Splunk® Add-on for Windows

Deploy and Use the Splunk Add-on for Windows

This documentation does not apply to the most recent version of Splunk® Add-on for Windows. For documentation on the most recent version, go to the latest release.

Upgrade the Splunk Add-on for Windows to version 5.0.1

If you are a Splunk Cloud customer, file a Support ticket for assistance.

Upgrade from version 5.0.0 to version 5.0.1

In previous versions of the Splunk Add-on for Windows, the sourcetypes Perfmon:CPU and WMI:CPUTime extracted the cpu_user_percent and cpu_load_percent fields only for the _Total instance. Version 5.0.1 of the Splunk Add-on for Windows extracts the cpu_user_percent and cpu_load_percent fields for all instances.

To keep the older behavior for perfmon and WMI events (fields populated only for the _Total instance), complete the following steps:

  1. Paste the following stanza for WMI:CPUTime into your local/wmi.conf file. It overrides the default stanza so that only the _Total instance is queried:
    [WMI:CPUTime]
    interval = 3
    wql = SELECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"
    disabled = 0
  2. Paste the following stanzas for Perfmon:CPU (single mode) and PerfmonMk:CPU (multikv mode) into your local/props.conf file, as needed for the mode you collect in. The EVAL definitions return null() for every instance other than _Total:
    [Perfmon:CPU]
    EVAL-cpu_user_percent = if(counter=="% User Time" AND instance=="_Total",Value,null())
    EVAL-cpu_load_percent = if(counter=="% Processor Time" AND instance=="_Total",Value,null())
    
    ## The following eval command avoids a known issue with tag expansion:
    EVAL-windows_cpu_load_percent = if(counter=="% Processor Time" AND instance=="_Total",Value,null())
     
    [PerfmonMk:CPU]
    EVAL-cpu_user_percent = if(instance=="_Total", '%_User_Time', null())
    EVAL-cpu_load_percent = if(instance=="_Total", '%_Processor_Time', null())
     
    ## The following eval command avoids a known issue with tag expansion:
    EVAL-windows_cpu_load_percent = if(instance=="_Total", '%_Processor_Time', null())

Upgrade from version 4.8.4 to version 5.0.1

To upgrade from the Splunk Add-on for Windows version 4.8.4 or another version before 5.0.x, complete the following steps.

Version 5.0.x of the Splunk Add-on for Windows removed the indexes.conf file, along with the index setting from every stanza in inputs.conf, wmi.conf, and eventgen.conf.

If you skip the following steps, your Splunk platform no longer defines the windows, wineventlog, and perfmon indexes, and events forwarded to those indexes have nowhere to be written. This can result in data loss.

If you used indexes.conf or any custom index to store your data in an earlier version of the Splunk Add-on for Windows, copy (or re-create) the windows, wineventlog, and perfmon stanzas from indexes.conf, and the index settings from inputs.conf, wmi.conf, and eventgen.conf, from your existing v4.8.4 /Splunk_TA_Windows/default/ folder to the /Splunk_TA_Windows/local/ folder. Without an index setting, any data collected goes to the default main index.

When you forward data from a Windows server using the Splunk Add-on for Windows, the indexer you send the events to must also have these indexes. Install the add-on on the indexer and create a new indexes.conf file in its /Splunk_TA_Windows/local/ directory. After creating the indexes, specify them in inputs.conf in the /Splunk_TA_Windows/local/ directory of the instance that collects the data.
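The following two local files show the end state the paragraphs above describe. They are an added example, not files shipped with the add-on: the three index names come from this topic, but the path values, retention defaults and the particular input stanzas shown are assumptions, so match them to your own 4.8.4 configuration.

```ini
# local/indexes.conf on the indexer (added example). The add-on no longer
# ships this file, so the indexes must be defined here or forwarded events
# carrying index=windows, wineventlog or perfmon have nowhere to land.
# homePath/coldPath/thawedPath values are assumptions; copy your 4.8.4 ones.
[windows]
homePath   = $SPLUNK_DB/windows/db
coldPath   = $SPLUNK_DB/windows/colddb
thawedPath = $SPLUNK_DB/windows/thaweddb

[wineventlog]
homePath   = $SPLUNK_DB/wineventlog/db
coldPath   = $SPLUNK_DB/wineventlog/colddb
thawedPath = $SPLUNK_DB/wineventlog/thaweddb

[perfmon]
homePath   = $SPLUNK_DB/perfmon/db
coldPath   = $SPLUNK_DB/perfmon/colddb
thawedPath = $SPLUNK_DB/perfmon/thaweddb

# local/inputs.conf on the collecting instance (added example). With the
# index setting gone from the default stanzas, every input you enable needs
# an explicit index or its events go to main. Only the keys you override
# belong here; counters, object and interval are still inherited from the
# matching default stanza. The stanza names below are assumptions.
[WinEventLog://Security]
disabled = 0
index = wineventlog

[WinEventLog://System]
disabled = 0
index = wineventlog

[perfmon://CPU]
disabled = 0
index = perfmon
```

After restarting, confirm the routing with a search such as | tstats count where index IN (windows, wineventlog, perfmon) by index, sourcetype, and check index=main for WinEventLog or Perfmon sourcetypes: add-on data landing in main means an input stanza is still missing its index setting, while add-on data missing everywhere means the indexer is discarding events for an index it does not define (splunkd.log on the indexer warns about events for an unconfigured index).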

Configure users and roles

The authorize.conf file was removed in the Splunk Add-on for Windows v5.0.0. If you want other users in your organization to search the stored data, copy the windows_admin role stanza from authorize.conf in your existing v4.8.4 /Splunk_TA_Windows/default/ folder to the /Splunk_TA_Windows/local/ folder, then assign that role to the users who need search access. Users holding this role can search the following indexes.

  • windows: For DHCP, Windows Update logs, Windows network, host, printer, and Registry monitoring.
  • wineventlog: For all Windows Event Log channels.
  • perfmon: For all Windows Performance Monitoring events.
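As an added example (not the add-on's own authorize.conf), a local role stanza scoped to exactly the three indexes listed above. The stanza name follows the windows_admin role this topic refers to; the settings are assumptions about its contents, so copy your real 4.8.4 stanza if you still have it.

```ini
# local/authorize.conf on the search head (added example). Grants search on
# the add-on's three indexes and nothing else; importRoles = user supplies
# the base search capabilities. Values are assumptions, not the shipped file.
[role_windows_admin]
importRoles = user
srchIndexesAllowed = windows;wineventlog;perfmon
srchIndexesDefault = windows;wineventlog;perfmon
```

Keep srchIndexesAllowed to the three named indexes rather than * so that users who only need Windows telemetry do not also gain read access to every other index on the search head, and attach the role through Settings > Users or your LDAP/SAML role mapping instead of editing individual user stanzas.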

Upgrade saved searches

Due to source and sourcetype changes for WinEventLog data, saved searches that still use the old sourcetype names no longer return results. Search by source (or by the event types the add-on defines) instead:

Event type: wineventlog_windows
Sourcetypes it replaces: wineventlog:*, XMLeventlog:*
Search: eventtype=wineventlog_application OR eventtype=wineventlog_system OR eventtype=wineventlog_security

Event type: wineventlog_application
Sourcetypes it replaces: wineventlog:application, XMLeventlog:application
Search: source=WinEventLog:Application OR source=WMI:WinEventLog:Application OR source=XmlWinEventLog:Application

Event type: wineventlog_system
Sourcetypes it replaces: wineventlog:System, XMLeventlog:System
Search: source=WinEventLog:System OR source=WMI:WinEventLog:System OR source=XmlWinEventLog:System

Event type: wineventlog_security
Sourcetypes it replaces: wineventlog:Security, XMLeventlog:Security
Search: source=WinEventLog:Security OR source=WMI:WinEventLog:Security OR source=XmlWinEventLog:Security

Configuration file changelog for 5.0.0

The Splunk Add-on for Windows 5.0.0 removes several legacy configurations, including ones from third-party tools NTSyslog, Snare, and Monitorware and ES 2.0.2 legacy field extractions. If you are using any configurations that were removed in the Splunk Add-on for Windows 5.0.0, copy the relevant configuration stanzas from your existing Splunk Add-on for Windows v4.8.4 /default/ folder to the /local/ folder.

Removed configuration file stanzas

The following stanzas have been removed from configuration files. Before upgrading to the Splunk Add-on for Windows v5.0.x, copy the configuration stanzas below from your existing Splunk Add-on for Windows v4.8.4 /default/ folder to /local/ folder:

authorize.conf
  (entire file removed; see "Configure users and roles" above)

distsearch.conf
  (entire file removed)

eventtypes.conf
  [ntsyslog_windows]
  [snare_windows]
  [monitorware_windows]

eventgen.conf
  [.*\.monitorware]
  [Security.(4624|4648).monitorware]
  [Security.4624.monitorware]
  [.*\.ntsyslog]
  [Security.(540|529).angle.ntsyslog]
  [.*\.snare]

indexes.conf
  (entire file removed; see "Upgrade from version 4.8.4 to version 5.0.1" above)

inputs.conf
  [default]
  evt_dc_name =
  evt_dns_name =

props.conf
  [source::....monitorware]
  [source::MonitorWare...]
  [source::....ntsyslog]
  [source::....snare]
  [source::Snare...]
  [source::NTSyslog:Security]
  [source::(MonitorWare|Snare)...]
  [MonitorWare:Application]
  [NTSyslog:Application]
  [Snare:Application]

transforms.conf
  [force_sourcetype_for_monitorware]
  [force_host_for_monitorware]
  [force_source_for_monitorware]
  [raw_kv_for_tab_monitorware]
  [Message_kv_for_tab_monitorware]
  [Failure_Reason_for_monitorware]
  [User_for_monitorware]
  [force_sourcetype_for_ntsyslog_security]
  [force_host_for_ntsyslog]
  [force_source_for_ntsyslog_security]
  [raw_kv_for_ntsyslog_square]
  [raw_kv_for_ntsyslog_angle]
  [message_kv_for_message_for_ntsyslog]
  [ntsyslog_mappings]
  [force_sourcetype_for_snare]
  [force_host_for_snare]
  [force_source_for_snare]
  [raw_kv_for_tab_snare]
  [Message_kv_for_tab_snare]
  [raw_kv_for_comma_snare]
  [Message_kv_for_comma_snare]

tags.conf
  [eventtype=ntsyslog_windows]
  [eventtype=monitorware_windows]
  [eventtype=snare_windows]

Third-party files removed

Manually remove the following extra third-party configurations.

List of sample files to delete:
samples\Security.4624.monitorware
samples\Security.4648.monitorware
samples\Security.528.monitorware
samples\Security.528.snare
samples\Security.529.angle.ntsyslog
samples\Security.529.monitorware
samples\Security.529.snare
samples\Security.539.snare
samples\Security.540.angle.ntsyslog
samples\Security.540.monitorware
samples\Security.540.snare
samples\Security.540.square.ntsyslog
samples\Security.552.monitorware

Lookup files to delete:
lookups\ntsyslog_mappings.csv

Removed global stanza configurations in inputs.conf for WinEventLog

The global stanza below has been removed from inputs.conf in the Splunk Add-on for Windows v5.0.x.

[default]
evt_dc_name =
evt_dns_name =

If you were using these settings, the add-on no longer defines them. Before upgrading to 5.0.x, copy this stanza from default/inputs.conf to local/inputs.conf in the add-on folder so that it survives the upgrade.

Changed default Perfmon data collection mode to multikv from single

Multikv mode of Perfmon data collection has benefits over single mode; see the Perfmon input documentation for details on the differences.

Multikv mode has a different event format than single mode, so searches and extractions written for one do not apply to the other. If you want to use multikv mode, set mode = multikv in every stanza you need:

  1. Create a local copy of all the existing [perfmon://*] stanzas in local/inputs.conf
  2. For each stanza add the line "mode = multikv"

If you want to collect Perfmon data inputs in single mode event format after upgrading the Splunk Add-on for Windows to 5.0.x, follow these steps:

  1. Create a local copy of all the existing [perfmon://*] stanzas in local/inputs.conf
  2. For each stanza add the line "mode = single"
  3. The following example [perfmon://CPU] stanza continues collecting CPU-related perfmon data in single mode:
[perfmon://CPU]
counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
disabled = 0
instances = *
interval = 10
mode = single
object = Processor
useEnglishOnly=true
index = perfmon

You cannot change Perfmon mode in Splunk Web.

WinEventLog extraction changes

The Splunk Add-on for Windows v5.0.x updates how source and sourcetypes are assigned to WinEventLog data.

Sourcetype changes for WinEventLog data

All WinEventLogs are now assigned to either the WinEventLog or the XmlWinEventLog sourcetype and distinguished by their source.

4.8.4 and earlier source     4.8.4 and earlier sourcetype   5.0.x source                 5.0.x sourcetype
WinEventLog:System           WinEventLog:System             WinEventLog:System           WinEventLog
WinEventLog:Application      WinEventLog:Application        WinEventLog:Application      WinEventLog
WinEventLog:Security         WinEventLog:Security           WinEventLog:Security         WinEventLog
WinEventLog:System           XmlWinEventLog:System          XmlWinEventLog:System        XmlWinEventLog
WinEventLog:Application      XmlWinEventLog:Application     XmlWinEventLog:Application   XmlWinEventLog
WinEventLog:Security         XmlWinEventLog:Security        XmlWinEventLog:Security      XmlWinEventLog

The sourcetypes WinEventLog:System, WinEventLog:Application, and WinEventLog:Security in the Splunk Add-on for Windows version 4.8.4 or earlier will remain the same for already indexed events. For newly indexed events from the Splunk Add-on for Windows version 5.0.x, the sourcetypes will be changed as shown in the table above.

Backwards compatibility for indexed events

Because of this change, events indexed before the upgrade are not extracted properly. If a rename stanza for the old sourcetype is not already in the Backward Compatibility section of props.conf, add one so that already indexed events are renamed at search time:

[WinEventLog:Security]
rename = wineventlog

[WinEventLog:Application]
rename = wineventlog

[WinEventLog:System]
rename = wineventlog

[XmlWinEventLog:Security]
rename = xmlwineventlog

[XmlWinEventLog:Application]
rename = xmlwineventlog

[XmlWinEventLog:System]
rename = xmlwineventlog

Renamed sourcetypes are case-sensitive.

Change sourcetype-based extractions to source-based

If you collected WinEventLog data for any custom data input in previous versions of the Splunk Add-on for Windows and you added one or more custom extractions in its sourcetype-based stanzas, you must convert the sourcetype-based configurations for your custom data inputs to source-based extractions.

Custom WinEventLog Input (Classic)

This example uses the following custom data input in /local/inputs.conf.

[WinEventLog://Windows PowerShell]
disabled = 0
index = main
renderXml=false 

This custom data input has the following sourcetype-based stanza, [WinEventLog:Windows PowerShell], for extraction in the local/props.conf file:

[WinEventLog:Windows PowerShell]
EVAL-custom_extraction = "Custom_Value" 

In the Splunk Add-on for Windows version 5.0.x, rename the sourcetype-based stanza to the matching source-based stanza. In this case, the source is WinEventLog:Windows PowerShell, so the stanza in local/props.conf that extracts the fields becomes:

[source::WinEventLog:Windows PowerShell]
EVAL-custom_extraction = "Custom_Value"  

Custom WinEventLog Input (XML)

This example uses the following custom data input in /local/inputs.conf.

[WinEventLog://Windows PowerShell]
disabled = 0
index = main
renderXml=true 

This custom data input has the following sourcetype-based stanza, [XmlWinEventLog:Windows PowerShell], for extraction in the local/props.conf file:

[XmlWinEventLog:Windows PowerShell]
EVAL-custom_extraction = "Custom_Value" 

In the Splunk Add-on for Windows version 5.0.x, rename the sourcetype-based stanza to the matching source-based stanza. Events indexed before the upgrade have source WinEventLog:Windows PowerShell even in XML mode, so the source-based stanza in local/props.conf that extracts their fields is:

[source::WinEventLog:Windows PowerShell]
EVAL-custom_extraction = "Custom_Value" 

Additionally, the source of XML mode events changes for events indexed after the upgrade to version 5.0.x. Add the same extraction in a second source-based stanza, [source::XmlWinEventLog:Windows PowerShell], in local/props.conf so that the extraction also works on events indexed after the upgrade:

[source::XmlWinEventLog:Windows PowerShell]
EVAL-custom_extraction = "Custom_Value" 

Do not merge sourcetype-based stanzas containing custom extractions to the stanzas containing rename=wineventlog. You must convert the sourcetype-based stanzas containing custom extractions to source-based stanzas as mentioned above or your field extractions will not work.

Events that have already been indexed will not be extracted properly due to this change. Convert the sourcetype-based configurations for your custom data inputs to source-based extractions.
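The stanzas below bring the two procedures above together for one input, as an added example that is not the add-on's own configuration. The [WinEventLog://Windows PowerShell] input and the source names are the ones used on this page; the extraction itself is an assumption chosen for illustration (Windows PowerShell engine lifecycle events carry a "HostApplication=" line in their message text, which is the field you want when hunting for encoded or download-cradle command lines), so verify the regex against your own events before relying on it.

```ini
# local/props.conf (added example). One custom extraction for the
# [WinEventLog://Windows PowerShell] input, kept working across the upgrade.
# The regex is an assumption: it picks up the HostApplication=... line from
# the engine lifecycle events (for example EventCode 400/403/600).

# Events indexed before the upgrade, classic and XML rendering alike:
# both had source WinEventLog:Windows PowerShell.
[source::WinEventLog:Windows PowerShell]
EXTRACT-ps_host_application = HostApplication=(?<ps_host_application>[^\r\n<]+)

# Events indexed after the upgrade with renderXml=true: the source becomes
# XmlWinEventLog:Windows PowerShell. Same regex; excluding "<" stops the
# match at the closing XML tag instead of a line break.
[source::XmlWinEventLog:Windows PowerShell]
EXTRACT-ps_host_application = HostApplication=(?<ps_host_application>[^\r\n<]+)

# Do not put the extraction in a [WinEventLog:Windows PowerShell] or
# [XmlWinEventLog:Windows PowerShell] sourcetype stanza: events indexed
# after the upgrade carry sourcetype WinEventLog or XmlWinEventLog and
# never match those stanza names.
```

To check that both stanzas fire, run source="WinEventLog:Windows PowerShell" OR source="XmlWinEventLog:Windows PowerShell" | stats count by source, ps_host_application over a window that spans the upgrade; if one of the two sources shows only null values, the stanza for that source is missing or the regex does not match that rendering.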

Change Perfmon:CPU and WMI:CPUTime event collection configurations

This change applies to upgrades from 4.8.4 or earlier as well as from 5.0.0. The steps are the same as those given for Perfmon:CPU and WMI:CPUTime at the top of this topic: override [WMI:CPUTime] in local/wmi.conf with a query restricted to Name="_Total", and add the _Total-only EVAL definitions for [Perfmon:CPU] and [PerfmonMk:CPU] to local/props.conf.
Last modified on 18 December, 2020

This documentation applies to the following versions of Splunk® Add-on for Windows: 5.0.1

