All Apps and Add-ons

Can we collect Windows event logs with the Splunk Add-on for Microsoft Windows, and forward that data to Linux indexers?

mghocke
Path Finder

Hi everybody,

Is it possible to use the Splunk Add-On for Microsoft Windows when the indexers and search heads are all running on Linux? We have a group of people who want to collect Windows logs and throw them into Splunk, but they are also asking if we can install the Windows add-on. I guess my first questions would be, do we need to install anything on the search heads and indexers to support the functionality offered by this add-on? Or would it be sufficient to install a universal forwarder on a Windows host and put the add-on there?

Any input on how to approach this would be great!

Thanks!

--- Michael

0 Karma
1 Solution

jconger
Splunk Employee
Splunk Employee

There is no problem having a Windows host forward data to a Linux indexer. The Splunk Add-on for Microsoft Windows just collects data (perfmon, Windows event logs, scripted output, etc.) from Windows hosts. The Splunk App for Windows Infrastructure visualizes the data that is sent by the add-on (meaning the app does not collect data). Therefore, the Splunk App for Windows Infrastructure can be installed on Linux indexers and Search Heads as the app is platform independent.

View solution in original post

jconger
Splunk Employee
Splunk Employee

There is no problem having a Windows host forward data to a Linux indexer. The Splunk Add-on for Microsoft Windows just collects data (perfmon, Windows event logs, scripted output, etc.) from Windows hosts. The Splunk App for Windows Infrastructure visualizes the data that is sent by the add-on (meaning the app does not collect data). Therefore, the Splunk App for Windows Infrastructure can be installed on Linux indexers and Search Heads as the app is platform independent.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...