Solved: Re: Windows add-on v6 indexes

msaz · ‎04-10-2019

What index = should be provided for the Windows_TA v6 ? The instructions only say to set disabled = 0 in inputs.conf. All of the incoming data is going to main. I feel like I've missed a step, but am not seeing the solution.

https://docs.splunk.com/Documentation/WindowsAddOn/6.0.0/User/Configuration

whrg · ‎04-11-2019

Hello @msaz,

In older version of the Windows_TA, every input in inputs.conf had the index parameter. For example:

[WinEventLog://Security]
disabled = 1
index = wineventlog
...

It also came with the file default/indexes.conf which consisted of the indexes windows, wineventlog and perfmon.

Now with newer version of Windows_TA, you can read in the link you provided that "the indexes.conf file was removed in the Splunk Add-on for Windows version 5.0.0". Also, the index parameter for all inputs in inputs.conf was removed.

If an input in inputs.conf does not explicitly set an index, then its logs will go to the main/default index.

If you do not want to use the main index (which you should not) then you must define the index yourself. Then add "index = YOURINDEX" to all inputs where you set "disabled = 0".

Perhaps the instructions should be improved.

View solution in original post

whrg · ‎04-11-2019

Hello @msaz,

In older version of the Windows_TA, every input in inputs.conf had the index parameter. For example:

[WinEventLog://Security]
disabled = 1
index = wineventlog
...

It also came with the file default/indexes.conf which consisted of the indexes windows, wineventlog and perfmon.

Now with newer version of Windows_TA, you can read in the link you provided that "the indexes.conf file was removed in the Splunk Add-on for Windows version 5.0.0". Also, the index parameter for all inputs in inputs.conf was removed.

If an input in inputs.conf does not explicitly set an index, then its logs will go to the main/default index.

If you do not want to use the main index (which you should not) then you must define the index yourself. Then add "index = YOURINDEX" to all inputs where you set "disabled = 0".

Perhaps the instructions should be improved.

msaz · ‎04-11-2019

Right, I read the information about no indexes.conf and no index= for inputs.conf. The Splunk App for Windows Infrastructure specifies indexes for the stanzas in Table A (link below). Do these still apply for Windows TA v6 ?

https://docs.splunk.com/Documentation/MSApp/1.5.1/MSInfra/DownloadandconfiguretheSplunkAdd-onforWind...

msaz · ‎04-11-2019

I'll go with settings in Table A.

whrg · ‎04-11-2019

If I understand correctly, you have the following options:

1) Use the indexes from Table A. You will need to set "index = wineventlog" and so on in Windows_TA's inputs.conf according to Table A. The MSApp should now work out of the box, because it will automatically use the indexes from table A. However, I believe you still need to create the indexes (Settings / Indexes or indexes.conf) because neither MSApp nor Windows_TA comes with indexes.conf.

2) Use your custom indexes. You will need to set "index = YOURINDEX" in Windows_TA. Also you will need to edit the macros (see the section "Update macros.conf" in the link you provided) for MSApp.

3) Use the main index. Again, I do not recommened that. The approach is the same as for 2)

Personally, I only use the Windows_TA without the MSApp. (I prefer to create the dashboards myself in a custom app.) Similar to 2) I have one custom index for all Windows logs.

Windows add-on v6 indexes

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk