Splunk® Add-on for Windows

Deploy and Use the Splunk Add-on for Windows


Release notes for the Splunk Add-on for Windows

Version 8.1.2 of the Splunk Add-on for Windows was released on April 18, 2021.

The Splunk Add-on for Windows 5.0.0 introduced breaking changes. If you are upgrading from a version of the Splunk Add-on for Windows that is earlier than 5.0.0, you must follow the steps outlined in Upgrade the Splunk Add-on for Windows. Failure to do so can result in data loss.

The Splunk Add-on for Windows DNS version 1.0.1 and the Splunk Add-on for Windows Active Directory version 1.0.0 are not supported when installed alongside the Splunk Add-on for Windows versions 6.0.0 and above. The Splunk Add-on for Windows versions 6.0.0 and above include the Splunk Add-on for Windows DNS and the Splunk Add-on for Microsoft Active Directory.

Compatibility

Version 8.1.2 of the Splunk Add-on for Windows is compatible with the following software, CIM versions, and platforms:

Splunk platform versions: 7.3.x, 8.0.x, 8.1.x
CIM: 4.15 and later
Platform: Windows
Vendor products: Windows 2019, Windows 8.1, Windows 10, Windows Server 2012/2012 R2, Windows Server 2016, Microsoft Active Directory, Microsoft Windows DNS Server

New or changed features

Version 8.1.2 of the Splunk Add-on for Windows has the following new or changed features:

  • Updated Common Information Model (CIM) field mapping for Windows Event ID 4688
  • Fixed the version value in app.conf

The latest version of the Splunk Add-on for Microsoft Windows introduced Common Information Model (CIM) and field mapping changes to its sourcetypes. See the Common Information Model and Field Mapping Changes for the Splunk Add-on for Microsoft Windows topic in the Reference chapter in this manual for information on changes to the mapping of this information.

Field Changes

Version 8.1.2 of the Splunk Add-on for Windows introduces field changes to the WinEventLog:Security and XmlWinEventLog:Security sourcetypes. See the following table for information on the field changes:

Sourcetype: WinEventLog:Security, EventCode 4688
  Fields added: new_process_name, parent_process_id, parent_process_path, process_command_line_arguments, process_command_line_process, process_exec, process_path
  Fields removed: N/A
  Fields modified: action, process, process_name, user

Sourcetype: XmlWinEventLog:Security, EventCode 4688
  Fields added: Process_Command_Line, new_process, new_process_id, new_process_name, parent_process_id, parent_process_path, process_command_line_arguments, process_command_line_process, process_exec, process_path
  Fields removed: N/A
  Fields modified: action, process, process_id, process_name, user


Sample values for modified sourcetypes

The following tables display the field changes for the WinEventLog:Security and XmlWinEventLog:Security sourcetypes.


WinEventLog:Security sourcetype field changes

Field changes for the WinEventLog:Security sourcetype.

Field modified | Sample value in 8.1.1                  | Sample value in 8.1.2
action         | success                                | allowed
process        | splunk-powershell.exe --ps2            | C:\opt\splunk\bin\splunk-powershell.exe --ps2
process_name   | C:\opt\splunk\bin\splunk-optimize.exe  | splunk-optimize.exe
user           | -                                      | WIN-7K2KTN5JGVD$

XmlWinEventLog:Security sourcetype field changes

Field changes for the XmlWinEventLog:Security sourcetype.


Field modified | Sample value in 8.1.1                  | Sample value in 8.1.2
action         | success                                | allowed
process        | splunk-powershell.exe --ps2            | C:\opt\splunk\bin\splunk-powershell.exe --ps2
process_id     | -                                      | 0x15b8
process_name   | C:\opt\splunk\bin\splunk-optimize.exe  | splunk-optimize.exe
user           | -                                      | WIN-7K2KTN5JGVD$
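As an added illustration (not code from the add-on), the following Python models the 8.1.1 and 8.1.2 columns above for a constructed 4688 event, so that saved searches keyed on process, process_name or process_id can be checked before upgrading. The derivation of each value from the event's EventData entries (NewProcessName, CommandLine, NewProcessId, SubjectUserName) is an assumption taken from the sample values, not the add-on's own extraction logic.

```python
import ntpath
import xml.etree.ElementTree as ET

# Constructed 4688 event in XmlWinEventLog:Security shape (not a real capture); values
# are chosen to reproduce the 8.1.2 sample values in the tables above.
SAMPLE_4688_XML = r"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><EventID>4688</EventID></System>
  <EventData>
    <Data Name='SubjectUserName'>WIN-7K2KTN5JGVD$</Data>
    <Data Name='NewProcessId'>0x15b8</Data>
    <Data Name='NewProcessName'>C:\opt\splunk\bin\splunk-powershell.exe</Data>
    <Data Name='CommandLine'>C:\opt\splunk\bin\splunk-powershell.exe --ps2</Data>
  </EventData>
</Event>"""
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def event_data(xml_text):
    """Return the EventData <Data Name=...> entries of a Windows event as a dict."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}

def cim_fields_8_1_1(data):
    """Model of the 8.1.1 column (assumption from the sample values): process_name held
    the full path, process held only the executable name plus arguments, others as shown."""
    exe_path = data["NewProcessName"]
    cmd = data["CommandLine"]
    args = cmd[len(exe_path):] if cmd.startswith(exe_path) else ""
    return {"action": "success", "process": ntpath.basename(exe_path) + args,
            "process_id": "-", "process_name": exe_path, "user": "-"}

def cim_fields_8_1_2(data):
    """Model of the 8.1.2 column: process is the full command line, process_name the
    base name, process_path (added) the full path, process_id the event's hex PID."""
    exe_path = data["NewProcessName"]
    return {"action": "allowed", "process": data["CommandLine"],
            "process_id": data["NewProcessId"], "process_name": ntpath.basename(exe_path),
            "process_exec": ntpath.basename(exe_path), "process_path": exe_path,
            "user": data["SubjectUserName"]}

def compare_mappings(old, new):
    """Fields to re-check in saved searches: newly added ones and ones whose value changed."""
    added = sorted(set(new) - set(old))
    modified = sorted(k for k in old if k in new and old[k] != new[k])
    return added, modified

if __name__ == "__main__":
    data = event_data(SAMPLE_4688_XML)
    print(compare_mappings(cim_fields_8_1_1(data), cim_fields_8_1_2(data)))
```

A search that matched the full path in process_name under 8.1.1 will miss under 8.1.2, where the path now lives in process_path and process_name carries only the base name.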

Fixed Issues

Version 8.1.2 of the Splunk Add-on for Windows fixes the following issues:


Date resolved | Issue number | Description
2021-04-12    | ADDON-33024  | Version 8.1.1 of the Splunk Add-on for Windows has a bad version value in app.conf
2021-03-23    | ADDON-34637  | Fix Common Information Model (CIM) field mapping for Windows Event ID 4688

Known Issues

Version 8.1.2 of the Splunk Add-on for Windows contains the following known issues. If no issues appear below, no issues have yet been reported:


Date filed | Issue number | Description
2021-03-04 | ADDON-34640  | Windows TA: eventtype endpoint_services_processes is too broad.
Last modified on 29 April, 2021

This documentation applies to the following versions of Splunk® Add-on for Windows: 8.1.2

