Splunk Enterprise Security

Splunk Add-on for Windows v6 - Transition Experiences Requested

dstaulcu
Builder

Our team just transitioned from Splunk Add-on for Windows v4 to v5. Changing references to sourcetypes among knowledge objects (KOs) (savedsearches, dashboards, data models, and notables) was a hassle, but we got through it with a little bit of automation. The idea of moving to Splunk app for Windows v6 is daunting due to requirements to change references to field names among those same KO types, where the field names to replace are far less predictable. Our search heads have over 1000 KOs which reference the xmlWinEventLog sourcetype.

Has anyone made the transition to Splunk Add-on for Windows v6? If so:
- What are some benefits of the change to get excited about?
- Approximately how many knowledge objects did you have to adjust to support the new schema?
- What was your strategy to prepare knowledge objects for the change?
- Did you experience search-time performance degradation due to the increased number of lookups and XML-based search-time field extraction?

Aside from the transition headache, I'm excited that search results for XML-based Windows security logs will have less ambiguous field names. For example, instead of "Account_Name" being a multi-value field, the XML-based output will have field names with improved context such as SubjectUserName and TargetUserName. Having consistency in field name extraction for such important events/fields will enable more innovation in modeling and monitoring, and in turn improve incident response and overall security.

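The migration problem described in the post above, a large set of saved searches that reference legacy field names, is something worth auditing mechanically before the upgrade rather than discovering through detections that quietly return nothing. The Python script below is an added example written for this page; it is not Splunk's code or the poster's own automation. It parses savedsearches.conf stanzas (handling Splunk's backslash line continuations), scopes to searches against the XmlWinEventLog sourcetype, applies field renames that have exactly one replacement, and only flags the ambiguous ones such as Account_Name, which per the post splits into SubjectUserName or TargetUserName depending on the event. The FIELD_MAP and the sample conf text are constructed for illustration; the Logon_Type -> LogonType entry is an assumed mapping included only to show an unambiguous rewrite, and every entry should be verified against the installed add-on's props.conf and transforms.conf before use.

```python
"""Audit Splunk knowledge objects for field names that change between add-on versions.

Added example for this thread, not Splunk's code or the poster's automation.
Parses savedsearches.conf-style text, finds token-level references to legacy
field names in XmlWinEventLog searches, rewrites unambiguous ones and flags
the rest for a human.
"""
import re
from typing import Dict, List, Tuple

# Legacy field -> candidate replacement field(s).
# Account_Name -> SubjectUserName / TargetUserName comes from the thread.
# Logon_Type -> LogonType is an ASSUMED mapping used only to show a rewrite.
# Verify every entry against the installed TA's props.conf / transforms.conf.
FIELD_MAP: Dict[str, List[str]] = {
    "Account_Name": ["SubjectUserName", "TargetUserName"],
    "Logon_Type": ["LogonType"],
}

# Only audit searches that actually target the Windows XML sourcetype.
SCOPE_RE = re.compile(r'sourcetype\s*=\s*"?XmlWinEventLog', re.IGNORECASE)

# Constructed sample savedsearches.conf (not from a real deployment).
SAMPLE_CONF = """\
[Brute force - many failures per target]
search = sourcetype=XmlWinEventLog EventCode=4625 \\
| stats count by Account_Name, Logon_Type \\
| where count > 20
cron_schedule = */15 * * * *

[Admin logon report]
search = sourcetype=XmlWinEventLog EventCode=4624 Logon_Type=10 | table _time, Target_Account_Name, Account_Name
disabled = 0

[Unrelated - Linux auth]
search = sourcetype=linux_secure "Failed password" | stats count by user
"""


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk .conf text into {stanza: {key: value}}.

    Handles '#' comments and trailing-backslash continuations, which Splunk
    uses and Python's configparser does not understand.
    """
    stanzas: Dict[str, Dict[str, str]] = {}
    current = "default"
    buf: List[str] = []  # physical lines joined by continuation

    def flush() -> None:
        if not buf:
            return
        line = "".join(buf)
        buf.clear()
        if "=" in line:
            key, _, value = line.partition("=")
            stanzas.setdefault(current, {})[key.strip()] = value.strip()

    for raw in text.splitlines():
        if buf:  # inside a continued value: keep content as-is
            buf.append(raw[:-1] if raw.endswith("\\") else raw)
            if not raw.endswith("\\"):
                flush()
            continue
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        buf.append(line[:-1] if line.endswith("\\") else line)
        if not line.endswith("\\"):
            flush()
    flush()
    return stanzas


def field_pattern(field: str) -> "re.Pattern[str]":
    # Token-level match: hits 'Account_Name' but not 'Target_Account_Name'
    # or 'Account_Name_2'. Field names are \w characters, so \w boundaries work.
    return re.compile(rf"(?<!\w){re.escape(field)}(?!\w)")


def audit_search(spl: str, field_map: Dict[str, List[str]] = FIELD_MAP) -> Tuple[str, List[str]]:
    """Return (rewritten_spl, notes).

    One-to-one mappings are applied. Ambiguous ones are left untouched and
    reported, because a script cannot know whether a given Account_Name meant
    the subject or the target of the event.
    """
    notes: List[str] = []
    for old, candidates in field_map.items():
        pat = field_pattern(old)
        hits = len(pat.findall(spl))
        if not hits:
            continue
        if len(candidates) == 1:
            spl = pat.sub(candidates[0], spl)
            notes.append(f"rewrote {old} -> {candidates[0]} ({hits}x)")
        else:
            notes.append(f"MANUAL: {old} ({hits}x) could be {' or '.join(candidates)}")
    return spl, notes


def audit_conf(text: str, field_map: Dict[str, List[str]] = FIELD_MAP) -> Dict[str, Tuple[str, List[str]]]:
    """Audit every in-scope 'search' key; returns stanza -> (new_spl, notes)
    for stanzas that reference at least one mapped field."""
    results: Dict[str, Tuple[str, List[str]]] = {}
    for stanza, keys in parse_conf(text).items():
        spl = keys.get("search")
        if spl is None or not SCOPE_RE.search(spl):
            continue
        new_spl, notes = audit_search(spl, field_map)
        if notes:
            results[stanza] = (new_spl, notes)
    return results


if __name__ == "__main__":
    for stanza, (spl, notes) in audit_conf(SAMPLE_CONF).items():
        print(f"[{stanza}]")
        for note in notes:
            print("   ", note)
        print("   ", spl)
```

Point it at `savedsearches.conf` under an app's `local` directory and treat the `MANUAL` lines as the real work list: a saved search whose field silently stops extracting after the upgrade still runs and still returns zero results, which is exactly the failure mode a detection engineer wants to catch before, not after, the add-on changes. The same token-level matching can be reused over `macros.conf`, dashboard XML and correlation search stanzas; the parser is the only Splunk-specific part.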

richardphung
Communicator

I am in the process of planning a v5 to v6 upgrade and have similar questions.
The key difference (and main sticking point) is that v6 has the MSAD v1 inputs built in. So you essentially combine any input stanzas into your local and shut down one TA in favor of a bundled TA. A good friend from the Splunk team also recommended disabling XML rendering due to performance degradation, but noted that this may change in the future.
*Following this thread.
