Windows add-on v6 indexes

msaz
Path Finder

What index = should be provided for the Windows_TA v6? The instructions only say to set disabled = 0 in inputs.conf. All of the incoming data is going to main. I feel like I've missed a step, but am not seeing the solution.

https://docs.splunk.com/Documentation/WindowsAddOn/6.0.0/User/Configuration

0 Karma
1 Solution

whrg
Motivator

Hello @msaz,

In older versions of the Windows_TA, every input in inputs.conf had the index parameter. For example:

[WinEventLog://Security]
disabled = 1
index = wineventlog
...

It also came with the file default/indexes.conf which consisted of the indexes windows, wineventlog and perfmon.

Now with newer versions of Windows_TA, you can read in the link you provided that "the indexes.conf file was removed in the Splunk Add-on for Windows version 5.0.0". Also, the index parameter for all inputs in inputs.conf was removed.

If an input in inputs.conf does not explicitly set an index, then its logs will go to the main/default index.

If you do not want to use the main index (which you should not) then you must define the index yourself. Then add "index = YOURINDEX" to all inputs where you set "disabled = 0".

Perhaps the instructions should be improved.

0 Karma

msaz
Path Finder

Right, I read the information about no indexes.conf and no index= for inputs.conf. The Splunk App for Windows Infrastructure specifies indexes for the stanzas in Table A (link below). Do these still apply for Windows TA v6?

https://docs.splunk.com/Documentation/MSApp/1.5.1/MSInfra/DownloadandconfiguretheSplunkAdd-onforWind...

0 Karma

msaz
Path Finder

I'll go with settings in Table A.

0 Karma

whrg
Motivator

If I understand correctly, you have the following options:

1) Use the indexes from Table A. You will need to set "index = wineventlog" and so on in Windows_TA's inputs.conf according to Table A. The MSApp should now work out of the box, because it will automatically use the indexes from Table A. However, I believe you still need to create the indexes (Settings / Indexes or indexes.conf) because neither MSApp nor Windows_TA comes with indexes.conf.

2) Use your custom indexes. You will need to set "index = YOURINDEX" in Windows_TA. Also you will need to edit the macros (see the section "Update macros.conf" in the link you provided) for MSApp.

3) Use the main index. Again, I do not recommend that. The approach is the same as for 2).

Personally, I only use the Windows_TA without the MSApp. (I prefer to create the dashboards myself in a custom app.) Similar to 2) I have one custom index for all Windows logs.

0 Karma
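
An added example, not part of the original thread or of Splunk's own tooling: a small Python check of the advice above that every input set to disabled = 0 should carry its own index. It reads a single inputs.conf (the sample is constructed, the function names are hypothetical) and does not merge the default/ and local/ layers; it assumes an index set in a [default] stanza or before any stanza applies to all inputs.

```python
# Constructed sample of a Windows_TA local/inputs.conf (not from the thread).
SAMPLE_INPUTS_CONF = """\
[WinEventLog://Security]
disabled = 0
index = wineventlog

[WinEventLog://System]
disabled = 0

[perfmon://CPU]
disabled = 1

[WinHostMon://Process]
disabled = false
index = windows
"""

def parse_conf(text):
    """Return {stanza: {key: value}} for a Splunk-style .conf file."""
    # Settings before the first stanza are kept with [default] (global settings).
    stanzas = {"default": {}}
    current = stanzas["default"]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def inputs_falling_to_main(text):
    """List enabled stanzas whose events would land in the main index."""
    stanzas = parse_conf(text)
    inherited = stanzas["default"].get("index")  # global index, if any
    flagged = []
    for name, settings in stanzas.items():
        if name == "default":
            continue
        enabled = settings.get("disabled", "").lower() in ("0", "false")
        index = settings.get("index", inherited)
        if enabled and index in (None, "", "main"):
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    for stanza in inputs_falling_to_main(SAMPLE_INPUTS_CONF):
        print(f"enabled without a dedicated index: [{stanza}]")
```

Run it against the add-on's local/inputs.conf after enabling inputs; any stanza it lists still needs an "index = YOURINDEX" line.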