Has anyone tried upgrading Splunk_TA_Windows on the HFW/IDX, but keeping the "old" (4.8.3)?

a212830
Champion

We want to upgrade the Splunk_TA_Windows to the most recent version, but realized that it's only supported on versions 6.6+, and lots of our clients use 6.5.4. Has anyone tried upgrading the app on the HFW/IDX, but keeping the "old" (4.8.3) on the forwarders? We do not control installing the forwarders on the servers, so upgrading it is going to take some time.

muralikoppula
Communicator

We recently upgraded Splunk_TA_windows on all enterprise servers and clients to 5.0.1 from 4.8.3. We have a bunch of clients which were running 6.5.* and 6.6.* versions. So far we're not seeing any issues, and it also updates how source and sourcetypes are assigned to WinEventLog data.

For more details, please look here:

http://docs.splunk.com/Documentation/WindowsAddOn/5.0.1/User/Upgrade#WinEventLog_extraction_changes

WinEventLog extraction changes

The Splunk Add-on for Windows v5.0.x updates how source and sourcetypes are assigned to WinEventLog data.

Sourcetype changes for WinEventLog data

All WinEventLogs are assigned to either the WinEventLog or the XmlWinEventLog sourcetype and distinguished by their source.

| Version 4.8.4 and earlier source | Version 4.8.4 and earlier sourcetype | Version 5.0.x source | Version 5.0.x sourcetype |
|---|---|---|---|
| WinEventLog:System | WinEventLog:System | WinEventLog:System | WinEventLog |
| WinEventLog:Application | WinEventLog:Application | WinEventLog:Application | WinEventLog |
| WinEventLog:Security | WinEventLog:Security | WinEventLog:Security | WinEventLog |
| WinEventLog:System | XmlWinEventLog:System | XmlWinEventLog:System | XmlWinEventLog |
| WinEventLog:Application | XmlWinEventLog:Application | XmlWinEventLog:Application | XmlWinEventLog |
| WinEventLog:Security | XmlWinEventLog:Security | XmlWinEventLog:Security | XmlWinEventLog |

The sourcetypes WinEventLog:System, WinEventLog:Application, and WinEventLog:Security in the Splunk Add-on for Windows version 4.8.4 or earlier will remain the same for already indexed events. For newly indexed events from the Splunk Add-on for Windows version 5.0.x, the sourcetypes will be changed as shown in the table above.

Backwards compatibility for indexed events

Due to this change, events that have already been indexed will not be extracted properly, so add the appropriate stanzas to rename already indexed events at search time in props.conf.

For already indexed events you can modify your searches, alerts, dashboards, etc., by simply changing “sourcetype=WinEventLog:source” to “sourcetype=wineventlog” (case sensitive).

For new searches, alerts, dashboards, etc., use “source=WinEventLog:source” instead.

Hope this helps.
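The quoted documentation says to "add the appropriate stanzas to rename already indexed events at search-time in props.conf" without showing them. The following is an added example of those stanzas, not part of the answer above and not shipped with the add-on. It assumes the file is deployed to the search heads (and to any indexer you search directly), since `rename` is a search-time setting, and it maps the six pre-5.0 sourcetypes from the table onto the two 5.0.x names. This is useful for the mixed-fleet situation in the question: events from forwarders still on 4.8.3 and events from forwarders on 5.0.x then answer to the same sourcetype in searches.

```ini
# props.conf (search-time; place on search heads and on indexers you search directly).
# Added example, not from the Splunk Add-on for Windows itself.
#
# Each stanza names a sourcetype assigned by Splunk_TA_windows 4.8.4 and earlier
# and presents it at search time under the 5.0.x sourcetype name, so that
# "sourcetype=WinEventLog" (or "sourcetype=XmlWinEventLog") returns events
# indexed by old and new forwarder generations alike. The value stored in the
# index is not rewritten; the original name stays searchable as _sourcetype.

[WinEventLog:System]
rename = WinEventLog

[WinEventLog:Application]
rename = WinEventLog

[WinEventLog:Security]
rename = WinEventLog

[XmlWinEventLog:System]
rename = XmlWinEventLog

[XmlWinEventLog:Application]
rename = XmlWinEventLog

[XmlWinEventLog:Security]
rename = XmlWinEventLog
```

Two points worth checking before relying on this. First, for the non-XML events the `source` value is the same in both versions of the table, so a search such as `source=WinEventLog:Security sourcetype=WinEventLog` already matches events from both forwarder generations once the rename is in place. Second, for XML events the `source` value changed as well (`WinEventLog:System` became `XmlWinEventLog:System`), so source-based filters will not span both generations; the sourcetype rename is what keeps detections and dashboards covering the old and the new data during the transition.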
