
Questions about Splunk_TA_windows

a212830
Champion

Hi,

I've been tasked with upgrading the Splunk_TA_windows app, which was installed prior to my employment. After looking at the doc, I'm confused.

For a SH, it says:

"If you want Windows data from a host that acts as a search head, install the add-on there. The host must run a supported version of Windows." Does that mean the SH has to be a Windows server?

For an IDX, it says:

"The host must run a supported version of Windows. The add-on performs index-time extractions that necessitate installation on an indexer." Same question - does that mean the IDX has to be a Windows server?

We currently do not have the TA on the indexer, but the doc says that it's required. Is that accurate? When they say "index-time" extractions, does that mean they are creating indexed fields, as opposed to search-time fields?

Thanks!

0 Karma
1 Solution

kmorris_splunk
Splunk Employee

This is just in the cases where you would want to also collect the logs locally as well (on the indexer or search head). I know the docs are very unclear on this and it causes some confusion. You can use the Windows add-on on a Linux-based SH or indexer as well, just not for collecting data locally, for obvious reasons (no Windows logs =D).


richgalloway
SplunkTrust

@a212830 Is your problem resolved? If so, please accept one of the answers to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma

sloshburch
Splunk Employee

So I skimmed this, so slap me if I'm jumping to conclusions too fast. I think this is a fair confusion that we often have, but I'll try to break it down.

The TA is needed on the SH so the sourcetype definitions can be used - as in, so you can enjoy fields and event-breaking fun. The TA is needed on the indexers (or a HF if the data goes there first) to make sure that same sourcetype magic can handle the event-breaking (timestamp, line breaking, etc.) fun that happens at index time.

In both situations, you might be putting such TA on indexers or search heads that are Linux, not Windows OS. Yup, that seems wrong but it's correct because we're not using the TA there for data collection, but for data definition (sourcetype). So, in that scenario, you prob have the inputs off.

Of course, if you have Windows hosts, you'd want the TA deployed but for data collection purposes, not sourcetype funsies.

Now for the kicker: you shouldn't have a problem putting that same TA, with the inputs configured enabled, in all three of these places (SH, Ind, Forwarders) even if the SH and IDX are not Windows. That's because when the Windows specific inputs try to run on a Linux system, they will fail once and not attempt again until that Splunk instance is restarted. That's a nice safety net to help situations just like this.
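The point made in the accepted answer and in the post above (the TA goes on Linux indexers and search heads for its sourcetype definitions, not for collection) comes down to which props.conf settings Splunk applies at index time versus search time. The script below is an added example, not code from the thread or from Splunk_TA_windows: it parses a constructed props.conf fragment (not the add-on's real file), classifies each setting by Splunk's documented index-time/search-time split, and reports which tier needs the TA for each stanza. It also writes the kind of `local/inputs.conf` override an admin would drop on a Linux host to turn the Windows inputs off explicitly instead of relying on them failing once at startup; the `WinEventLog://` stanza names are the conventional input form and are assumed here.

```python
from configparser import ConfigParser

# Constructed props.conf fragment for illustration only. It mixes settings that
# act in the parsing pipeline (indexer or heavy forwarder) with settings that act
# only when a search head reads the events back.
SAMPLE_PROPS = r"""
[WinEventLog]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d\d/\d\d/\d{4} \d\d:\d\d:\d\d [AP]M)
TIME_FORMAT = %m/%d/%Y %I:%M:%S %p
MAX_TIMESTAMP_LOOKAHEAD = 32
TRUNCATE = 0
TRANSFORMS-hostoverride = winevent_host_override
EXTRACT-eventcode = EventCode=(?P<EventCode>\d+)
REPORT-kv = winevent_kv
FIELDALIAS-src = src_ip AS src
EVAL-vendor_product = "Microsoft Windows"
LOOKUP-action = windows_action_lookup EventCode OUTPUT action
KV_MODE = none
"""

# Settings Splunk evaluates while parsing and indexing (line breaking, timestamps,
# TRANSFORMS/SEDCMD rewrites, indexed fields). Any of these in a TA means the TA
# must sit on the first full Splunk instance that parses the data.
INDEX_TIME_KEYS = {
    "LINE_BREAKER", "SHOULD_LINEMERGE", "BREAK_ONLY_BEFORE", "MUST_BREAK_AFTER",
    "TIME_PREFIX", "TIME_FORMAT", "MAX_TIMESTAMP_LOOKAHEAD", "TZ", "TRUNCATE",
    "CHARSET", "NO_BINARY_CHECK",
}
INDEX_TIME_PREFIXES = ("TRANSFORMS-", "SEDCMD-")

# Settings evaluated only at search time; these only need to exist on the SH.
SEARCH_TIME_KEYS = {"KV_MODE"}
SEARCH_TIME_PREFIXES = ("EXTRACT-", "REPORT-", "FIELDALIAS-", "EVAL-", "LOOKUP-")


def classify(key):
    """Return 'index-time', 'search-time' or 'unknown' for one props.conf key."""
    if key in INDEX_TIME_KEYS or key.startswith(INDEX_TIME_PREFIXES):
        return "index-time"
    if key in SEARCH_TIME_KEYS or key.startswith(SEARCH_TIME_PREFIXES):
        return "search-time"
    return "unknown"


def parse_props(text):
    """Parse props.conf text into {stanza: {key: value}} without mangling case or '%'."""
    cp = ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep keys like LINE_BREAKER in their original case
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def placement(props):
    """For each stanza, list which tiers need the TA and which keys drive that."""
    result = {}
    for stanza, settings in props.items():
        idx = sorted(k for k in settings if classify(k) == "index-time")
        sh = sorted(k for k in settings if classify(k) == "search-time")
        tiers = []
        if idx:
            tiers.append("indexer-or-heavy-forwarder")
        if sh:
            tiers.append("search-head")
        result[stanza] = {"tiers": tiers, "index_time": idx, "search_time": sh}
    return result


def linux_inputs_override(stanzas):
    """Build a local/inputs.conf that disables Windows-only inputs on a non-Windows host."""
    lines = ["# Added on Linux SH/indexer: keep the TA for sourcetypes, not for collection"]
    for name in stanzas:
        lines.append(f"[{name}]")
        lines.append("disabled = 1")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    report = placement(parse_props(SAMPLE_PROPS))
    for stanza, info in report.items():
        print(stanza, "->", ", ".join(info["tiers"]))
        print("  index-time keys :", info["index_time"])
        print("  search-time keys:", info["search_time"])
    print(linux_inputs_override(["WinEventLog://Security", "WinEventLog://System"]))
```

Run against a real TA's `default/props.conf`, the same check tells you whether any stanza carries index-time keys; if it does, the TA belongs on the indexers (or the heavy forwarder the data passes through first) even when those hosts are Linux, and the Windows inputs can be switched off there with the generated override.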

sloshburch
Splunk Employee

I've since posted "Is it a best practice to use the Splunk Add-on for Microsoft Windows?", which also touches on the answer.

0 Karma

klaxdal
Contributor

I run it on a CentOS search head without issue - as kmorris said, the restriction seems to be if one wants to collect the local Windows logs (assumes a Windows search head).

0 Karma

