Splunk® Add-on for Windows

Deploy and Use the Splunk Add-on for Windows

This documentation does not apply to the most recent version of WindowsAddOn.

Release notes for the Splunk Add-on for Windows

Version 5.0.1 of the Splunk Add-on for Windows was released on August 29, 2018.

The Splunk Add-on for Windows 5.0.0 introduced breaking changes. If you are upgrading from a version of the Splunk Add-on for Windows that is earlier than 5.0.0, you must follow the steps outlined in Upgrade the Splunk Add-on for Windows. Failure to do so can result in data loss.


Version 5.0.1 of the Splunk Add-on for Windows is compatible with the following software, CIM versions, and platforms:

Splunk platform versions | 6.6.x, 7.0.x, 7.1.x, 7.2.x, 7.3.x
CIM | 4.11
Platform | Windows
Vendor Products | Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, Windows Server 2012/2012 R2, Windows Server 2016

The Splunk Add-on for Windows 5.0.1 is not compatible with the Splunk App for Windows Infrastructure version 1.4.4 and the Splunk App for Microsoft Exchange version 3.4.4. Use the Splunk Add-on for Windows 4.8.4 if you want to use either of these apps.

New or changed features

Version 5.0.1 of the Splunk Add-on for Windows has the following new or changed features:

  • Improved load balancing on the universal forwarder
  • Decoding of User Account Control values for Microsoft Active Directory
  • Functionality to normalize inappropriate values in WinEventLog events using the sed command
  • A scripted input for collecting local IP configurations

Fixed Issues

Version 5.0.1 of the Splunk Add-on for Windows fixes the following issues:

Date resolved | Issue number | Description
2018-08-06 | ADDON-18850 | TA-Windows is sending Wineventlog data with a different host format

Known Issues

Version 5.0.1 of the Splunk Add-on for Windows contains the following known issues. If no issues appear below, no issues have yet been reported:

Date filed | Issue number | Description
2019-06-10 | ADDON-22175 | Splunk_TA_windows: Windows TA not extracting user_group field correctly. Create a calculated field: [source::XmlWinEventLog:Security : EVAL-user_group|]
2019-05-27 | ADDON-22052, ADDON-23900 | Conflicting extraction written for "dest" field in source "WinEventLog:Application" and for "body" field in source "XmlWinEventLog:System"
2018-09-06 | ADDON-19338 | Data duplication issue in WindowsUpdate.Log
2016-04-19 | ADDON-9162 | Field extraction for Account Domain extracts multiple values

This documentation applies to the following versions of Splunk® Add-on for Windows: 5.0.1


The "Instance" data collected in collection="Processor Information" object="Processor Information" counter="% Processor Time" is incorrectly parsing instance values, resulting in no ability to differentiate between CPU Cores. The data is ingested; however, it truncates at the comma in the key value extraction component.

November 5, 2018

It would be helpful if dependencies were more clearly listed in release notes and under the first topic of the deploy & install documents. As an off-line user, it's maddening to download an app or add-on, transfer it to an air-gapped network (sometimes an hours-long process thanks to IA), and start installing only to find out 6 pages into the documentation that it also requires another app or add-on. Wash-Rinse-Repeat.
Also, as a new user, it's easy to confuse whether the Splunk App for Windows Infrastructure 1.4.4 is incompatible with the Splunk Add-on for Windows version 5.0.1 or the Splunk 5.x App for Windows. A compatibility matrix in BOLD on the first page of deployment documentation would have been nice.

October 12, 2018
