Upgrade the Splunk Add-on for Windows
If you are a Splunk Cloud customer, file a Support ticket for assistance.
Upgrade from Windows 5.0.0 to Windows to 5.0.1
In previous versions of the Splunk Add-on for Windows, the sourcetypes
WMI:CPUTime extracted the
cpu_load_percent fields only for
instance_Total. Version 5.0.1 of the Splunk Add-on for Windows extracts the
cpu_load_percent fields for all instances.
To continue collecting data for
wmi events with older behavior, complete the following steps:
- Paste the following stanza for
[WMI:CPUTime] interval = 3 wql = SELECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total" disabled = 0
- Paste the following stanzas for
local/props.conffile for data you want to collect with either single mode or multikv:
[Perfmon:CPU] EVAL-cpu_user_percent = if(counter=="% User Time" AND instance=="_Total",Value,null()) EVAL-cpu_load_percent = if(counter=="% Processor Time" AND instance=="_Total",Value,null()) ## The following eval command avoids a known issue with tag expansion: EVAL-windows_cpu_load_percent = if(counter=="% Processor Time" AND instance=="_Total",Value,null()) [PerfmonMk:CPU] EVAL-cpu_user_percent = if(instance=="_Total", '%_User_Time', null()) EVAL-cpu_load_percent = if(instance=="_Total", '%_Processor_Time', null()) ## The following eval command avoids a known issue with tag expansion: EVAL-windows_cpu_load_percent = if(instance=="_Total", '%_Processor_Time', null())
Upgrade from version 4.8.4 to version 5.0.1
To upgrade from the Splunk Add-on for Windows version 4.8.4 or another version before 5.0.0, complete the following steps to upgrade first to 5.0.0. Then, follow the instructions on this page for upgrading from 5.0.0 to 5.0.1.
indexes.conf file was removed in the Splunk Add-on for Windows version 5.0.x along with the
index=* parameter from all stanzas in
If you miss the following steps, your Splunk platform will not have index configurations. This can result in data loss.
If you were using
indexes.conf or any custom index to store your data in an earlier version of the Splunk Add-on for Windows, copy or create the windows, wineventlog, and perfmon stanzas from the
eventgen.conf files in your existing Splunk Add-on for Windows v4.8.4
/Splunk_TA_Windows/default/ folder to the
/Splunk_TA_Windows/local/ folder. Otherwise, any data collected will go to the default main index.
When you forward data from a Windows server using the Splunk Add-on for Windows, the indexer you send the events to must also have these indexes present. Install the add-on onto the indexer, and create a new
indexes.conf file in the
/Splunk_TA_Windows/local/ directory. After creating the indexes, specify these indexes in inputs.conf in the
Configure users and roles
authorize.conf file was removed in the Splunk Add-on for Windows v5.0.0. If you want other users in your organization to search through the data stored, copy the
windows_admin role from
authorize.conf in your existing Splunk Add-on for Windows v4.8.4
/Splunk_TA_Windows/default/ folder to
/Splunk_TA_Windows/local/ folder for the user you would like to give search access to. Adding this role to any user will allow that user to search the following indexes.
- windows: For DHCP, Windows Update logs, Windows network, host, printer, and Registry monitoring.
- wineventlog: For all Windows Event Log channels.
- perfmon: For all Windows Performance Monitoring events.
Upgrade saved searches
Due to source and sourcetype changes for WinEventLog data, saved searches that are still using old soucetype names do not work. You can search by "source=" instead:
|Event type||Sourcetype it replaces||Search|
Configuration file changelog for 5.0.0
The Splunk Add-on for Windows 5.0.0 removes several legacy configurations, including ones from third-party tools NTSyslog, Snare, and Monitorware and ES 2.0.2 legacy field extractions. If you are using any configurations that were removed in the Splunk Add-on for Windows 5.0.0, copy the relevant configuration stanzas from your existing Splunk Add-on for Windows v4.8.4
/default/ folder to the
Removed configuration file stanzas
The following stanzas have been removed from configuration files. Before upgrading to the Splunk Add-on for Windows v5.0.0, copy the configuration stanzas below from your existing Splunk Add-on for Windows v4.8.4
/default/ folder to
|Configuration file name||Name of stanza removed|
Third-party files removed
Manually remove the following extra third-party configurations.
List of sample files to delete:
Lookup files to delete:
Removed global stanza configurations in inputs.conf for WinEventLog
The global stanza below has been removed from
inputs.conf in the Splunk Add-on for Windows v5.0.x.
[default] evt_dc_name = evt_dns_name =
If you were using these configurations, the addon no longer defines them in
inputs.conf. Before upgrading the addon, copy this stanza from
local/inputs.conf in the Windows addon folder before upgrading the addon to 5.0.x.
Changed default Perfmon data collection mode to multikv from single
Multikv mode of Perfmon data collection has benefits over single mode. Refer here for more information.
Multikv mode has a different event format than single mode. If you want to use multikv mode, set mode = multikv for all required stanzas:
- Create a local copy of all the existing [perfmon://*] stanzas in
- For each stanza add the line "mode = multikv"
If you want to collect Perfmon data inputs in single mode event format after upgrading the Splunk Add-on for Windows to 5.0.x, follow these steps:
- Create a local copy of all the existing [perfmon://*] stanzas in
- For each stanza add the line "mode = single"
- The following is an example stanza for perfmon CPU inputs stanza to continue collecting CPU related perfmon data in single mode.
[perfmon://CPU] counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec disabled = 0 instances = * interval = 10 mode = single object = Processor useEnglishOnly=true index = perfmon
You cannot change Perfmon mode in Splunk Web.
WinEventLog extraction changes
The Splunk Add-on for Windows v5.0.x updates how source and sourcetypes are assigned to
Sourcetype changes for WinEventLog data
All WinEventLogs are now assigned to either the WinEventLog or the XmlWinEventLog sourcetype and distinguished by their source.
|Version 4.8.4 and earlier source||Version 4.8.4 and earlier sourcetype||Version 5.0.x source||Version 5.0.x sourcetype|
WinEventLog:Security in the Splunk Add-on for Windows version 4.8.4 or earlier will remain the same for already indexed events. For newly indexed events from the Splunk Add-on for Windows version 5.0.x, the sourcetypes will be changed as shown in the table above.
Backwards compatibility for indexed events
Due to this change, events that have already been indexed will not be extracted properly. Add the appropriate stanza to rename your already indexed events at search-time if it is not present in the ###### Backward Compatibility ###### section in
[WinEventLog:Security] rename = wineventlog [WinEventLog:Application] rename = wineventlog [WinEventLog:System] rename = wineventlog [XmlWinEventLog:Security] rename = xmlwineventlog [XmlWinEventLog:Application] rename = xmlwineventlog [XmlWinEventLog:System] rename = xmlwineventlog
Renamed sourcetypes are case-sensitive and will not show up in results if your search is not case-sensitive.
Change sourcetype-based extractions to source-based
If you were collecting data for WinEventLog for any custom data inputs that were not provided in the Splunk Add-on for Windows and have added custom extractions in its sourcetype-based stanzas, convert the sourcetype-based configurations for your custom data inputs to source-based extractions.
This example uses the following custom data input in
# Legacy PowerShell pipeline execution details (800) [WinEventLog://Windows PowerShell] whitelist = 800 disabled = 0 start_from = oldest current_only = 0 checkpointInterval = 5 index = epintel renderXml=true
This custom data input has the sourcetype-based stanza
[WinEventLog:Windows PowerShell] to be extracted in the
local/props.conf folder. For the Splunk Add-on for Windows v5.0.x, rename the sourcetype-based stanza to the source-based stanza
[source::WinEventLog:Windows PowerShell] in
props.conf to extract the fields.
Do not merge sourcetype-based stanzas containing custom extractions to the stanzas containing
rename=wineventlog. You must convert the sourcetype-based stanzas containing custom extractions to source-based stanzas as mentioned above or your field extractions will not work.
Events that have already been indexed will not be extracted properly due to this change. Convert the sourcetype-based configurations for your custom data inputs to source-based extractions.
Install the Splunk Add-on for Windows with Forwarder Management
Upgrade the Splunk Add-on for Windows in a distributed deployment
This documentation applies to the following versions of Splunk® Add-on for Windows: 5.0.1