
Will a Custom Windows Index Break the Windows App?

I_am_Jeff
Communicator

I want to create a custom Windows index to organize events from remote Windows machines. (I'll be using the Universal Forwarder.) If I create an index, say WinEvt, will Splunk for Windows break? If yes, how difficult is it to modify SfW to read my custom index? What other issues will I encounter?

I'd like the Windows index to improve performance. My other searches won't have to search through Windows related events to find UNIX or Cisco events. If I'm an idiot for doing this, please tell me.

1 Solution

cmeo
Contributor

I believe this would break the app. The last time I had a look at this, it was pretty clear that the windows app assumes index default (have a look at wmi.conf). I think you'd need to rewrite some or all of it. Others may know better, or it could have evolved past this when I wasn't looking, but I have checked the release notes for versions since 4.2.0 (which I use), and I see no changes in this area.
My 0.02 is that this is a poor design choice, and it should do what the unix app does and set up at least one custom index anyway, maybe more to separate the sometimes verbose and not very useful stuff that windows sends forth. This is very relevant to multi-platform shops where the unix and windows teams are usually distinct (and warring) fiefdoms, er, cost centres, and would make access control and storage management, among other things, a whole bunch easier.

However at this stage I'm not volunteering to do the rewrite 🙂

sjscott
Explorer

It's called the "Splunk Enterprise Security App".

0 Karma

cmeo
Contributor

Well devs, what happened? This app needs a rework.

0 Karma

msarro
Builder

It doesn't look like this was ever done; over 1 year later in 5.0.2 and there is not a single macro in the Windows app. Is this still on the roadmap? It's a pretty big annoyance for those of us in complex deployments who try very hard to limit usage of the main index.

0 Karma

araitz
Splunk Employee

Now, all the apps we put out use macros and eventtypes so that this thing doesn't happen. I will add this as a requirement for the next major release of the app.
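A worked configuration for the setup the question asks about, the breakage cmeo's accepted answer describes, and the macro-based fix araitz mentions. This is an added example, not configuration from the original thread, from the Splunk for Windows app, or from Splunk; the index name `winevt`, the app directory `my_windows_app`, the macro `windows_index`, the eventtype `windows_security_events`, the saved search name and the role `role_windows_team` are all assumptions. The underlying behaviour is standard Splunk: a search that carries no `index=` term runs only against the role's default search indexes (`main` out of the box), so an app whose panels hard-code no index simply stops seeing data that has been routed to a custom index. Note also that Splunk index names must be lowercase, so `WinEvt` becomes `winevt`, and that the index has to be defined on every indexer before the forwarder starts sending to it.

```ini
# --- Universal Forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Send the Windows event log inputs to the custom index instead of "main".
# Splunk .conf files do not allow trailing comments, so comments sit on their own lines.
[WinEventLog://Application]
disabled = 0
index = winevt

[WinEventLog://System]
disabled = 0
index = winevt

[WinEventLog://Security]
disabled = 0
index = winevt

# --- Indexer: $SPLUNK_HOME/etc/system/local/indexes.conf ---
# The index must exist here first; events forwarded to an undefined index are not stored.
# Retention value below is a constructed example (90 days).
[winevt]
homePath   = $SPLUNK_DB/winevt/db
coldPath   = $SPLUNK_DB/winevt/colddb
thawedPath = $SPLUNK_DB/winevt/thaweddb
frozenTimePeriodInSecs = 7776000

# --- App: $SPLUNK_HOME/etc/apps/my_windows_app/local/macros.conf (hypothetical app) ---
# The single place that says where Windows data lives. Every search in the app
# calls `windows_index` instead of relying on the role's default index.
[windows_index]
definition = index=winevt

# --- App: eventtypes.conf ---
# Describes the shape of the data only; the index comes from the macro at search time.
[windows_security_events]
search = sourcetype=WinEventLog:Security

# --- App: savedsearches.conf ---
# Repointing the whole app to another index now means editing the macro definition,
# not every panel. EventCode 4625 is the Windows "failed logon" event.
[Windows failed logons by host]
search = `windows_index` eventtype=windows_security_events EventCode=4625 | stats count by host

# --- Search head: authorize.conf ---
# The separate index is what makes the access-control split cmeo describes cheap:
# this role can search winevt and nothing else, and finds it without typing index=.
[role_windows_team]
importRoles = user
srchIndexesAllowed = winevt
srchIndexesDefault = winevt
```

A quick check after deploying this is to run `` `windows_index` | stats count by sourcetype `` from the Windows team's role; if it returns rows while the app's own dashboards stay empty, the dashboards are still searching without an index term and need the macro added.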
