Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk_TA_Windows to be installed on Linux machines

amulay26
Path Finder
‎09-26-2018 08:40 PM

I am trying to get the windows events logs on Windows hosts by installing a forwarder and Splunk_TA_windows on windows machines.

  1. Do I need to install the the TA on the indexer which is a Linux host?
  2. Will the linux host be able to collect data?

Any help will be appreciated.

Thank you.

Tags (1)
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎09-27-2018 07:31 AM

Hello @amulay26,
You need to install TA_Windows on forwarder, indexer and search head all three layer.

  • Forwarder - You need to configure inputs.conf file for the data collection (
  • Indexer and Search Head - It is required for different purpose then the data collection. You must require TA_Windows on search head and indexer for the purpose of index time and search field extraction, index creation and lot more. On indexer data collection won't start so that will not be dependent on OS.

http://docs.splunk.com/Documentation/Splunk/7.1.3/Indexer/Indextimeversussearchtime (Field extraction)

0 Karma
Reply

deepashri_123
Motivator
‎09-26-2018 11:26 PM

Hey@amulay26,

Yes you need to install Splunk_TA_Windows on your indexer . It doesn't depend on the OS of the indexer.
Refer this link:
http://docs.splunk.com/Documentation/WindowsAddOn/5.0.0/User/Install

Let me know if this helps!!

Reply

kmorris_splunk
Splunk Employee
Splunk Employee
‎09-27-2018 07:20 AM

@deepashri_123 is correct. I think the docs make it a bit confusing on this. The only reason the indexers would need to be Windows, is if you were also ingesting locally on the indexers as well.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...