Splunk® Add-on for Windows

Deploy and Use the Splunk Add-on for Windows

This documentation does not apply to the most recent version of Splunk® Add-on for Windows. For documentation on the most recent version, go to the latest release.

Upgrade the Splunk Add-on for Windows from versions earlier than 5.0.1

If you are using a version of the Splunk Add-on for Windows earlier than 5.0.1, first upgrade to Windows 5.0.1. Then, see Upgrade the Splunk Add-on for Windows to upgrade to version 6.0.0.

Upgrade from version 4.8.4 to version 5.0.1

The indexes.conf file was removed in the Splunk Add-on for Windows version 5.0.x along with the index=* parameter from all stanzas in inputs.conf, wmi.conf, and eventgen.conf.

If you miss the following steps, your Splunk platform will not have index configurations. This can result in data loss.

If you were using indexes.conf or any custom index to store your data in an earlier version of the Splunk Add-on for Windows, copy or create the windows, wineventlog, and perfmon stanzas from the indexes.conf, inputs.conf, wmi.conf, and eventgen.conf files in your existing Splunk Add-on for Windows v4.8.4 /Splunk_TA_Windows/default/ folder to the /Splunk_TA_Windows/local/ folder. Otherwise, any data collected will go to the default main index.

When you forward data from a Windows server using the Splunk Add-on for Windows, the indexer you send the events to must also have these indexes present. Install the add-on onto the indexer, and create a new indexes.conf file in the /Splunk_TA_Windows/local/ directory. After creating the indexes, specify these indexes in inputs.conf in the /Splunk_TA_Windows/local/ directory.

Configure users and roles

The authorize.conf file was removed in the Splunk Add-on for Windows v5.0.0. If you want other users in your organization to search through the data stored, copy the windows_admin role from authorize.conf in your existing Splunk Add-on for Windows v4.8.4 /Splunk_TA_Windows/default/ folder to /Splunk_TA_Windows/local/ folder for the user you would like to give search access to. Adding this role to any user will allow that user to search the following indexes.

  • windows: For DHCP, Windows Update logs, Windows network, host, printer, and Registry monitoring.
  • wineventlog: For all Windows Event Log channels.
  • perfmon: For all Windows Performance Monitoring events.

Upgrade saved searches

Due to source and sourcetype changes for WinEventLog data, saved searches that are still using old sourcetype names do not work. You can search by "source=" instead:

Event type Sourcetype it replaces Search
wineventlog_windows wineventlog:*, XMLeventlog:*

eventtype=wineventlog_application OR eventtype=wineventlog_system OR eventtype=wineventlog_security

wineventlog_application wineventlog:application, XMLeventlog:application

source=WinEventLog:Application OR source=WMI:WinEventLog:Application OR source=XmlWinEventLog:Application

wineventlog_system wineventlog:System, XMLeventlog:System

source=WinEventLog:System OR source=WMI:WinEventLog:System OR source=XmlWinEventLog:System

wineventlog_security wineventlog:Security, XMLeventlog:Security

source=WinEventLog:Security OR source=WMI:WinEventLog:Security OR source=XmlWinEventLog:Security

Last modified on 06 January, 2021
Install the Splunk Add-on for Windows with Forwarder Management   Upgrade the Splunk Add-on for Windows

This documentation applies to the following versions of Splunk® Add-on for Windows: 8.1.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters