Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Is Splunk Windows TA needed to forward Windows Event Logs?

morethanyell
Builder
‎10-02-2020 08:36 AM

Hi,

Is the entire "Splunk Add-on for Microsoft Windows" needed to be pushed to forwarders in order to enable forwarding of WinEventLogs?

While in Linux, I'm sure that the "Splunk Add-on for Unix and Linux" is needed because all inputs are scripted and the scripts come with the TA, I am not sure about Windows.

Would it be possible to just push a app that houses a simplistic `inputs.conf` that enables forwarding of selected/whitelisted EventCodes? Or does the `inputs.conf` need to come with the entire Splunk Windows TA?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-02-2020 08:43 AM

Hi @morethanyell,

no it isn't needed but very advisable because there's no reason to invent hot water every time: in any case you can disable the inputs that don't interest you.

Anyway, there are many scripted inputs also in Windows_TA!

Then Windows_TA gives you the correct parsing of all events, infact it's usually installed also on Indexers and Search Heads even if they are Linux servers because it contains all the parsing configurations.

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-02-2020 08:43 AM

Hi @morethanyell,

no it isn't needed but very advisable because there's no reason to invent hot water every time: in any case you can disable the inputs that don't interest you.

Anyway, there are many scripted inputs also in Windows_TA!

Then Windows_TA gives you the correct parsing of all events, infact it's usually installed also on Indexers and Search Heads even if they are Linux servers because it contains all the parsing configurations.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

morethanyell
Builder
‎10-02-2020 08:51 AM

Thank you. Pushing into a UF tho. So, parsing is not mind. Also, the TA is the index cluster of SplunkCloud where we index the events, so it's gonna be taken care of there, I believe.

Tags (1)
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-02-2020 09:01 AM

Hi @morethanyell,

as I said there are two level of use of TA_Windows:

  • to ingest logs on Forwarders,
  • to parse the logs on Indexers and Search Heads,

it's possible to upload TAs also on Splunk Cloud.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...