Upgrade the Splunk Add-on for Windows from versions earlier than 5.0.1
If you are using a version of the Splunk Add-on for Windows earlier than 5.0.1, first upgrade to Windows 5.0.1. Then, see Upgrade the Splunk Add-on for Windows to upgrade to version 6.0.0.
Upgrade from version 4.8.4 to version 5.0.1
The indexes.conf
file was removed in the Splunk Add-on for Windows version 5.0.x along with the index=*
parameter from all stanzas in inputs.conf
, wmi.conf
, and eventgen.conf
.
If you miss the following steps, your Splunk platform will not have index configurations. This can result in data loss.
If you were using indexes.conf
or any custom index to store your data in an earlier version of the Splunk Add-on for Windows, copy or create the windows
, wineventlog
, and perfmon
stanzas from the indexes.conf
, inputs.conf
, wmi.conf
, and eventgen.conf
files in your existing Splunk Add-on for Windows v4.8.4 /Splunk_TA_Windows/default/
folder to the /Splunk_TA_Windows/local/
folder. Otherwise, any data collected will go to the default main index.
When you forward data from a Windows server using the Splunk Add-on for Windows, the indexer you send the events to must also have these indexes present. Install the add-on onto the indexer, and create a new indexes.conf
file in the /Splunk_TA_Windows/local/
directory. After creating the indexes, specify these indexes in inputs.conf in the /Splunk_TA_Windows/local/
directory.
Configure users and roles
The authorize.conf
file was removed in the Splunk Add-on for Windows v5.0.0. If you want other users in your organization to search through the data stored, copy the windows_admin
role from authorize.conf
in your existing Splunk Add-on for Windows v4.8.4 /Splunk_TA_Windows/default/
folder to /Splunk_TA_Windows/local/
folder for the user you would like to give search access to. Adding this role to any user will allow that user to search the following indexes.
- windows: For DHCP, Windows Update logs, Windows network, host, printer, and Registry monitoring.
- wineventlog: For all Windows Event Log channels.
- perfmon: For all Windows Performance Monitoring events.
Upgrade saved searches
Due to source and sourcetype changes for WinEventLog data, saved searches that are still using old sourcetype names do not work. You can search by "source=" instead:
Event type | Sourcetype it replaces | Search |
---|---|---|
wineventlog_windows
|
wineventlog:* , XMLeventlog:*
|
|
wineventlog_application
|
wineventlog:application , XMLeventlog:application
|
|
wineventlog_system
|
wineventlog:System , XMLeventlog:System
|
|
wineventlog_security
|
wineventlog:Security , XMLeventlog:Security
|
|
Install the Splunk Add-on for Windows with Forwarder Management | Upgrade the Splunk Add-on for Windows |
This documentation applies to the following versions of Splunk® Add-on for Windows: 8.1.2
Feedback submitted, thanks!