Hi,
I've been tasked with upgrading the Splunk_TA_windows app, which was installed prior to my employment. After looking at the doc, I'm confused.
For a SH, it says:
"If you want Windows data from a host that acts as a search head, install the add-on there. The host must run a supported version of Windows." Does that mean the SH has to be a Windows server?
For an IDX, it says:
"The host must run a supported version of Windows. The add-on performs index-time extractions that necessitate installation on an indexer." Same question - does that mean the IDX has to be a windows server?
We currently do not have the TA on the indexer, but the doc says that it's required. Is that accurate? When they say "index-time" extractions, does that mean they are creating indexed fields, as opposed to search-time fields?
Thanks!
This is just in the cases where you would want to also collect the logs locally as well (on the indexer or search head). I know the docs are very unclear on this and it causes some confusion. You can use the Windows add-on on a Linux based SH, Indexer as well, just not for collecting data locally, for obvious reasons (no windows logs =D).
@a212830 Is your problem resolved? If so, please accept one of the answers to help future readers.
So I skimmed this so slap me if I'm jumping to conclusion too fast. I think this is a fair confusion that we often have but I'll try to break it down.
The TA is needed on the SH so the sourcetype definitions can be used - as in, so you can enjoy fields and event breaking fun. The TA is needed on the indexers (or a HF if the data goes there first) to make sure that same sourcetype magic can handle the event breaking (timestamp, line breaking, etc...) fun that happens at index time.
In both situations, you might be putting such TA on indexers or search heads that are Linux, not Windows OS. Yup, that seems wrong but it's correct because we're not using the TA there for data collection, but for data definition (sourcetype). So, in that scenario, you prob have the inputs off.
Of course, if you have Windows hosts, you'd want the TA deployed but for data collection purposes, not sourcetype funsies.
Now for the kicker: you shouldn't have a problem putting that same TA, with the inputs configured enabled, in all three of these places (SH, Ind, Forwarders) even if the SH and IDX are not Windows. That's because when the Windows specific inputs try to run on a Linux system, they will fail once and not attempt again until that Splunk instance is restarted. That's a nice safety net to help situations just like this.
I've since posted Is it a best practice to use the Splunk Add-on for Microsoft Windows? which also touches on the answer.
I run it on a CentOS search head without issue - as kmorris said the restriction seems to be if one wants to collect the local windows logs ( assumes WIndows search head )
This is just in the cases where you would want to also collect the logs locally as well (on the indexer or search head). I know the docs are very unclear on this and it causes some confusion. You can use the Windows add-on on a Linux based SH, Indexer as well, just not for collecting data locally, for obvious reasons (no windows logs =D).