We want to upgrade the Splunk_TA_Windows to the most recent version, but realized that it's only supported on versions 6.6+, and lots of our clients use 6.5.4. Has anyone tried upgrading the app on the HFW/IDX, but keeping the "old" (4.8.3) on the forwarders? We do not control installing the forwarders on the servers, so upgrading it is going to take some time.
We recently upgraded Splunk_TA_windows on all enterprise servers and clients to 5.0.1 from 4.8.3. We've a bunch of clients which were running 6.5.* and 6.6.* versions. So far we're not seeing any issues, and it also updates how source and sourcetypes are assigned to WinEventLog data.
For more details please look here:
http://docs.splunk.com/Documentation/WindowsAddOn/5.0.1/User/Upgrade#WinEventLog_extraction_changes
WinEventLog extraction changes
The Splunk Add-on for Windows v5.0.x updates how source and sourcetypes are assigned to WinEventLog data.
Sourcetype changes for WinEventLog data
All WinEventLogs are assigned to either the WinEventLog or the XmlWinEventLog sourcetype and distinguished by their source.
| Version 4.8.4 and earlier source | Version 4.8.4 and earlier sourcetype | Version 5.0.x source | Version 5.0.x sourcetype |
| --- | --- | --- | --- |
| WinEventLog:System | WinEventLog:System | WinEventLog:System | WinEventLog |
| WinEventLog:Application | WinEventLog:Application | WinEventLog:Application | WinEventLog |
| WinEventLog:Security | WinEventLog:Security | WinEventLog:Security | WinEventLog |
| WinEventLog:System | XmlWinEventLog:System | XmlWinEventLog:System | XmlWinEventLog |
| WinEventLog:Application | XmlWinEventLog:Application | XmlWinEventLog:Application | XmlWinEventLog |
| WinEventLog:Security | XmlWinEventLog:Security | XmlWinEventLog:Security | XmlWinEventLog |
The sourcetypes WinEventLog:System, WinEventLog:Application, and WinEventLog:Security in the Splunk Add-on for Windows version 4.8.4 or earlier will remain the same for already indexed events. For newly indexed events from the Splunk Add-on for Windows version 5.0.x, the sourcetypes will be changed as shown in the table above.
Backwards compatibility for indexed events
Due to this change, events that have already been indexed will not be extracted properly, so add the appropriate stanzas to rename already indexed events at search time in props.conf.
For already indexed events you can modify your searches, alerts, dashboards, etc., by simply changing “sourcetype=WinEventLog:source” to “sourcetype=wineventlog” (case sensitive).
For new searches, alerts, dashboards, etc., use “source=WinEventLog:source” instead.
Hope this helps.
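As an added example (not from the original post or the Splunk documentation it quotes), these are the search-time props.conf stanzas the "rename already indexed events" step refers to; the file location is an assumption, and the mapping follows the table above:

```ini
# props.conf, search-time only: deploy on the search head(s), for example in
# $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/props.conf (assumed location).
#
# Events indexed under the pre-5.0 per-channel sourcetypes are presented as
# the 5.0.x sourcetypes at search time, so sourcetype=WinEventLog (or
# XmlWinEventLog) returns old and new events together and the 5.0.x
# search-time extractions of the target sourcetype apply to both.
# The original value remains searchable via _sourcetype=WinEventLog:Security.
# Caveat: any EXTRACT/REPORT settings defined in a renamed stanza are ignored;
# only the target sourcetype's search-time knowledge is used.

[WinEventLog:System]
rename = WinEventLog

[WinEventLog:Application]
rename = WinEventLog

[WinEventLog:Security]
rename = WinEventLog

[XmlWinEventLog:System]
rename = XmlWinEventLog

[XmlWinEventLog:Application]
rename = XmlWinEventLog

[XmlWinEventLog:Security]
rename = XmlWinEventLog
```

After this rename, distinguish channels with source=WinEventLog:Security (and so on) as the table shows, rather than by sourcetype.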