Splunk App for Windows on *nix indexer/search heads

Engager

It says in "What a Splunk App for Windows deployment looks like" that "You can deploy the Splunk App for Windows on *nix search heads and use *nix indexers to index the data." In "How to deploy the Splunk App for Windows", we are told to install the Windows TA on our indexers. However, the "Windows TA documentation" says that it will not work properly installed on *nix systems. Sure enough, when I try to install the Windows TA on my Red Hat indexer, it does not appear as an app in Splunk Web. I am working with Windows App version 5.0.0 and Windows TA version 4.6.2.

I would like to have our Splunk for Windows App deployment use *nix for both the indexers and search heads; is this possible?

1 Solution

Splunk Employee

Hi,

After further consultation with the engineers who develop the Windows TA, I need to amend my answer to your question. I apologize in advance for the inconvenience and confusion.

It turns out that you do indeed need to install the Splunk TA for Windows onto the *nix indexers in the central Splunk App for Windows instance. While the TA does not collect Windows data on *nix servers, it does perform index-time field extractions on the incoming Windows data from universal forwarders.

You won't see the Windows TA in your *nix indexer's Splunk Web app list because TAs by definition have no user interface.
