@automine
Created January 29, 2019 00:54
Windows TA 5 Changes

Overview

Version 5.0 of the Splunk Add-on for Windows introduced changes that differ significantly from past versions. As a result, some apps may have issues, such as the Exchange App, the Windows Infrastructure app (certain versions), and possibly others. Consultants should be aware of these changes when deciding which version to use with a customer. Below are the Splunk Add-on for Microsoft Windows 5.0.0 changes related to WinEventLog sourcetypes that may impact the Windows Infrastructure (Winfra), Exchange and ITSI apps.

Why these changes were made

  1. Enhancing code robustness: clean up existing bugs, simplify maintainability, prepare add-on for further enhancements
  2. Improve performance
  3. Follow knowledge management best practices
  4. Remove any unsupported functionality, such as wildcard sourcetyping
  5. Produce well-structured code with a dedicated stanza per log format, instead of the previous mix

Changes to look out for

Indexes

Index definitions were removed from the TA in 5.0. If your customer was depending on the add-on to supply those index configurations, be aware that it no longer does.

Sourcetypes

The sourcetypes WinEventLog:Application, WinEventLog:System and WinEventLog:Security will be defunct, and all WinEventLog data will be populated in a common WinEventLog sourcetype. Similarly, the sourcetypes XMLWinEventLog:Application, XMLWinEventLog:System and XMLWinEventLog:Security will be defunct, and all WinEventLog data in XML format will be populated in a common XmlWinEventLog sourcetype. The log names (Security, System, Application, etc.) can be distinguished by the source field value.
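The practical consequence of this sourcetype collapse is that every saved search, alert or correlation rule that filters on a per-log sourcetype (for example sourcetype=WinEventLog:Security) silently returns nothing once the 5.0 add-on is deployed. The script below is an added example, not part of the gist or of the Splunk add-on; it finds such legacy filters in a set of SPL search strings and rewrites them to the common sourcetype plus a source filter. It assumes (not stated on this page) that the 5.0 source field value is the old per-log name, e.g. source="WinEventLog:Security" or source="XmlWinEventLog:Security"; the sample searches are constructed.

```python
import re
from typing import Dict, List

# Legacy per-log sourcetypes are collapsed into one sourcetype per format in
# Splunk Add-on for Windows 5.0. Assumption (not stated on the page): the 5.0
# source field carries the old per-log name, e.g. source="WinEventLog:Security".
_CANONICAL = {"wineventlog": "WinEventLog", "xmlwineventlog": "XmlWinEventLog"}

# Two spellings of a legacy sourcetype filter in SPL:
#   sourcetype="WinEventLog:Directory Service"   (quoted, may contain spaces)
#   sourcetype=XmlWinEventLog:Security           (bare, ends at whitespace or ')')
# Splunk compares sourcetype values case-insensitively, so the regex does too.
_LEGACY_RE = re.compile(
    r'sourcetype\s*=\s*(?:'
    r'"(?P<qprefix>xmlwineventlog|wineventlog):(?P<qlog>[^"]+)"'
    r'|(?P<prefix>xmlwineventlog|wineventlog):(?P<log>[^\s)]+)'
    r')',
    re.IGNORECASE,
)


def migrate_search(spl: str) -> str:
    """Rewrite legacy per-log sourcetype filters to the 5.0 sourcetype + source pair.

    Searches that already use the common sourcetype are left unchanged, so the
    function is safe to run repeatedly over the same content.
    """
    def repl(m: re.Match) -> str:
        prefix = (m.group("qprefix") or m.group("prefix")).lower()
        log = m.group("qlog") or m.group("log")
        canonical = _CANONICAL[prefix]
        # Always quote the source value: log names such as
        # "Directory Service" contain spaces.
        return f'sourcetype={canonical} source="{canonical}:{log}"'
    return _LEGACY_RE.sub(repl, spl)


def find_legacy_searches(searches: Dict[str, str]) -> List[str]:
    """Return the names of saved searches that still filter on a legacy sourcetype."""
    return sorted(name for name, spl in searches.items() if _LEGACY_RE.search(spl))


# Constructed sample saved searches; not taken from any real app.
SAMPLE_SEARCHES = {
    "failed_logons": 'index=wineventlog sourcetype=WinEventLog:Security EventCode=4625 | stats count by user',
    "sysmon_proc": 'sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1',
    "already_migrated": 'sourcetype=WinEventLog source="WinEventLog:System" EventCode=7036',
}

if __name__ == "__main__":
    for name in find_legacy_searches(SAMPLE_SEARCHES):
        print(f"{name}:")
        print(f"  before: {SAMPLE_SEARCHES[name]}")
        print(f"  after:  {migrate_search(SAMPLE_SEARCHES[name])}")
```

Run it over the search strings exported from savedsearches.conf (or from a detection-content repository) before upgrading, and review the rewritten searches rather than applying them blindly; a search that relied on the old sourcetype to select a specific index or props stanza may need more than a filter change.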
