Splunk for AD - Disable pop up about Windows TA

msarro
Builder

Greetings. We are working to install the Splunk for AD app in our distributed deployment. However, when we enter the app, we receive the following error in a dialog box:

"This instance of Splunk does not have the Splunk_TA_windows app installed."

This is correct; our search head is running Linux, so it shouldn't have the Splunk_TA_windows app installed. How can I disable this popup? Or is the TA required even on *nix systems? Because if it is, that contradicts the documentation for the deployment of the TA for the Windows app.

1 Solution

jbernt_splunk
Splunk Employee

Hello,

Yes, the Windows Addon (splunk_ta_windows) is required to be installed, even on *nix search heads, as it adds additional knowledge around searching for Windows-based system data. The Windows addon is also a requirement on the indexing tier, as per the instructions, as it adds additional knowledge at this layer as well.
Hope this helps,
Jeff.

msarro
Builder

I am aware that the apps are different; I just didn't realize that the AD app overrode the requirements of the Windows app. Thank you for the heads up, I'll give it a shot.

0 Karma

jbernt_splunk
Splunk Employee

Ah, I see the confusion. The Windows Addon has to be on every search head at the very least (regardless of OS). Only on the Windows-based indexers does it need to be installed to send its own Windows log data into Splunk.

0 Karma

jbernt_splunk
Splunk Employee

100%
Splunk App for Windows is different than the AD app. The AD app requires the Windows Addon (as does the Splunk App for Windows). Both require the Windows Addon.

0 Karma

msarro
Builder

Are you sure? The documentation here: http://docs.splunk.com/Documentation/WindowsApp/latest/User/HowtodeploytheSplunkAppforWindows says the opposite. Hence the confusion.

0 Karma

mikelanghorst
Motivator

Just be sure to disable the inputs.

0 Karma