
Splunk App for Windows on *nix indexer/search heads

luo4
Engager

It says in "What a Splunk App for Windows deployment looks like" that "You can deploy the Splunk App for Windows on *nix search heads and use *nix indexers to index the data." In "How to deploy the Splunk App for Windows", we are told to install the Windows TA on our indexers. However, the "Windows TA documentation" says that it will not work properly installed on *nix systems. Sure enough, when I try to install the Windows TA on my Red Hat indexer, it does not appear as an app in Splunk Web. I am working with Windows App version 5.0.0 and Windows TA version 4.6.2.

I would like to have our Splunk for Windows App deployment use *nix for both the indexers and search heads; is this possible?

0 Karma
1 Solution

malmoore
Splunk Employee

Hi,

After further consultation with the engineers who develop the Windows TA, I need to amend my answer to your question. I apologize in advance for the inconvenience and confusion.

It turns out that you do indeed need to install the Splunk TA for Windows onto the *nix indexers in the central Splunk App for Windows instance. While the TA does not collect Windows data on *nix servers, it does perform index-time field extractions on the incoming Windows data from universal forwarders.

You won't see the Windows TA in your *nix indexer's Splunk Web app list because TAs by definition have no user interface.
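One way to confirm from the indexer's filesystem that an add-on is installed even though Splunk Web does not list it, as an added example that is not part of the original thread. It assumes add-ons live under `$SPLUNK_HOME/etc/apps`, that the Windows TA's folder is named `Splunk_TA_windows`, and that visibility is controlled by `is_visible` in the `[ui]` stanza of `app.conf`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): report whether an add-on exists on disk
# and whether its app.conf marks it as visible in Splunk Web.
# Usage (assumed paths): sh ta_status.sh "$SPLUNK_HOME/etc/apps" Splunk_TA_windows

# Print the lower-cased is_visible value from the [ui] stanza of one app.conf.
# Prints nothing if the file, the stanza or the key is absent.
ui_visible() {
    [ -f "$1" ] || return 0
    awk '
        # Track which stanza we are in; only [ui] is of interest.
        /^[ \t]*\[/ { in_ui = ($0 ~ /^[ \t]*\[ui\]/); next }
        in_ui && /^[ \t]*is_visible[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")   # drop "is_visible ="
            sub(/[ \t\r]+$/, "")       # drop trailing whitespace / CR
            print tolower($0)
            exit
        }' "$1"
}

# ta_status APPS_DIR APP_NAME
# Prints one of: missing | installed-hidden | installed-visible | installed-unset
ta_status() {
    app_dir="$1/$2"
    [ -d "$app_dir" ] || { echo "missing"; return 0; }
    # Settings in local/ take precedence over default/.
    v=$(ui_visible "$app_dir/local/app.conf")
    [ -n "$v" ] || v=$(ui_visible "$app_dir/default/app.conf")
    case "$v" in
        0|false) echo "installed-hidden" ;;
        1|true)  echo "installed-visible" ;;
        *)       echo "installed-unset" ;;
    esac
}

# Only act when called with both arguments, so sourcing the file is harmless.
if [ "$#" -eq 2 ]; then
    ta_status "$1" "$2"
fi
```

A result of `installed-hidden` means the add-on is on disk and simply not shown in the Splunk Web app list.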

