Installation

Has anyone tried upgrading Splunk_TA_Windows on the HFW/IDX, but keeping the "old" (4.8.3)?

Champion

We want to upgrade the Splunk_TA_Windows to the most recent version, but realized that it's only supported on versions 6.6+, and lots of our clients use 6.5.4. Has anyone tried upgrading the app on the HFW/IDX, but keeping the "old" (4.8.3) on the forwarders? We do not control installing the forwarders on the servers, so upgrading it is going to take some time.

Labels (1)
0 Karma

Communicator

We recently upgraded Splunk_TA_windows on all enterprise servers and clients to 5.0.1 from 4.8.3 . We've bunch of clients which were running with 6.5.* and 6.6.* versions . So far we're not seeing any issues and also it is updating how source and sourcetypes are assigned to WinEventLog data.

For more details please look here:

http://docs.splunk.com/Documentation/WindowsAddOn/5.0.1/User/Upgrade#WinEventLog_extraction_changes

WinEventLog extraction changes

The Splunk Add-on for Windows v5.0.x updates how source and sourcetypes are assigned to WinEventLog data.

Sourcetype changes for WinEventLog data

All WinEventLogs are assigned to either the WinEventLog or the XmlWinEventLog sourcetype and distinguished by their source.

Version 4.8.4 and earlier source    Version 4.8.4 and earlier sourcetype    Version 5.0.x source    Version 5.0.x sourcetype

WinEventLog:System               WinEventLog:System                   WinEventLog:System                 WinEventLog
WinEventLog:Application         WinEventLog:Application              WinEventLog:Application            WinEventLog
WinEventLog:Security               WinEventLog:Security                 WinEventLog:Security               WinEventLog
WinEventLog:System               XmlWinEventLog:System                 XmlWinEventLog:System              XmlWinEventLog
WinEventLog:Application         XmlWinEventLog:Application            XmlWinEventLog:Application         XmlWinEventLog
WinEventLog:Security               XmlWinEventLog:Security               XmlWinEventLog:Security            XmlWinEventLog

The sourcetypes WinEventLog:System, WinEventLog:Application, and WinEventLog:Security in the Splunk Add-on for Windows version 4.8.4 or earlier will remain the same for already indexed events. For newly indexed events from the Splunk Add-on for Windows version 5.0.x, the sourcetypes will be changed as shown in the table above.

Backwards compatibility for indexed events

Due to this change, events that have already been indexed will not be extracted properly so add the appropriate stanzas to rename already indexed events at search-time in props.conf.

For already indexed events you can modify your searches, alerts, dashboards, etc., by simply changing “sourcetype=WinEventLog:source” to “sourcetype=wineventlog” (case sensitive).

For new searches, alerts, dashboards, etc., use “source=WinEventLog:source” instead.

Hope this helps.

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!