Splunk Add-on for Windows in Version 5.0.0

amielke
Communicator

In the Add-on for Windows, the index declaration has been removed in version 5.0.0. Do the inputs have to send to certain indices?
In inputs.conf there is no key-value entry for the index.

The Splunk Add-on for Microsoft Active Directory still has an indexes.conf file, and in its inputs.conf each stanza also has an `indexes = *` entry. Is the MS-AD Add-on not yet updated, or is there an error in the Add-on for Windows?

amielke
Communicator

@bhargavnariyani: Yes, the documentation reads fine and is clear, but if I start to set up the Splunk App for Windows Infrastructure, the app expects version 4.8.4. This is not acceptable in my eyes 😞

That means I cannot use the Splunk Add-on for Windows in version 5.0.0, because the Splunk App for Windows Infrastructure in version 1.4.4 does not accept the new version.

neerajshah81
Path Finder

@amielke, I have recently installed the Splunk App for Windows Infrastructure and I encountered the same red X mark during the prerequisites check. I had to install the TA_for_Windows v4.8.4 as required by this app.
The v5.0.0 is not compatible with the App for Windows Infrastructure.

bhargavnariyani
Path Finder

@amielke Agreed, that's a blocker as of now: Windows 5.0.0 can't be used with Winfra 1.4.4. But I guess it will be short term. As Windows 5.0.0 is released now, a compatible Winfra version should be released soon. Hope that helps.

bhargavnariyani
Path Finder

@amielke The Windows Add-on 5.0.0 documentation states that indexes.conf and its related configurations in inputs.conf/wmi.conf etc. have been removed, and thus it's not an error. http://docs.splunk.com/Documentation/WindowsAddOn/5.0.0/User/Configuration#Configure_indexes.conf

The upgrade steps are clearly mentioned in http://docs.splunk.com/Documentation/WindowsAddOn/5.0.0/User/Upgrade#Upgrade_from_a_previous_version... .

While for the Active Directory add-on, we can see on Splunkbase, https://splunkbase.splunk.com/app/3207/, that it was released in 2016, and hence it looks like it is not yet updated.

I followed the upgrade steps for index configuration for the Windows 5.0.0 Add-on. Everything worked fine for me.

Please revert back if you have any questions. Will be happy to help.
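
A check worth running after following those upgrade steps, added here as an example and not code from the thread or from Splunk: it parses an inputs.conf and lists the enabled stanzas that set no `index` (on the stanza or in `[default]`), since with indexes.conf gone those inputs fall through to the Splunk default index. The sample inputs.conf and its host value are constructed.

```python
# Added example (not from the thread or from Splunk): list the enabled
# inputs.conf stanzas that set no `index`; with indexes.conf gone, those
# inputs fall through to the Splunk default index (normally main).
from typing import Dict, List

# Constructed sample of the add-on's default/inputs.conf merged with local.
SAMPLE_INPUTS_CONF = """\
[default]
host = win-collector-01

[WinEventLog://Security]
disabled = 0
start_from = oldest
index = wineventlog

[WinEventLog://System]
disabled = 0
start_from = oldest

[perfmon://CPU]
counters = % Processor Time
disabled = 1
"""

def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for Splunk's INI-style .conf files (no line continuations)."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def stanzas_without_index(text: str) -> List[str]:
    """Enabled input stanzas with no index on the stanza or in [default]."""
    stanzas = parse_conf(text)
    inherited = "index" in stanzas.get("default", {})
    missing = []
    for name, settings in stanzas.items():
        if name == "default" or settings.get("disabled", "0").lower() in ("1", "true"):
            continue  # [default] is not an input; disabled inputs collect nothing
        if "index" not in settings and not inherited:
            missing.append(name)
    return missing
```

Run `stanzas_without_index(open(path).read())` against the merged output of `splunk btool inputs list` to check a live deployment rather than the constructed sample.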

woodcock
Esteemed Legend

Yes, I missed the upgrade section and still believe that a shout-out to that section in the Release Notes is warranted, something like: "There are significant changes to the plumbing that may cause breakage when upgrading to older releases; see the upgrade section for details."

woodcock
Esteemed Legend

There is a H*U*G*E risk with v5.0 of this app that is highly likely to cause breakage of your non-TA field extractions. There is something different about how it handles source and sourcetypes but unfortunately I did not take enough time to diagnose it. It caused a ton of our custom field extractions not to work so we downgraded. The app's documentation page does not indicate anything that would have caused us concern about upgrading, which is also a concern. Hopefully the docs page will get an update with an appropriate explanation and warning.

bhargavnariyani
Path Finder

@woodcock Can you please explain in detail, with an example, which kind of custom extractions broke for you?
As mentioned by @martin_mueller, documentation is available that explains the changes to WinEventLog source and sourcetypes in v5.0.0.
Just pasting the link again:
http://docs.splunk.com/Documentation/WindowsAddOn/5.0.0/User/Upgrade#WinEventLog_extraction_changes

I would suggest you have a look at it again; if you face any issues after that, I would be happy to help. Please have a look at the documentation and revert back if you face any issues related to extractions that don't work for you.

martin_mueller
SplunkTrust

gjanders
SplunkTrust

And no mention in the release notes, as per your discussion on the documentation page!

Since the documentation pages don't have a "show differences" button between versions, it should really be in the release notes.
That said, if I could show differences between documentation versions, it would be incredibly useful 🙂
