There were changes made in the Splunk Add-on for Windows in version 5.0 which are very different from past versions. With this change, some apps may have issues, such as the Exchange App, Windows Infrastructure app (certain versions), and possibly others. Consultants should be aware of these changes when deciding which version to use with a customer. Below are the Splunk Add-on For Microsoft Windows 5.0.0 changes related to WinEventLog Sourcetypes that may impact Winfra/Exchange/ITSI apps.
- Enhancing code robustness: clean up existing bugs, simplify maintainability, prepare add-on for further enhancements
- Improve performance
- Follow knowledge management best practices
- Remove any unsupported functionality, such as wildcard sourcetyping
- Produce well-structured code with a dedicated stanza per log format, instead of the previous mix
Index definitions were removed from the TA for 5.0. If your customer was depending on those configurations, be aware.
The Sourcetypes WinEventLog:Application
,WinEventLog:System
,WinEventLog:Security
will be defunct and all the WinEventLog
data will be populating in a common WinEventLog
Sourcetype.
Similarly the sourcetypes XMLWinEventLog:Application
,XMLWinEventLog:System
,XMLWinEventLog:Application
will be defunct and all WinEventLog Data in XML Format will be populated in a common XmlWinEventLog
sourcetype.
The log names (Security
,System
, Application
, etc.) can be distinguished by the source
field value.