Upgrade the Splunk Add-on for Windows from versions earlier than 5.0.1
If you are using a version of the Splunk Add-on for Windows earlier than 5.0.1, first upgrade to Windows 5.0.1. Then, see Upgrade the Splunk Add-on for Windows to upgrade to version 6.0.0.
Upgrade from version 4.8.4 to version 5.0.1
indexes.conf file was removed in the Splunk Add-on for Windows version 5.0.x along with the
index=* parameter from all stanzas in
If you miss the following steps, your Splunk platform will not have index configurations. This can result in data loss.
If you were using
indexes.conf or any custom index to store your data in an earlier version of the Splunk Add-on for Windows, copy or create the
perfmon stanzas from the
eventgen.conf files in your existing Splunk Add-on for Windows v4.8.4
/Splunk_TA_Windows/default/ folder to the
/Splunk_TA_Windows/local/ folder. Otherwise, any data collected will go to the default main index.
When you forward data from a Windows server using the Splunk Add-on for Windows, the indexer you send the events to must also have these indexes present. Install the add-on onto the indexer, and create a new
indexes.conf file in the
/Splunk_TA_Windows/local/ directory. After creating the indexes, specify these indexes in inputs.conf in the
Configure users and roles
authorize.conf file was removed in the Splunk Add-on for Windows v5.0.0. If you want other users in your organization to search through the data stored, copy the
windows_admin role from
authorize.conf in your existing Splunk Add-on for Windows v4.8.4
/Splunk_TA_Windows/default/ folder to
/Splunk_TA_Windows/local/ folder for the user you would like to give search access to. Adding this role to any user will allow that user to search the following indexes.
- windows: For DHCP, Windows Update logs, Windows network, host, printer, and Registry monitoring.
- wineventlog: For all Windows Event Log channels.
- perfmon: For all Windows Performance Monitoring events.
Upgrade saved searches
Due to source and sourcetype changes for WinEventLog data, saved searches that are still using old sourcetype names do not work. You can search by "source=" instead:
|Event type||Sourcetype it replaces||Search|
Install the Splunk Add-on for Windows with Forwarder Management
Upgrade the Splunk Add-on for Windows
This documentation applies to the following versions of Splunk® Add-on for Windows: 8.1.1