Skip to content

Instantly share code, notes, and snippets.

@automine

automine/README.md

Created Jan 29, 2019
Embed
What would you like to do?
Windows TA 5 Changes

Windows TA 5 Changes

Overview

There were changes made in the Splunk Add-on for Windows in version 5.0 which are very different from past versions. With this change, some apps may have issues, such as the Exchange App, Windows Infrastructure app (certain versions), and possibly others. Consultants should be aware of these changes when deciding which version to use with a customer. Below are the Splunk Add-on For Microsoft Windows 5.0.0 changes related to WinEventLog Sourcetypes that may impact Winfra/Exchange/ITSI apps.

Why these changes were made

  1. Enhancing code robustness: clean up existing bugs, simplify maintainability, prepare add-on for further enhancements
  2. Improve performance
  3. Follow knowledge management best practices
  4. Remove any unsupported functionality, such as wildcard sourcetyping
  5. Produce well-structured code with a dedicated stanza per log format, instead of the previous mix

Changes to look out for

Indexes

Index definitions were removed from the TA for 5.0. If your customer was depending on those configurations, be aware.

Sourcetypes

The Sourcetypes WinEventLog:Application,WinEventLog:System,WinEventLog:Security will be defunct and all the WinEventLog data will be populating in a common WinEventLog Sourcetype. Similarly the sourcetypes XMLWinEventLog:Application,XMLWinEventLog:System,XMLWinEventLog:Application will be defunct and all WinEventLog Data in XML Format will be populated in a common XmlWinEventLog sourcetype. The log names (Security,System, Application, etc.) can be distinguished by the source field value.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.