Migrate your Windows saved searches to 3.3.x and later

Migrate your Windows saved searches to 3.3.x and later

Use the information in this topic if you are upgrading from a version of Splunk for Windows that is older than 3.3.

Some Splunk terminology for Windows-specific field names has changed or been added starting in version 3.3. These changes were made to better reflect commonly-used Windows terminology. As a result, you must migrate any existing saved searches you created in 3.2.x to use the new terminology. Splunk provides a script for you to do this.

The script backs up any saved searches that appear to contain the deprecated terms, and converts them to use the new terminology.

• You have the option of seeing a preview of what the script will change when you run it.
• If you are deploying to multiple servers, perhaps using automation of some kind, you can also skip the 5 second pause Splunk introduces by default to let you read the informational text that is displayed when you run the script by hand.

Run the migration script

To run the migration script without seeing a preview and with the 5 second pause, from $SPLUNK_HOME, run:

./splunk migrate win-searches

Optional parameters:

• To see a preview of the changes Splunk will make, use -dry-run true (the default is false).
• To skip the 5 second pause, use -no-wait true (the default is false).

What has changed

The following field names are new:

• Category
• EventType
• Message

The following field names have changed:

• evtlog_category -> CategoryString
• evtlog_id -> EventCode
• evtlog_severity -> Type
• evtlog_account -> User
• evtlog_domain -> ComputerName
• evtlog_sid -> Sid
• evtlog_sid_type -> SidType