Our environment consists of a multi-site indexer cluster, two search head clusters, and several thousand Windows hosts. Our current implementation of the Splunk_TA_windows app is a bit of a mess, with different versions on the search heads, indexers, and UFs.
I'd like to get everything standardized by upgrading to the latest version, as well as testing out XML format for WinEventLogs; however, many of these hosts do not meet the minimum requirements for Splunk_TA_windows v6 (Windows 2003 and 2008 servers, as well as some pre-6.6 Splunk UFs, although we can get these upgraded).
I was considering a separate server class for the UFs that are supported, including a renamed version of the app; however, I'm not sure how to handle the indexers and search heads. If we leave the current version (4.8.3) on the indexers, then the index-time extractions will be applied to both v6 and pre-6 hosts, which I imagine would cause problems. The same holds true if we upgrade the app on the indexers: the servers running the older version of the app will have the props/transforms settings from the new version applied.
One thought I've been toying around with is sending the servers that support v6 through our heavy forwarders and installing the newer version of the app there. The legacy servers would keep v4 or v5, as would the indexers; newer servers would get v6, as would the HFs. Even if that works, though, we still have the search-time extractions to deal with on the two search head clusters, and I'm not certain that either version is compatible with the other.
Has anyone else run into this? Is there a solution where I can support both the latest version of the Windows app on newer servers as well as the older version, or am I stuck waiting for all of our legacy servers to be phased out?
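As an added illustration of the "separate server class with a renamed app" idea from the question (this is example configuration written for this page, not the poster's own config or anything shipped with Splunk_TA_windows), here is a deployment-server serverclass.conf that splits the Windows fleet into two server classes. The hostname patterns `win-new-*`, the app folder name `Splunk_TA_windows_v6`, and the assumption that the newer hosts can be identified by a naming convention are all assumptions; the deployment server has no built-in filter for Windows OS version or UF version, so the split has to come from whitelists/blacklists, hostname patterns, or an explicit host list.

```ini
# serverclass.conf on the deployment server (example only; host patterns are assumed)
[global]
# Restart the forwarder after an app is deployed or removed
restartSplunkd = true

# Legacy hosts (Windows 2003/2008, pre-6.6 UFs): keep the old app version.
# Everything matches the whitelist except the hosts carved out by the blacklist.
[serverClass:windows_legacy]
whitelist.0 = *
blacklist.0 = win-new-*
# Only deliver this class to Windows forwarders
machineTypesFilter = windows-x64, windows-intel

[serverClass:windows_legacy:app:Splunk_TA_windows]
restartSplunkd = true

# Supported hosts: receive the renamed copy of the v6 app.
# The legacy app must not also land here, so the two classes' whitelists are disjoint.
[serverClass:windows_v6]
whitelist.0 = win-new-*
machineTypesFilter = windows-x64, windows-intel

[serverClass:windows_v6:app:Splunk_TA_windows_v6]
restartSplunkd = true
```

Renaming the app folder only changes which hosts get which inputs.conf; the sourcetypes the inputs emit (for example `WinEventLog` versus `XmlWinEventLog` once XML rendering is enabled) are what the indexers and search heads key their props/transforms on, so the renamed folder by itself does not resolve the index-time and search-time version conflict raised above. A quick check after deployment is `splunk list deploy-clients` on the deployment server, or `splunk btool inputs list --debug` on a forwarder, to confirm each host picked up exactly one of the two apps.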