Our team just transitioned from Splunk Add-on for windows v4 to v5. Changing references to sourcetypes among knowledge objects (KOs) (savedsearches, dashboards, data models, and notables) was a hassle but we got through it with a little bit of automation. The idea of moving to Splunk app for windows v6 is daunting due to requirements to change references to field names among those same KO types where field names to replace are far less predictable. Our search heads have over 1000 KOs which reference the xmlWinEventLog sourcetype.
Has anyone made the transition to Splunk Add-on for Windows v6? If so:
- What are some benefits of the change to get excited about?
- Approximately how many knowledge objects did you have to adjust to support the new schema?
- What was your strategy to prepare knowledge objects for the change?
- Did you experience search time performance degradation due to increased number of lookups and XML-based search time field extraction?
Aside from the transition headache, i'm excited that search results for XML-based windows security logs will have less ambiguous field names. For example, instead of "Account_Name" being a multi-value field, the XML-based output will have field names with improved context such as SubjectUserName and TargetUserName. Having consistency in field name extraction for such important events/fields will enable more innovation in modeling and monitoring and in turn improve incident response and overall security.
I am in the process of planning a v5 to v6 upgrade and have similar questions.
The key differences (and main sticking point) is that v6 has the MSAD v1 inputs built-in. So you essentially combine any input stanzas into your local and shut-down one TA in favor of a bundled TA. A good friend from the Splunk team also recommended disabling XML rendering due to performance degradation, but that this may change in the future.
*Following this thread.