By Splunk July 30, 2014
If you are a Windows admin and use Splunk then you’ve likely deployed Splunk_TA_windows on your endpoints. It’s a central method for handling Windows data and has all the extractions you need to handle Windows event logs. We’ve just released version 4.7.0. So what’s new and should you upgrade?
The first thing we did was we organized the data. The well considered best practice is to not put data in the default index. Yet here we were putting data in the default index. That has now changed. By default, we create three indices for you:
- perfmon is used for performance data
- wineventlog is used for event logs
- windows is used for everything else
This change will not affect you if you’ve been using a local inputs.conf file (as you should). However, new installations beware – this change requires that the indices be available on your indexing tier or you will get messages about indices missing.
The second thing we did was we turned off all the inputs. That’s right – Splunk_TA_windows no longer gathers data by default. There are many reasons for this, but the primary reason is that we license by data volume so we didn’t want you to be blowing out your license because we turned something on by default. Make the conscious decision on what to gather based on what you want to show off.
The third thing we did was make the data more CIM compliant. CIM compliance has always been a part of the Splunk_TA_windows for use with Enterprise Security. If you’ve looked at the Common Information Model recently you will have noticed that the CIM now encompasses more than just security – it adds many data models for IT/Operations usage. We’ve embraced this and as a result, the Windows data now will automagically appear in Enterprise Security and the data models that are implemented in the Common Information Model app. You can now use the Windows data in standardized data models like this:
Finally, we incorporated a lot of customer feedback. We can’t test on every Windows variant out there (although we do try to get as many common variants as we can), so sometimes we miss something and you tell us about it.
There is one thing to take note of going forward. Microsoft is marking Windows Server 2003, Vista and before as end of life on July 14th, 2015. As a result, we will also be de-supporting the field extractions for 3-digit windows security event logs, and we are deprecating them with this release. What does this mean? We will be separating the 3-digit field extractions into another app – we’ll call it TA-legacywindows or something like that. If you install the TA-legacywindows then everything happens as before – the extractions are just in a different app. We will remove the field extractions affected from Splunk_TA_windows some time after the end-of-life notice and after TA-legacywindows has been released. We will also bump that second digit again so you know something major has happened.
Needless to say, future versions of the Windows Infrastructure app, Exchange app and other apps for Microsoft technologies will rely on the updated TA.
Got requests, comments, or bugs with the Splunk_TA_windows – drop us an email at microsoft@splunk.com.