Has anyone tried upgrading Splunk_TA_Windows on the HFW/IDX, but keeping the "old" (4.8.3)?


We want to upgrade the Splunk_TA_Windows to the most recent version, but realized that it's only supported on versions 6.6+, and lots of our clients use 6.5.4. Has anyone tried upgrading the app on the HFW/IDX, but keeping the "old" (4.8.3) on the forwarders? We do not control installing the forwarders on the servers, so upgrading them is going to take some time.



We recently upgraded Splunk_TA_windows on all enterprise servers and clients to 5.0.1 from 4.8.3. We have a bunch of clients which were running 6.5.* and 6.6.* versions. So far we're not seeing any issues, and also it is updating how source and sourcetypes are assigned to WinEventLog data.

For more details please look here:

WinEventLog extraction changes

The Splunk Add-on for Windows v5.0.x updates how source and sourcetypes are assigned to WinEventLog data.

Sourcetype changes for WinEventLog data

All WinEventLogs are assigned to either the WinEventLog or the XmlWinEventLog sourcetype and distinguished by their source.

Version 4.8.4 and earlier source   Version 4.8.4 and earlier sourcetype   Version 5.0.x source         Version 5.0.x sourcetype

WinEventLog:System                 WinEventLog:System                     WinEventLog:System           WinEventLog
WinEventLog:Application            WinEventLog:Application                WinEventLog:Application      WinEventLog
WinEventLog:Security               WinEventLog:Security                   WinEventLog:Security         WinEventLog
WinEventLog:System                 XmlWinEventLog:System                  XmlWinEventLog:System        XmlWinEventLog
WinEventLog:Application            XmlWinEventLog:Application             XmlWinEventLog:Application   XmlWinEventLog
WinEventLog:Security               XmlWinEventLog:Security                XmlWinEventLog:Security      XmlWinEventLog

The sourcetypes WinEventLog:System, WinEventLog:Application, and WinEventLog:Security in the Splunk Add-on for Windows version 4.8.4 or earlier will remain the same for already indexed events. For newly indexed events from the Splunk Add-on for Windows version 5.0.x, the sourcetypes will be changed as shown in the table above.

Backwards compatibility for indexed events

Due to this change, events that have already been indexed will not be extracted properly, so add the appropriate stanzas to rename already indexed events at search-time in props.conf.

For already indexed events you can modify your searches, alerts, dashboards, etc., by simply changing “sourcetype=WinEventLog:source” to “sourcetype=wineventlog” (case sensitive).

For new searches, alerts, dashboards, etc., use “source=WinEventLog:source” instead.

Hope this helps.
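Added example, not part of the answer above and not Splunk's own code: the 4.8.4 to 5.0.x mapping from the table, turned into the two artifacts a detection engineer needs after the upgrade. It generates search-time `rename` stanzas for props.conf (the `rename` attribute is a real props.conf setting; the exact stanza layout shown is an assumption, so compare it against the add-on's release notes) and rewrites an SPL filter so a saved search or alert keeps matching both already-indexed events (old sourcetype) and newly-indexed ones (new source plus sourcetype) during the transition. The sample searches are constructed for the example. Assumed function names: `legacy_mapping`, `props_rename_stanzas`, `migrate_search`.

```python
"""Migration helper for the Splunk_TA_windows 4.8.x -> 5.0.x sourcetype change.

Added example (not from the thread or from Splunk). It encodes the
source/sourcetype table from the answer above and shows:
  1. props.conf search-time 'rename' stanzas so existing field extractions
     still apply to already-indexed events (stanza layout is an assumption);
  2. rewriting an SPL filter so it matches old and new events at the same
     time, which keeps alerts from silently going quiet after the upgrade.
"""
import re

# Channels listed in the 4.8.4 -> 5.0.x table.
CHANNELS = ("System", "Application", "Security")


def legacy_mapping(xml=False):
    """Return {old_sourcetype: (new_source, new_sourcetype)} for one format.

    Classic:  WinEventLog:System    -> source WinEventLog:System,    sourcetype WinEventLog
    XML:      XmlWinEventLog:System -> source XmlWinEventLog:System, sourcetype XmlWinEventLog
    """
    prefix = "XmlWinEventLog" if xml else "WinEventLog"
    return {f"{prefix}:{ch}": (f"{prefix}:{ch}", prefix) for ch in CHANNELS}


# Both formats in one lookup table.
FULL_MAPPING = {**legacy_mapping(xml=False), **legacy_mapping(xml=True)}


def props_rename_stanzas(mapping):
    """Build props.conf text that renames old sourcetypes at search time.

    Assumed shape (check against the add-on docs):
        [WinEventLog:Security]
        rename = WinEventLog
    """
    lines = []
    for old_sourcetype, (_new_source, new_sourcetype) in sorted(mapping.items()):
        lines.append(f"[{old_sourcetype}]")
        lines.append(f"rename = {new_sourcetype}")
        lines.append("")
    return "\n".join(lines)


# Matches sourcetype=WinEventLog:<channel> or sourcetype="XmlWinEventLog:<channel>".
# Case-sensitive on purpose: the answer notes the sourcetype values are case sensitive.
_SOURCETYPE_RE = re.compile(
    r'sourcetype\s*=\s*"?((?:Xml)?WinEventLog:(?:System|Application|Security))"?'
)


def migrate_search(spl, mapping=FULL_MAPPING):
    """Rewrite legacy sourcetype filters into a clause covering both eras.

    sourcetype=WinEventLog:Security becomes
    (sourcetype="WinEventLog:Security" OR (source="WinEventLog:Security" sourcetype="WinEventLog"))
    Searches that already use the new source= form are left untouched.
    """
    def _replace(match):
        old_sourcetype = match.group(1)
        new_source, new_sourcetype = mapping[old_sourcetype]
        return (f'(sourcetype="{old_sourcetype}" OR '
                f'(source="{new_source}" sourcetype="{new_sourcetype}"))')
    return _SOURCETYPE_RE.sub(_replace, spl)


if __name__ == "__main__":
    print(props_rename_stanzas(legacy_mapping()))
    # Constructed sample: a typical logon-detection search written for 4.8.x.
    print(migrate_search("sourcetype=WinEventLog:Security EventCode=4624"))
```

Run the module directly to print the generated stanzas and a rewritten sample search; in a real migration, run `migrate_search` over each saved search from savedsearches.conf and drop the legacy half of the clause once the old events have aged out of retention.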
