-29 TAG-10540 When you enable the rendering of Event Log events in XML, the add-on now extracts the SubStatus field and maps it to the Sub_Status field that a lookup expects. This improves event type classification for Windows Security Event Code 4625, which details why a user failed to log in to a Windows host.
2016-02-29 TAG-10491 The windows_signatures_substatus.csv lookup, which contains information on status and substatus codes for Windows Security Event Code 4625 (among others) is now compatible with Windows Server 2012 R2.
2016-02-29 TAG-10249 (TAG-9748) The add-on no longer tags events that do not have anything to do with authentication as "Authentication" events. It also no longer maps these events to the CIM Authentication data model.
2016-02-29 TAG-9069 The field transformations in the add-on no longer generate WARN SearchOperator:kv - Missing FORMAT error messages.
2016-02-29 TAG-8663 The add-on naming convention is now consistent in all of its user interface elements.
Last modified on 25 February, 2016
Source types and CIM data model info  

This documentation applies to the following versions of Splunk® Add-on for Windows: 4.8.2

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters