Windows TA 5 Changes
There were changes made in the Splunk Add-on for Windows in version 5.0 which are very different from past versions. With this change, some apps may have issues, such as the Exchange App, Windows Infrastructure app (certain versions), and possibly others. Consultants should be aware of these changes when deciding which version to use with a customer. Below are the Splunk Add-on For Microsoft Windows 5.0.0 changes related to WinEventLog Sourcetypes that may impact Winfra/Exchange/ITSI apps.
Why these changes were made
- Enhancing code robustness: clean up existing bugs, simplify maintainability, prepare add-on for further enhancements
- Improve performance
- Follow knowledge management best practices
- Remove any unsupported functionality, such as wildcard sourcetyping
- Produce well-structured code with a dedicated stanza per log format, instead of the previous mix
Changes to look out for
Index definitions were removed from the TA for 5.0. If your customer was depending on those configurations, be aware.
WinEventLog:Security will be defunct and all the
WinEventLog data will be populating in a common
Similarly the sourcetypes
XMLWinEventLog:Application will be defunct and all WinEventLog Data in XML Format will be populated in a common
The log names (
Application, etc.) can be distinguished by the
source field value.