All Apps and Add-ons

Splunk Add-on for Windows in Version 5.0.0

amielke
Communicator

In the Add-On for Windows, the index declaration has been removed in version 5.0.0 , do the inputs have to send to certain indices?
In the inputs.conf is no key-value entry for the index.

The Splunk Add-on for Microsoft Active Directory still has an indexes.conf file and in the inputs.conf are also at each Stanza indexes = * entries. Is the MS -AD Add-on not yet updated or is there an error in the add-on for Windows?

amielke
Communicator

@bhargavnariyani: Yes the documentation read fine and is clear, but if I start to setup the Splunk App for windows infrastructure, the app expected version 4.8.4. This is not accept in my eyes 😞

That means for me I cannot use the Splunk Add-On for Windows in version 5.0.0, because the Splunk App for Windows infrastructure in version 1.4.4 does not accept the new version.

alt text

0 Karma

neerajshah81
Path Finder

@ amielke , i have recently installed the Splunk App for Windows Infrastructure and i encountered the same red X mark during the pre-requisites check. I had to install the TA_for_Windows v4.8.4 as required by this app.
The v5.0.0 is not compatible with the APP for Win Infrastructure.

0 Karma

bhargavnariyani
Path Finder

@amielke Agree that's an blocker as of now, that Windows 5.0.0 can't be used with Winfra 1.4.4. But I guess It will be short term. As Windows 5.0.0 is released now, soon a compatible Winfra version should be released. Hope that helps.

0 Karma

bhargavnariyani
Path Finder

@amielke The Windows Addon 5.0.0 document stats that indexes.conf and its related configurations in inputs.conf/wmi.conf etc have been removed and thus it's not an error. http://docs.splunk.com/Documentation/WindowsAddOn/5.0.0/User/Configuration#Configure_indexes.conf

The upgrade steps are clearly mentioned in http://docs.splunk.com/Documentation/WindowsAddOn/5.0.0/User/Upgrade#Upgrade_from_a_previous_version... .

While for active directory addon,we can see on splunkbase, https://splunkbase.splunk.com/app/3207/ that it was released in 2016 and hence looks like it is not yet updated.

I followed the upgrade steps for index configuration for Windows 5.0.0 Addon. Everything worked fine for me.

Please revert back if you have any questions. Will be happy to help.

woodcock
Esteemed Legend

Yes, I missed the upgrade section and still believe that a shout-out to that section in the Release Notes is warranted, something like There are significant changes to the plumbing that may cause breakage when upgrading to older releases, see the upgrade section for details.

0 Karma

woodcock
Esteemed Legend

There is a H*U*G*E risk with v5.0 of this app that is highly likely to cause breakage of your non-TA field extractions. There is something different about how it handles source and sourcetypes but unfortunately I did not take enough time to diagnose it. It caused a ton of our custom field extractions not to work so we downgraded. The app's documentation page does not indicate anything that would have caused us concern about upgrading, which is also a concern. Hopefully the docs page will get an update with an appropriate explanation and warning.

0 Karma

bhargavnariyani
Path Finder

@woodcock Can you please explain in detail like with an example which kind of custom extractions broke for you?
As mentioned by @martin_mueller, the documentation is available which explains the changes to WinEventLog source and sourcetypes in v5.0.0.
Just pasting the link again.
http://docs.splunk.com/Documentation/WindowsAddOn/5.0.0/User/Upgrade#WinEventLog_extraction_changes

I would suggest you to have a look at it again, if you face any issues after that I would be happy to help. Please have a look at documentation and revert back if you face any issues related to extractions that doesn't work for you.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust
0 Karma

gjanders
SplunkTrust
SplunkTrust

And no mention in the release notes as per your discussion on the documentation page!

Since the documentation pages don't have a "show differences" button between versions it should really be on the release notes.
That said, if I could show differences between documentation versions it would be incredibly useful 🙂

0 Karma
Get Updates on the Splunk Community!

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...

Announcing General Availability of Splunk Incident Intelligence!

Digital transformation is real! Across industries, companies big and small are going through rapid digital ...