topic Re: Windows add-on v6 indexes in All Apps and Add-ons

Windows add-on v6 indexes

msaz — Wed, 10 Apr 2019 22:03:34 GMT

What index = should be provided for the Windows_TA v6 ? The instructions only say to set disabled = 0 in inputs.conf. All of the incoming data is going to main. I feel like I've missed a step, but am not seeing the solution.

https://docs.splunk.com/Documentation/WindowsAddOn/6.0.0/User/Configuration

Re: Windows add-on v6 indexes

whrg — Thu, 11 Apr 2019 07:09:29 GMT

Hello @msaz,

In older version of the Windows_TA, every input in inputs.conf had the index parameter. For example:

[WinEventLog://Security]
disabled = 1
index = wineventlog
...

It also came with the file default/indexes.conf which consisted of the indexes windows, wineventlog and perfmon.

Now with newer version of Windows_TA, you can read in the link you provided that "the indexes.conf file was removed in the Splunk Add-on for Windows version 5.0.0". Also, the index parameter for all inputs in inputs.conf was removed.

If an input in inputs.conf does not explicitly set an index, then its logs will go to the main/default index.

If you do not want to use the main index (which you should not) then you must define the index yourself. Then add "index = YOURINDEX" to all inputs where you set "disabled = 0".

Perhaps the instructions should be improved.

Re: Windows add-on v6 indexes

msaz — Thu, 11 Apr 2019 14:04:34 GMT

Right, I read the information about no indexes.conf and no index= for inputs.conf. The Splunk App for Windows Infrastructure specifies indexes for the stanzas in Table A (link below). Do these still apply for Windows TA v6 ?

https://docs.splunk.com/Documentation/MSApp/1.5.1/MSInfra/DownloadandconfiguretheSplunkAdd-onforWindows

Re: Windows add-on v6 indexes

whrg — Wed, 30 Sep 2020 00:08:24 GMT

If I understand correctly, you have the following options:

1) Use the indexes from Table A. You will need to set "index = wineventlog" and so on in Windows_TA's inputs.conf according to Table A. The MSApp should now work out of the box, because it will automatically use the indexes from table A. However, I believe you still need to create the indexes (Settings / Indexes or indexes.conf) because neither MSApp nor Windows_TA comes with indexes.conf.

2) Use your custom indexes. You will need to set "index = YOURINDEX" in Windows_TA. Also you will need to edit the macros (see the section "Update macros.conf" in the link you provided) for MSApp.

3) Use the main index. Again, I do not recommened that. The approach is the same as for 2)

Personally, I only use the Windows_TA without the MSApp. (I prefer to create the dashboards myself in a custom app.) Similar to 2) I have one custom index for all Windows logs.

Re: Windows add-on v6 indexes

msaz — Fri, 12 Apr 2019 03:35:54 GMT

I'll go with settings in Table A.