Windows add-on v6 indexes

msaz
Path Finder

What index = should be provided for the Windows_TA v6? The instructions only say to set disabled = 0 in inputs.conf. All of the incoming data is going to main. I feel like I've missed a step, but am not seeing the solution.

https://docs.splunk.com/Documentation/WindowsAddOn/6.0.0/User/Configuration

whrg
Motivator

Hello @msaz,

In older versions of the Windows_TA, every input in inputs.conf had the index parameter. For example:

[WinEventLog://Security]
disabled = 1
index = wineventlog
...

It also came with the file default/indexes.conf which consisted of the indexes windows, wineventlog and perfmon.

Now with newer versions of Windows_TA, you can read in the link you provided that "the indexes.conf file was removed in the Splunk Add-on for Windows version 5.0.0". Also, the index parameter for all inputs in inputs.conf was removed.

If an input in inputs.conf does not explicitly set an index, then its logs will go to the main/default index.

If you do not want to use the main index (which you should not) then you must define the index yourself. Then add "index = YOURINDEX" to all inputs where you set "disabled = 0".

Perhaps the instructions should be improved.

msaz
Path Finder

Right, I read the information about no indexes.conf and no index= for inputs.conf. The Splunk App for Windows Infrastructure specifies indexes for the stanzas in Table A (link below). Do these still apply for Windows TA v6?

https://docs.splunk.com/Documentation/MSApp/1.5.1/MSInfra/DownloadandconfiguretheSplunkAdd-onforWind...

msaz
Path Finder

I'll go with settings in Table A.

whrg
Motivator

If I understand correctly, you have the following options:

1) Use the indexes from Table A. You will need to set "index = wineventlog" and so on in Windows_TA's inputs.conf according to Table A. The MSApp should now work out of the box, because it will automatically use the indexes from table A. However, I believe you still need to create the indexes (Settings / Indexes or indexes.conf) because neither MSApp nor Windows_TA comes with indexes.conf.

2) Use your custom indexes. You will need to set "index = YOURINDEX" in Windows_TA. Also you will need to edit the macros (see the section "Update macros.conf" in the link you provided) for MSApp.

3) Use the main index. Again, I do not recommend that. The approach is the same as for 2).

Personally, I only use the Windows_TA without the MSApp. (I prefer to create the dashboards myself in a custom app.) Similar to 2) I have one custom index for all Windows logs.
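The two points whrg makes in this thread, that an enabled input with no index= silently lands in main, and that neither the add-on nor the MSApp ships an indexes.conf any more so the indexes named in inputs.conf still have to be created, are both easy to audit before deploying to forwarders. The following is an added example written for this thread; it is not code from the Splunk Add-on for Windows, the MSApp or Splunk itself. It parses the text of a local/inputs.conf and a local/indexes.conf with a small hand-written reader (Splunk's own conf-layering across system/default, default/ and local/ is not reproduced; only [default]-stanza inheritance within the one file is honoured), and the BUILTIN_INDEXES set, sample stanzas and generated indexes.conf stub are constructed for the example:

```python
"""Audit a Windows add-on inputs.conf for inputs that will land in main.

Constructed example for this thread; not part of the add-on or of Splunk.
Works on the text of the .conf files, so it runs offline against copies
pulled from a forwarder's local/ directory.
"""
import re

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")

# Indexes every Splunk instance defines in system/default/indexes.conf.
BUILTIN_INDEXES = {"main", "history", "summary", "_internal", "_audit",
                   "_introspection", "_telemetry", "_thefishbucket"}

# Spellings Splunk accepts as boolean false (case-insensitive).
FALSE_VALUES = {"0", "false", "f", "no", "n"}


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}.

    Skips comments and blank lines, joins backslash continuations, treats
    settings above the first stanza as [default], and lets a later duplicate
    key override an earlier one, as Splunk does within a single file.
    """
    stanzas, current, pending = {}, "default", ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]          # continuation: glue the next line on
            continue
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            stanzas.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas


def setting(stanzas, name, key, fallback=None):
    """Look up a key on one stanza, falling back to [default] as Splunk does."""
    return stanzas[name].get(key, stanzas.get("default", {}).get(key, fallback))


def audit_inputs(inputs_text, indexes_text):
    """Report enabled inputs that route to main and indexes nobody defined.

    Returns {"to_main": [stanza, ...], "undefined": {index: [stanza, ...]}}.
    Events sent to an index that does not exist are discarded by the indexer
    (unless lastChanceIndex is configured), so the second list matters too.
    """
    inputs = parse_conf(inputs_text)
    # Volume/provider stanzas in indexes.conf contain ':' and are not indexes.
    defined = BUILTIN_INDEXES | {
        s for s in parse_conf(indexes_text) if s != "default" and ":" not in s
    }
    to_main, undefined = [], {}
    for name in inputs:
        if name == "default":
            continue
        if setting(inputs, name, "disabled", "0").lower() not in FALSE_VALUES:
            continue                     # disabled input: routing is irrelevant
        index = setting(inputs, name, "index")
        if index is None or index == "main":
            to_main.append(name)
        elif index not in defined:
            undefined.setdefault(index, []).append(name)
    return {"to_main": sorted(to_main), "undefined": undefined}


def indexes_conf_stub(names):
    """Render minimal indexes.conf stanzas for indexes that still need creating."""
    return "\n".join(
        f"[{n}]\nhomePath = $SPLUNK_DB/{n}/db\n"
        f"coldPath = $SPLUNK_DB/{n}/colddb\n"
        f"thawedPath = $SPLUNK_DB/{n}/thaweddb\n"
        for n in sorted(names)
    )


# Constructed sample: a v6-style local/inputs.conf where only some stanzas got index=.
SAMPLE_INPUTS = """\
[WinEventLog://Security]
disabled = 0

[WinEventLog://Application]
disabled = 0
index = wineventlog

[WinEventLog://System]
disabled = 1

[perfmon://CPU]
disabled = 0
index = perfmon
"""

# Constructed sample: the admin created wineventlog but forgot perfmon.
SAMPLE_INDEXES = """\
[wineventlog]
homePath = $SPLUNK_DB/wineventlog/db
coldPath = $SPLUNK_DB/wineventlog/colddb
thawedPath = $SPLUNK_DB/wineventlog/thaweddb
"""

if __name__ == "__main__":
    report = audit_inputs(SAMPLE_INPUTS, SAMPLE_INDEXES)
    for stanza in report["to_main"]:
        print(f"{stanza}: enabled but no index set, events go to main")
    for index, stanzas in report["undefined"].items():
        print(f"{index}: referenced by {', '.join(stanzas)} but not defined")
    print(indexes_conf_stub(report["undefined"]))
```

Run against the sample, the audit flags WinEventLog://Security as falling through to main (the situation msaz describes), ignores the disabled System input, and reports perfmon as referenced but never defined, then prints the three-path stanza an admin would paste into indexes.conf to create it. The same two checks apply whether the index names come from Table A or are custom ones.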
