In the Add-On for Windows, the index declaration has been removed in version 5.0.0 , do the inputs have to send to certain indices?
In the inputs.conf is no key-value entry for the index.
The Splunk Add-on for Microsoft Active Directory still has an indexes.conf file and in the inputs.conf are also at each Stanza indexes = * entries. Is the MS -AD Add-on not yet updated or is there an error in the add-on for Windows?
@bhargavnariyani: Yes the documentation read fine and is clear, but if I start to setup the Splunk App for windows infrastructure, the app expected version 4.8.4. This is not accept in my eyes 😞
That means for me I cannot use the Splunk Add-On for Windows in version 5.0.0, because the Splunk App for Windows infrastructure in version 1.4.4 does not accept the new version.
@ amielke , i have recently installed the Splunk App for Windows Infrastructure and i encountered the same red X mark during the pre-requisites check. I had to install the TA_for_Windows v4.8.4 as required by this app.
The v5.0.0 is not compatible with the APP for Win Infrastructure.
@amielke Agree that's an blocker as of now, that Windows 5.0.0 can't be used with Winfra 1.4.4. But I guess It will be short term. As Windows 5.0.0 is released now, soon a compatible Winfra version should be released. Hope that helps.
@amielke The Windows Addon 5.0.0 document stats that indexes.conf and its related configurations in inputs.conf/wmi.conf etc have been removed and thus it's not an error. http://docs.splunk.com/Documentation/WindowsAddOn/5.0.0/User/Configuration#Configure_indexes.conf
The upgrade steps are clearly mentioned in http://docs.splunk.com/Documentation/WindowsAddOn/5.0.0/User/Upgrade#Upgrade_from_a_previous_version... .
While for active directory addon,we can see on splunkbase, https://splunkbase.splunk.com/app/3207/ that it was released in 2016 and hence looks like it is not yet updated.
I followed the upgrade steps for index configuration for Windows 5.0.0 Addon. Everything worked fine for me.
Please revert back if you have any questions. Will be happy to help.
Yes, I missed the upgrade section and still believe that a shout-out to that section in the Release Notes is warranted, something like There are significant changes to the plumbing that may cause breakage when upgrading to older releases, see the upgrade section for details.
There is a H*U*G*E risk with v5.0 of this app that is highly likely to cause breakage of your non-TA field extractions. There is something different about how it handles source
and sourcetypes
but unfortunately I did not take enough time to diagnose it. It caused a ton of our custom field extractions not to work so we downgraded. The app's documentation page does not indicate anything that would have caused us concern about upgrading, which is also a concern. Hopefully the docs page will get an update with an appropriate explanation and warning.
@woodcock Can you please explain in detail like with an example which kind of custom extractions broke for you?
As mentioned by @martin_mueller, the documentation is available which explains the changes to WinEventLog source and sourcetypes in v5.0.0.
Just pasting the link again.
http://docs.splunk.com/Documentation/WindowsAddOn/5.0.0/User/Upgrade#WinEventLog_extraction_changes
I would suggest you to have a look at it again, if you face any issues after that I would be happy to help. Please have a look at documentation and revert back if you face any issues related to extractions that doesn't work for you.
It's right here in the docs: http://docs.splunk.com/Documentation/WindowsAddOn/5.0.0/User/Upgrade#Source_and_sourcetype_changes_f...
And no mention in the release notes as per your discussion on the documentation page!
Since the documentation pages don't have a "show differences" button between versions it should really be on the release notes.
That said, if I could show differences between documentation versions it would be incredibly useful 🙂