I want to create a custom Windows index to organize events from remote Windows machines. (I'll be using the Universal Forwarder.) If I create an index, say WinEvt, will Splunk for Windows break? If yes, how difficult is it to modify SfW to read my custom index? What other issues will I encounter?
I'd like the Windows index to improve performance. My other searches won't have to search through Windows related events to find UNIX or Cisco events. If I'm an idiot for doing this, please tell me.
I believe this would break the app. The last time I had a look at this, it was pretty clear that the windows app assumes index default (have a look at wmi.conf). I think you'd need to rewrite some or all of it. Others may know better, or it could have evolved past this when I wasn't looking, but I have checked the release notes for versions since 4.2.0 (which I use), and I see no changes in this area.
My 0.02 is that this is a poor design choice, and it should do what the unix app does and set up at least one custom index anyway, maybe more to separate the sometimes verbose and not very useful stuff that windows sends forth. This is very relevant to multi-platform shops where the unix and windows teams are usually distinct (and warring) fiefdoms, er, cost centres, and would make access control and storage management, among other things, a whole bunch easier.
However at this stage I'm not volunteering to do the rewrite 🙂
It's called the "Splunk Enterprise Security App".
Well devs, what happened? This app needs a rework.
It doesn't look like this was ever done; over 1 year later in 5.0.2 and there is not a single macro in the Windows app. Is this still on the roadmap? It's a pretty big annoyance for those of us in complex deployments who try very hard to limit usage of the main index.
Now, all the apps we put out use macros and eventtypes so that this thing doesn't happen. I will add this as a requirement for the next major release of the app.
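The custom-index setup this thread is debating, written out as an added example (this is not configuration from the Windows app or from any poster): the forwarder routes the event-log inputs to a dedicated index, the index is declared on the indexer, a macro replaces the hard-coded index in the app's searches, and a role is scoped to that index so the Windows team only sees Windows data. The index name `winevt` (lowercased, since Splunk index names may not contain uppercase letters), the macro name `windows_index` and the role name `windows_team` are assumptions.

```ini
# inputs.conf on the Universal Forwarder (constructed example).
# Each Windows event-log input is pointed at the custom index instead of
# the default "main"; any channel without an explicit index= still lands in main.
[WinEventLog://Security]
disabled = 0
index = winevt

[WinEventLog://System]
disabled = 0
index = winevt

[WinEventLog://Application]
disabled = 0
index = winevt

# indexes.conf on the indexer (constructed example).
# The index must exist before the forwarders start sending; events addressed
# to a non-existent index are dropped, so create this first and restart splunkd.
[winevt]
homePath   = $SPLUNK_DB/winevt/db
coldPath   = $SPLUNK_DB/winevt/colddb
thawedPath = $SPLUNK_DB/winevt/thaweddb

# macros.conf in the app's local/ directory (constructed example).
# Searches written as `windows_index` EventCode=4625 keep working when the
# index moves; only this one definition changes, not every saved search.
[windows_index]
definition = index=winevt

# authorize.conf (constructed example).
# Least privilege: the Windows team's role can search only the Windows index
# and defaults to it, so nothing from the UNIX or Cisco data is returned to them.
[role_windows_team]
importRoles        = user
srchIndexesAllowed = winevt
srchIndexesDefault = winevt
```

Before changing anything, check with `index=main sourcetype=WinEventLog*` that no Windows events are still arriving in the default index after the forwarder restart; any that do come from an input stanza that was not given the `index=` line.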