Legacy upgrade procedures¶
(Legacy) WinEventLog extraction changes¶
The Splunk Add-on for Windows v5.0.x changes how the source and sourcetype fields are assigned to WinEventLog data.
Sourcetype changes for WinEventLog data¶
All WinEventLogs are now assigned to either the WinEventLog or the XmlWinEventLog sourcetype and distinguished by their source.
| Version 4.8.4 and earlier source | Version 4.8.4 and earlier sourcetype | Version 5.0.x source | Version 5.0.x sourcetype |
|---|---|---|---|
| WinEventLog:System | WinEventLog:System | WinEventLog:System | WinEventLog |
| WinEventLog:Application | WinEventLog:Application | WinEventLog:Application | WinEventLog |
| WinEventLog:Security | WinEventLog:Security | WinEventLog:Security | WinEventLog |
| WinEventLog:System | XmlWinEventLog:System | XmlWinEventLog:System | XmlWinEventLog |
| WinEventLog:Application | XmlWinEventLog:Application | XmlWinEventLog:Application | XmlWinEventLog |
| WinEventLog:Security | XmlWinEventLog:Security | XmlWinEventLog:Security | XmlWinEventLog |
Note
The sourcetypes WinEventLog:System, WinEventLog:Application, and WinEventLog:Security in the Splunk Add-on for Windows version 4.8.4 or earlier will remain the same for already indexed events. For newly indexed events from the Splunk Add-on for Windows version 5.0.x, the sourcetypes will be changed as shown in the table on this page.
Backwards compatibility for indexed events¶
Because of this change, the add-on's search-time extractions no longer apply to events that were indexed before the upgrade, since those events still carry the old sourcetypes. If the following stanzas are not already present in the Backward Compatibility section of the add-on's props.conf, add them to local/props.conf so that already indexed events are renamed at search time:
[WinEventLog:Security]
rename = wineventlog
[WinEventLog:Application]
rename = wineventlog
[WinEventLog:System]
rename = wineventlog
[XmlWinEventLog:Security]
rename = xmlwineventlog
[XmlWinEventLog:Application]
rename = xmlwineventlog
[XmlWinEventLog:System]
rename = xmlwineventlog
Note
Renamed sourcetypes are case-sensitive.
Change sourcetype-based extractions to source-based¶
If you collected WinEventLog data for any custom data input in previous versions of the Splunk Add-on for Windows and you added one or more custom extractions in its sourcetype-based stanzas, you must convert the sourcetype-based configurations for your custom data inputs to source-based extractions.
Custom WinEventLog Input (Classic)¶
This example uses the following custom data input in /local/inputs.conf.
[WinEventLog://Windows PowerShell]
disabled = 0
index = main
renderXml=false
This custom data input has the following sourcetype-based stanza, [WinEventLog:Windows PowerShell], for field extraction in local/props.conf:
[WinEventLog:Windows PowerShell]
EVAL-custom_extraction = "Custom_Value"
In the Splunk Add-on for Windows version 5.0.x, you must rename the sourcetype-based stanza to its source-based equivalent. In this case, the source-based stanza in local/props.conf is [source::WinEventLog:Windows PowerShell]:
[source::WinEventLog:Windows PowerShell]
EVAL-custom_extraction = "Custom_Value"
Custom WinEventLog Input (XML)¶
This example uses the following custom data input in /local/inputs.conf.
[WinEventLog://Windows PowerShell]
disabled = 0
index = main
renderXml=true
This custom data input has the following sourcetype-based stanza, [XmlWinEventLog:Windows PowerShell], for field extraction in local/props.conf:
[XmlWinEventLog:Windows PowerShell]
EVAL-custom_extraction = "Custom_Value"
In the Splunk Add-on for Windows version 5.0.x, you must rename the sourcetype-based stanza to its source-based equivalent. For events that were indexed before the upgrade, the source is still WinEventLog:Windows PowerShell, so the source-based stanza in local/props.conf is [source::WinEventLog:Windows PowerShell]:
[source::WinEventLog:Windows PowerShell]
EVAL-custom_extraction = "Custom_Value"
In addition, the source of XML-mode events changes for events indexed after the upgrade to version 5.0.x. Add the same extraction to a second source-based stanza, [source::XmlWinEventLog:Windows PowerShell], in local/props.conf so that the extraction also applies to events indexed after the upgrade:
[source::XmlWinEventLog:Windows PowerShell]
EVAL-custom_extraction = "Custom_Value"
Note
Do not merge sourcetype-based stanzas containing custom extractions to the stanzas containing rename=wineventlog. You must convert the sourcetype-based stanzas containing custom extractions to source-based stanzas as mentioned on this page or your field extractions will not work.
Note
Events that have already been indexed will not be extracted properly due to this change. Convert the sourcetype-based configurations for your custom data inputs to source-based extractions.
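The following script carries out the conversion described in this section for a whole local/props.conf at once. It is an added example for this page, not code shipped with the Splunk Add-on for Windows; the sample props.conf content, including the Microsoft-Windows-PowerShell/Operational channel and its EXTRACT- setting, is constructed for illustration. It emits a [source::WinEventLog:<channel>] stanza for every sourcetype-based stanza that carries custom extractions, adds the [source::XmlWinEventLog:<channel>] stanza for XML-mode channels, and leaves the rename = wineventlog stanzas untouched, as the notes above require.

```python
"""Convert sourcetype-based WinEventLog extraction stanzas to source-based
stanzas for the Splunk Add-on for Windows 5.0.x.

Added example for this page, not code from the add-on. Assumes the custom
extractions live in [WinEventLog:<channel>] / [XmlWinEventLog:<channel>]
stanzas of a Splunk .conf file (INI-like text), as in the examples above.
"""
import configparser

# Search-time settings that must move to the source-based stanza. "rename"
# is deliberately absent: the rename = wineventlog stanzas stay
# sourcetype-based and must not be merged with custom extractions.
EXTRACTION_PREFIXES = ("EVAL-", "EXTRACT-", "REPORT-", "FIELDALIAS-", "LOOKUP-")


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    parser = configparser.ConfigParser(
        interpolation=None,  # values like "% Processor Time" contain '%'
        strict=False,        # Splunk tolerates repeated stanzas
        delimiters=("=",),   # ':' occurs inside stanza names and values
    )
    parser.optionxform = str  # keep key case: EVAL-x is not eval-x
    parser.read_string(text)
    return {name: dict(parser.items(name)) for name in parser.sections()}


def source_based_stanzas(props_text):
    """Map each needed [source::...] stanza to the extractions it must carry."""
    result = {}
    for stanza, settings in parse_conf(props_text).items():
        if stanza.startswith("XmlWinEventLog:"):
            channel, xml_mode = stanza[len("XmlWinEventLog:"):], True
        elif stanza.startswith("WinEventLog:"):
            channel, xml_mode = stanza[len("WinEventLog:"):], False
        else:
            continue
        extractions = {k: v for k, v in settings.items()
                       if k.startswith(EXTRACTION_PREFIXES)}
        if not extractions:
            continue  # e.g. a bare rename = wineventlog stanza: leave it alone
        # Events indexed before 5.0.x have source WinEventLog:<channel> in
        # both modes; XML events indexed after the upgrade have source
        # XmlWinEventLog:<channel>, so XML channels need both stanzas.
        targets = ["source::WinEventLog:" + channel]
        if xml_mode:
            targets.append("source::XmlWinEventLog:" + channel)
        for target in targets:
            result.setdefault(target, {}).update(extractions)
    return result


def render_props(stanzas):
    """Serialise converted stanzas as text for local/props.conf."""
    lines = []
    for name, settings in stanzas.items():
        lines.append(f"[{name}]")
        lines.extend(f"{key} = {value}" for key, value in settings.items())
        lines.append("")
    return "\n".join(lines)


# Constructed pre-5.0 local/props.conf sample; the second channel and its
# EXTRACT- setting are invented for illustration.
SAMPLE_PROPS = """\
[WinEventLog:Windows PowerShell]
EVAL-custom_extraction = "Custom_Value"

[XmlWinEventLog:Microsoft-Windows-PowerShell/Operational]
EXTRACT-script_block = ScriptBlock ID: (?<script_block_id>\\S+)

[WinEventLog:Security]
rename = wineventlog
"""

if __name__ == "__main__":
    print(render_props(source_based_stanzas(SAMPLE_PROPS)))
```

Review the output before appending it to local/props.conf: the script copies extractions verbatim, so an extraction that only made sense for the Classic event layout is copied into the XmlWinEventLog source stanza as well and may need its regular expression adjusted for the XML layout.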
(Legacy) Upgrade the Splunk Add-on for Windows from versions earlier than 5.0.1¶
If you are running a version of the Splunk Add-on for Windows earlier than 5.0.1, first upgrade to version 5.0.1. Then see Upgrade the Splunk Add-on for Windows to upgrade to version 6.0.0.
Upgrade from version 4.8.4 to version 5.0.1¶
The indexes.conf file was removed in the Splunk Add-on for Windows version 5.0.x, along with the index setting from all stanzas in inputs.conf, wmi.conf, and eventgen.conf.
Caution
If you miss the following steps, your Splunk platform will not have index configurations. This can result in data loss.
If you were using indexes.conf or any custom index to store your data in an earlier version of the Splunk Add-on for Windows, copy or create the windows, wineventlog, and perfmon stanzas from indexes.conf, and the index settings from inputs.conf, wmi.conf, and eventgen.conf, in your existing Splunk Add-on for Windows v4.8.4 /Splunk_TA_Windows/default/ folder to the corresponding files in the /Splunk_TA_Windows/local/ folder. Otherwise, all collected data goes to the default main index.
When you forward data from a Windows server using the Splunk Add-on for
Windows, the indexer you send the events to must also have these indexes
present. Install the add-on onto the indexer, and create a new
indexes.conf file in the /Splunk_TA_Windows/local/ directory. After
creating the indexes, specify these indexes in inputs.conf in the
/Splunk_TA_Windows/local/ directory.
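Before restarting after the upgrade, it is worth checking that every index local/inputs.conf references actually exists in local/indexes.conf, and listing the inputs that have no index setting at all (those fall back to main). The following script is an added example for this page, not part of the add-on; the inputs.conf and indexes.conf text in it is constructed, with stanza names taken from the examples on this page. The same check applies to the Configure Active Directory Indexes and Configure DNS indexes sections later on this page, which remove index settings in the same way.

```python
"""Check local/inputs.conf against local/indexes.conf before an upgrade.

Added example for this page, not part of the Splunk Add-on for Windows.
Assumes both files are Splunk .conf text; the sample content below is
constructed, with stanza names taken from the examples on this page.
"""
import re

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]")
INDEX_RE = re.compile(r"^[ \t]*index[ \t]*=[ \t]*(?P<name>\S+)")
# Indexes every Splunk Enterprise instance has; internal ones start with "_".
BUILTIN_INDEXES = {"main", "history", "summary"}


def stanzas(conf_text):
    """Yield (stanza name, body lines) for each stanza in .conf text."""
    name, body = None, []
    for line in conf_text.splitlines():
        match = STANZA_RE.match(line)
        if match:
            if name is not None:
                yield name, body
            name, body = match.group("name"), []
        elif name is not None:
            body.append(line)
    if name is not None:
        yield name, body


def index_of(body):
    """The index = <name> value of a stanza body, or None if unset."""
    for line in body:
        match = INDEX_RE.match(line)
        if match:
            return match.group("name")
    return None


def defined_indexes(indexes_conf):
    """Index names in indexes.conf; default and volume stanzas are not indexes."""
    return {name for name, _ in stanzas(indexes_conf)
            if name != "default" and not name.startswith(("volume:", "provider"))}


def inputs_without_index(inputs_conf):
    """Input stanzas with no index setting: their data lands in main."""
    return [name for name, body in stanzas(inputs_conf)
            if name != "default" and index_of(body) is None]


def missing_indexes(inputs_conf, indexes_conf):
    """Map each index that inputs reference but indexes.conf does not define
    to the input stanzas using it. An indexer drops events for an index it
    does not have (unless lastChanceIndex is set), which is the data-loss
    case the caution above describes."""
    defined = defined_indexes(indexes_conf)
    missing = {}
    for name, body in stanzas(inputs_conf):
        index = index_of(body)
        if index is None or index in BUILTIN_INDEXES or index.startswith("_"):
            continue
        if index not in defined:
            missing.setdefault(index, []).append(name)
    return missing


# Constructed samples: one input points at an index the indexes.conf lacks,
# and one has no index setting at all.
SAMPLE_INPUTS = """\
[WinEventLog://Security]
disabled = 0
index = wineventlog
renderXml = true

[perfmon://Processor]
object = Processor
counters = % Processor Time
instances = *
interval = 10
index = perfmon

[monitor://$WINDIR\\System32\\DHCP]
index = windows
sourcetype = DhcpSrvLog

[WinEventLog://Application]
disabled = 0
"""

SAMPLE_INDEXES = """\
[wineventlog]
homePath = $SPLUNK_DB/wineventlog/db
coldPath = $SPLUNK_DB/wineventlog/colddb
thawedPath = $SPLUNK_DB/wineventlog/thaweddb

[perfmon]
homePath = $SPLUNK_DB/perfmon/db
coldPath = $SPLUNK_DB/perfmon/colddb
thawedPath = $SPLUNK_DB/perfmon/thaweddb
"""

if __name__ == "__main__":
    for index, users in missing_indexes(SAMPLE_INPUTS, SAMPLE_INDEXES).items():
        print(f"index {index!r} is not defined; used by {', '.join(users)}")
    for name in inputs_without_index(SAMPLE_INPUTS):
        print(f"{name!r} has no index setting and will write to main")
```

Run it against the local/ folder of the forwarder and against the local/ folder of the indexer separately: the forwarder's inputs.conf decides where data is addressed, but only the indexes.conf on the indexer decides whether that index exists.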
Configure users and roles¶
The authorize.conf file was removed in the Splunk Add-on for Windows v5.0.0. If you want other users in your organization to search the collected data, copy the windows_admin role from authorize.conf in your existing Splunk Add-on for Windows v4.8.4 /Splunk_TA_Windows/default/ folder to authorize.conf in the /Splunk_TA_Windows/local/ folder, and assign the role to the users who need search access. Any user with this role can search the following indexes:
- windows: For DHCP, Windows Update logs, Windows network, host, printer, and Registry monitoring.
- wineventlog: For all Windows Event Log channels.
- perfmon: For all Windows Performance Monitoring events.
Upgrade saved searches¶
Because of the source and sourcetype changes for WinEventLog data, saved searches that still filter on the old sourcetype names no longer match. Search by source instead, or use the event types the add-on provides:
| Event type | Sourcetypes it replaces | Search |
|---|---|---|
| wineventlog_windows | WinEventLog:*, XmlWinEventLog:* | eventtype=wineventlog_application OR eventtype=wineventlog_system OR eventtype=wineventlog_security |
| wineventlog_application | WinEventLog:Application, XmlWinEventLog:Application | source=WinEventLog:Application OR source=WMI:WinEventLog:Application OR source=XmlWinEventLog:Application |
| wineventlog_system | WinEventLog:System, XmlWinEventLog:System | source=WinEventLog:System OR source=WMI:WinEventLog:System OR source=XmlWinEventLog:System |
| wineventlog_security | WinEventLog:Security, XmlWinEventLog:Security | source=WinEventLog:Security OR source=WMI:WinEventLog:Security OR source=XmlWinEventLog:Security |
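To update saved searches in bulk rather than one at a time, the following function rewrites any sourcetype=WinEventLog:<channel> or sourcetype=XmlWinEventLog:<channel> filter in an SPL string into the source-based OR clause from the table above. It is an added example for this page, not code from the add-on; the sample searches are constructed, and the function is written to run on the search = value of a savedsearches.conf stanza or any other SPL string.

```python
"""Rewrite saved searches that filter on pre-5.0 WinEventLog sourcetypes
so they filter on source instead.

Added example for this page, not code from the add-on. Works on SPL strings
such as the search = value of a savedsearches.conf stanza; the sample
searches are constructed.
"""
import re

# Matches sourcetype=WinEventLog:Security, sourcetype="XmlWinEventLog:Windows PowerShell"
# and sourcetype=WinEventLog:*, but not the new bare sourcetype=WinEventLog.
OLD_SOURCETYPE_RE = re.compile(
    r'sourcetype\s*=\s*(?:"(?P<quoted>(?:Xml)?WinEventLog:[^"]+)"'
    r'|(?P<bare>(?:Xml)?WinEventLog:[^\s)|]+))',
    re.IGNORECASE,
)

# Classic, WMI-collected and XML events of one channel, as in the table above.
SOURCE_PREFIXES = ("WinEventLog:", "WMI:WinEventLog:", "XmlWinEventLog:")


def source_clause(channel):
    """Source-based equivalent of one old sourcetype. Values are quoted so
    channel names with spaces stay valid SPL."""
    return "(" + " OR ".join(f'source="{p}{channel}"' for p in SOURCE_PREFIXES) + ")"


def rewrite_search(spl):
    """Replace every old WinEventLog sourcetype filter in an SPL string."""
    def replace(match):
        old = match.group("quoted") or match.group("bare")
        channel = old.split(":", 1)[1]  # "WinEventLog:Security" -> "Security"
        return source_clause(channel)
    return OLD_SOURCETYPE_RE.sub(replace, spl)


# Constructed saved searches, before conversion.
SAMPLE_SEARCHES = {
    "failed_logons": "index=wineventlog sourcetype=WinEventLog:Security EventCode=4625 | stats count by user",
    "ps_activity": 'index=wineventlog sourcetype="XmlWinEventLog:Windows PowerShell" | head 100',
    "already_new": "index=wineventlog sourcetype=WinEventLog EventCode=4688 | head 1",
}

if __name__ == "__main__":
    for name, spl in SAMPLE_SEARCHES.items():
        print(f"[{name}]\nsearch = {rewrite_search(spl)}\n")
```

The rewrite only touches sourcetype filters whose value contains a colon, so searches already written against the new WinEventLog and XmlWinEventLog sourcetypes pass through unchanged; a filter such as sourcetype!=WinEventLog:Security is not matched either and needs to be handled by hand.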
(Legacy) Upgrade the Splunk Add-on for Windows version 6.0.0¶
Caution
Version 6.0.0 of the Splunk Add-on for Windows integrates the Splunk Add-on for Microsoft AD version 1.0.0 and the Splunk Add-on for Microsoft DNS version 1.0.1. If you are using these other add-ons, disable the add-ons before upgrading to version 6.0.0 of the Splunk Add-on for Windows.
Upgrade from version 5.0.1 to 6.0.0¶
Caution
If you are using a version of the Splunk Add-on for Windows earlier than 5.0.1, first upgrade to version 5.0.1 as described in the previous topic. Then complete the following steps to upgrade to version 6.0.0.
Note
See the corresponding sections that follow if you are migrating from the Splunk Add-on for Microsoft Active Directory or the Splunk Add-on for Microsoft Windows DNS to the Splunk Add-on for Microsoft Windows 6.0.0.
WindowsUpdate.log changes for Windows 10 and Windows Server 2016¶
In previous versions of the Splunk Add-on for Windows, you had to run the Get-WindowsUpdateLog PowerShell cmdlet manually at regular intervals to convert the ETW traces into a readable WindowsUpdate.log file, and manually update the monitored path to index the data.
Version 6.0.0 of the Splunk Add-on for Windows automates this process:
- (Only on Windows 10 or Windows Server 2016) Disable the current WindowsUpdateLog input.
- Copy the following stanza from default/inputs.conf to local/inputs.conf to generate a daily WindowsUpdate.log file in $SPLUNK_HOME\var\log\Splunk_TA_windows:
[powershell://generate_windows_update_logs]
script = ."$SplunkHome\etc\apps\Splunk_TA_windows\bin\powershell\generate_windows_update_logs.ps1"
schedule = 0 */24 * * *
disabled = 1
- Copy the following stanza from default/inputs.conf to local/inputs.conf to monitor the generated WindowsUpdate.log on Windows 10 and Windows Server 2016:
[monitor://$SPLUNK_HOME\var\log\Splunk_TA_windows\WindowsUpdate.log]
disabled = 1
sourcetype = WindowsUpdateLog
- Enable both inputs by setting disabled = 0.
Note
The WindowsUpdate.log file is generated in $SPLUNK_HOME\var\log\Splunk_TA_windows.
Change WinEventLog collection mode¶
Previous versions of the Splunk Add-on for Windows collected WinEventLog inputs in Classic mode. By default, version 6.0.0 of the Splunk Add-on for Windows collects all WinEventLog inputs in XML mode.
To keep collecting WinEventLog inputs in Classic mode after upgrading to version 6.0.0 of the Splunk Add-on for Windows, follow these steps:
- Create a local copy of the existing [WinEventLog://*] stanzas in local/inputs.conf.
- For each stanza, add renderXml = false.
Here is an example WinEventLog Application input stanza configured to continue collecting data in Classic mode:
[WinEventLog://Application]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = false
If you want to stop data collection of WinEventLog data inputs in
Classic mode and start using XML mode, change the existing WinEventLog
stanzas in local/inputs.conf to renderXml = true.
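The following script produces the local/inputs.conf content for this procedure from the add-on's default/inputs.conf: it copies every stanza whose name starts with a given prefix and pins one setting on it, replacing any existing value. It is an added example for this page, not code shipped with the add-on, and it generalizes beyond this section: the same call with "perfmon://", "mode" and "single" produces the local copies that the Perfmon sections for the migrated Active Directory and DNS inputs describe further down this page. The default stanzas in the sample are constructed from the examples on this page.

```python
"""Produce local/inputs.conf stanzas that pin one setting on a family of
inputs, e.g. renderXml = false on every [WinEventLog://*] stanza or
mode = single on every [perfmon://*] stanza.

Added example for this page, not code from the Splunk Add-on for Windows.
Assumes the add-on's default/inputs.conf is available as text; the sample
default stanzas below are constructed from the examples on this page.
"""
import re


def split_stanzas(conf_text):
    """Split .conf text into chunks, each starting at a [stanza] header.
    Anything before the first header (comments) is discarded."""
    chunks = re.split(r"(?m)^(?=\[)", conf_text)
    return [c for c in chunks if c.startswith("[")]


def pin_setting(default_conf, stanza_prefix, key, value):
    """Copy every stanza whose name starts with stanza_prefix and set
    key = value on it, replacing any existing line for that key. Stanzas
    that do not match are left out so nothing else in default/ is shadowed.
    Returns the text to put in local/inputs.conf."""
    existing_key = re.compile(rf"(?m)^[ \t]*{re.escape(key)}[ \t]*=.*\n?")
    out = []
    for chunk in split_stanzas(default_conf):
        header, _, body = chunk.partition("\n")
        if not header.startswith("[" + stanza_prefix):
            continue
        body = existing_key.sub("", body).rstrip("\n")
        lines = [header] + ([body] if body else []) + [f"{key} = {value}", ""]
        out.append("\n".join(lines))
    return "\n".join(out)


# Constructed default/inputs.conf excerpt (6.0.0 defaults: XML and multikv).
SAMPLE_DEFAULT = """\
[WinEventLog://Application]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = true

[WinEventLog://Security]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = true

[perfmon://Processor]
object = Processor
counters = % Processor Time; % User Time
instances = *
interval = 10
disabled = 1
mode = multikv
useEnglishOnly=true
"""

if __name__ == "__main__":
    # Classic mode for all WinEventLog inputs, single mode for all perfmon inputs.
    print(pin_setting(SAMPLE_DEFAULT, "WinEventLog://", "renderXml", "false"))
    print(pin_setting(SAMPLE_DEFAULT, "perfmon://", "mode", "single"))
```

The copies keep disabled = 1 exactly as it appears in default/inputs.conf, so set disabled = 0 on the inputs you want to run. Review the output before deploying it: every stanza copied into local/ shadows future changes to the same stanza in default/, which is why the script copies only the stanzas it actually modifies.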
Migrate from the Splunk Add-on for Microsoft Windows Active Directory (AD) version 1.0.0 to the Splunk Add-on for Windows version 6.0.0¶
To migrate from the Splunk Add-on for Microsoft Windows Active Directory, complete the following sections.
Configure Active Directory Inputs¶
- Make sure all the inputs of the Splunk Add-on for Microsoft Windows AD are disabled in inputs.conf, admon.conf, and perfmon.conf, since these inputs are also in the Splunk Add-on for Windows version 6.0.0.
- Disable the Splunk Add-on for Microsoft Windows AD.
- Move Splunk_TA_microsoft_ad from $SPLUNK_HOME/etc/apps to $SPLUNK_HOME/etc/disabled-apps.
- Copy the following input stanzas from Splunk_TA_Windows/default/inputs.conf to Splunk_TA_Windows/local/inputs.conf:
- [WinEventLog://DFS Replication]
- [WinEventLog://Directory Service]
- [WinEventLog://File Replication Service]
- [WinEventLog://Key Management Service]
- [monitor://$WINDIR\debug\netlogon.log]
- [script://.\bin\runpowershell.cmd nt6-repl-stat.ps1]
- [powershell://Replication-Stats]
- [script://.\bin\runpowershell.cmd nt6-health.ps1]
- [powershell://AD-Health]
- [script://.\bin\runpowershell.cmd nt6-siteinfo.ps1]
- [powershell://Siteinfo]
- [perfmon://Memory]
- [perfmon://Processor]
- [perfmon://Network_Interface]
- [perfmon://DFS_Replicated_Folders]
- [perfmon://NTDS]
- [admon://default]
- Make sure there are no duplicate stanzas in inputs.conf after migration.
- Update index configurations as described in Configure Active Directory Indexes.
- To continue to collect perfmon data in single mode, see Changed default Perfmon data collection mode to multikv from single for AD Perfmon inputs.
- To continue to collect wineventlog data in classic format, see Changed default WinEventLog data collection mode to XML from classic for AD Inputs.
- Enable the Active Directory inputs in Splunk_TA_Windows/local/inputs.conf.
Configure Active Directory Indexes¶
The indexes.conf file of the Splunk Add-on for Microsoft Windows AD 1.0.0 is not in the Splunk Add-on for Windows version 6.0.0, nor is the index setting in any inputs.conf stanza.
Caution
Missing the following steps means your Splunk platform deployment will not have index configurations. This can result in data loss.
- If you were using indexes.conf or any custom index to store your data in the Splunk Add-on for Microsoft AD 1.0.0, copy or create the msad, wineventlog, perfmon, winevents, and windows stanzas from the indexes.conf and inputs.conf files in your existing Splunk Add-on for Microsoft Windows AD version 1.0.0 /Splunk_TA_microsoft_ad/default/ folder to the Splunk Add-on for Windows version 6.0.0 /Splunk_TA_Windows/local/ folder. Update the index configurations for these Active Directory inputs based on your existing configurations. Otherwise, any data collected goes to the default main index.
- When you forward data from a Windows server using the Splunk Add-on for Windows, the indexer you send events to must also have these indexes present. Install the add-on onto the indexer, and create a new indexes.conf file in the /Splunk_TA_Windows/local/ directory. After creating the indexes, specify these indexes in inputs.conf in the /Splunk_TA_Windows/local/ directory.
- Make sure there are no duplicate stanzas in indexes.conf.
Changed default Perfmon data collection mode to multikv from single for AD Perfmon inputs¶
The Splunk Add-on for Windows version 6.0.0 collects Perfmon data in multikv mode by default. Multikv mode, which has benefits over single mode, uses a different event format than single mode.
To use multikv mode for the migrated AD Perfmon inputs, set mode = multikv on all required stanzas:
- Create a local copy of all the existing [perfmon://*] stanzas in local/inputs.conf.
- For each stanza, add the line mode = multikv.
To keep collecting Perfmon data in the single-mode event format after migrating to the Splunk Add-on for Windows 6.0.0, follow these steps:
- Create a local copy of all the existing AD [perfmon://*] stanzas from Splunk_TA_Windows/default/inputs.conf to Splunk_TA_Windows/local/inputs.conf.
- For each stanza, add the line mode = single.
The following is an example [perfmon://Processor] stanza that continues to collect Processor perfmon data in single mode:
[perfmon://Processor]
object = Processor
counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
instances = *
interval = 10
disabled = 1
mode = single
useEnglishOnly=true
Changed default WinEventLog data collection mode to XML from classic for AD inputs¶
All WinEventLog inputs in the Splunk Add-on for Windows version 6.0.0 use XML mode by default.
To keep collecting the migrated AD WinEventLog inputs in Classic mode after upgrading to the Splunk Add-on for Windows 6.0.0, follow these steps:
- Create a local copy of all the existing AD [WinEventLog://*] stanzas from Splunk_TA_Windows/default/inputs.conf to Splunk_TA_Windows/local/inputs.conf.
- For each stanza, add the line renderXml = false.
Here is an example WinEventLog Application input stanza that continues collecting data in Classic mode:
[WinEventLog://Application]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=false
If you want to stop data collection of WinEventLog data inputs in
existing classic mode and to use XML mode, change the existing
WinEventLog stanzas in local/inputs.conf to "renderXml = true".
Configuration file changelog for Windows 6.0.0 and AD 1.0.0¶
Here is a changelog for Microsoft Active Directory 1.0.0 after migrating to Windows 6.0.0:
| Configuration File Name | Name of stanza removed |
|---|---|
| perfmon.conf | all |
| admon.conf | all |
| indexes.conf | all |
| inputs.conf | [admon://NearestDC] |
WinEventLog extraction changes for Active Directory sources¶
The Splunk Add-on for Windows v6.0.0 updates how source and sourcetypes are assigned to WinEventLog data for AD collection. All WinEventLogs are now assigned to either the WinEventLog or the XmlWinEventLog sourcetype and are distinguished by their source.
| WinEventLog format | Source in AD 1.0.0 | Sourcetype in AD 1.0.0 | Source in Windows 6.0.0 | Sourcetype in Windows 6.0.0 |
|---|---|---|---|---|
| Classic | WinEventLog:DFS Replication | WinEventLog:DFS-Replication | WinEventLog:DFS Replication | WinEventLog |
| Classic | WinEventLog:Directory Service | WinEventLog:Directory-Service | WinEventLog:Directory Service | WinEventLog |
| Classic | WinEventLog:File Replication Service | WinEventLog:File-Replication-Service | WinEventLog:File Replication Service | WinEventLog |
| Classic | WinEventLog:Key Management Service | WinEventLog:Key-Management-Service | WinEventLog:Key Management Service | WinEventLog |
| XML | WinEventLog:DFS Replication | WinEventLog:DFS-Replication | XmlWinEventLog:DFS Replication | XmlWinEventLog |
| XML | WinEventLog:Directory Service | WinEventLog:Directory-Service | XmlWinEventLog:Directory Service | XmlWinEventLog |
| XML | WinEventLog:File Replication Service | WinEventLog:File-Replication-Service | XmlWinEventLog:File Replication Service | XmlWinEventLog |
| XML | WinEventLog:Key Management Service | WinEventLog:Key-Management-Service | XmlWinEventLog:Key Management Service | XmlWinEventLog |
Because of these changes, events that have already been indexed are no longer extracted properly. The following renaming stanzas ship with the Splunk Add-on for Windows 6.0.0 to rename your already indexed Classic-mode events at search time:
[WinEventLog:DFS-Replication]
rename = wineventlog
[WinEventLog:Directory-Service]
rename = wineventlog
[WinEventLog:File-Replication-Service]
rename = wineventlog
[WinEventLog:Key-Management-Service]
rename = wineventlog
If you collected WinEventLog data in XML format with the Splunk Add-on for Microsoft Windows AD 1.0.0, add the following stanzas to /Splunk_TA_windows/local/props.conf to rename your already indexed XML WinEventLog events at search time:
[WinEventLog:DFS-Replication]
rename = xmlwineventlog
[WinEventLog:Directory-Service]
rename = xmlwineventlog
[WinEventLog:File-Replication-Service]
rename = xmlwineventlog
[WinEventLog:Key-Management-Service]
rename = xmlwineventlog
Note
Renamed sourcetypes are case sensitive.
Change sourcetype-based extractions to source-based (Active Directory)¶
If you added custom extractions to a sourcetype-based stanza of the Splunk Add-on for Microsoft Windows AD, see Change sourcetype-based extractions to source-based above for how to convert them.
Move any other custom configurations from TA-AD 1.0.0 to TA-Windows 6.0.0¶
Copy any other custom configurations from /Splunk_TA_microsoft_ad/ to
/Splunk_TA_windows/ in appropriate configuration files.
Migrate custom configurations of perfmon.conf (Active Directory)¶
The Splunk Add-on for Windows has no perfmon.conf. If you customized perfmon.conf in the Splunk Add-on for Microsoft Windows AD, copy those customizations into the corresponding [perfmon://...] stanzas in /Splunk_TA_windows/local/inputs.conf.
Migrate custom configurations of admon.conf¶
The Splunk Add-on for Windows version 6.0.0 has no admon.conf. If you customized the [NearestDC] stanza of admon.conf in the Splunk Add-on for Microsoft Windows AD, copy those customizations into the [admon://default] stanza in /Splunk_TA_windows/local/inputs.conf.
Migrate from the Splunk Add-on for Microsoft Windows DNS to the Splunk Add-on for Windows version 6.0.0¶
To migrate from the Splunk Add-on for Microsoft Windows DNS, complete the following sections.
Configure DNS inputs¶
- Make sure all the inputs of the Splunk Add-on for Microsoft DNS are disabled in inputs.conf and perfmon.conf, since these inputs are also in the Splunk Add-on for Windows version 6.0.0.
- Disable the Splunk Add-on for Microsoft DNS.
- Move Splunk_TA_microsoft_dns from $SPLUNK_HOME/etc/apps to $SPLUNK_HOME/etc/disabled-apps.
- Copy the following input stanzas from Splunk_TA_Windows/default/inputs.conf to Splunk_TA_Windows/local/inputs.conf:
- [WinEventLog://DNS Server]
- [MonitorNoHandle://$WINDIR\System32\Dns\dns.log]
- [script://.\bin\runpowershell.cmd dns-zoneinfo.ps1]
- [script://.\bin\runpowershell.cmd dns-health.ps1]
- [perfmon://Memory]
- [perfmon://Processor]
- [perfmon://Network_Interface]
- [perfmon://DNS]
- Make sure there are no duplicate stanzas in inputs.conf after migration.
- Update index configurations as described in Configure DNS indexes.
- To continue to collect perfmon data in single mode, see Changed default Perfmon data collection mode to multikv from single for DNS Perfmon inputs.
- To continue to collect wineventlog data in classic format, see Changed default WinEventLog data collection mode to XML from classic for DNS Inputs.
- Enable the DNS inputs in Splunk_TA_Windows/local/inputs.conf.
Configure DNS indexes¶
The indexes.conf file of the Splunk Add-on for Microsoft DNS 1.0.1 is not in the Splunk Add-on for Windows version 6.0.0, nor is the index setting in any inputs.conf stanza.
Caution
You must complete the following steps to create index configurations in your Splunk platform deployment and to avoid data loss.
- If you were using indexes.conf or any custom index to store your data in the Splunk Add-on for Microsoft DNS 1.0.1, copy or create the msad, wineventlog, perfmon, winevents, and windows stanzas from the indexes.conf and inputs.conf files in your existing Splunk Add-on for Microsoft DNS version 1.0.1 /Splunk_TA_microsoft_dns/default/ folder to the Splunk Add-on for Windows version 6.0.0 /Splunk_TA_Windows/local/ folder. Update the index configurations for these DNS inputs based on your existing configurations. Otherwise, any data collected goes to the default main index.
- When you forward data from a Windows server using the Splunk Add-on for Windows, the indexer you send events to must also have these indexes present. Install the add-on onto the indexer, and create a new indexes.conf file in the /Splunk_TA_Windows/local/ directory. After creating the indexes, specify these indexes in inputs.conf in the /Splunk_TA_Windows/local/ directory.
- Make sure there are no duplicate stanzas in indexes.conf.
Changed default Perfmon data collection mode to multikv from single for DNS Perfmon inputs¶
The Splunk Add-on for Windows version 6.0.0 collects Perfmon data in multikv mode by default. Multikv mode, which has benefits over single mode, uses a different event format than single mode.
To use multikv mode for the migrated DNS Perfmon inputs, set mode = multikv on all required stanzas:
- Create a local copy of all the existing [perfmon://*] stanzas in your local/inputs.conf file.
- For each stanza, add the line mode = multikv.
To keep collecting Perfmon data in the single-mode event format after migrating to the Splunk Add-on for Windows 6.0.0, follow these steps:
- Create a local copy of all the existing DNS [perfmon://*] stanzas from Splunk_TA_Windows/default/inputs.conf to Splunk_TA_Windows/local/inputs.conf.
- For each stanza, add the line mode = single.
The following is an example [perfmon://DNS] stanza that continues to collect DNS perfmon data in single mode:
[perfmon://DNS]
object = DNS
counters = Total Query Received; Total Query Received/sec; UDP Query Received; UDP Query Received/sec; TCP Query Received; TCP Query Received/sec; Total Response Sent; Total Response Sent/sec; UDP Response Sent; UDP Response Sent/sec; TCP Response Sent; TCP Response Sent/sec; Recursive Queries; Recursive Queries/sec; Recursive Send TimeOuts; Recursive TimeOut/sec; Recursive Query Failure; Recursive Query Failure/sec; Notify Sent; Zone Transfer Request Received; Zone Transfer Success; Zone Transfer Failure; AXFR Request Received; AXFR Success Sent; IXFR Request Received; IXFR Success Sent; Notify Received; Zone Transfer SOA Request Sent; AXFR Request Sent; AXFR Response Received; AXFR Success Received; IXFR Request Sent; IXFR Response Received; IXFR Success Received; IXFR UDP Success Received; IXFR TCP Success Received; WINS Lookup Received; WINS Lookup Received/sec; WINS Response Sent; WINS Response Sent/sec; WINS Reverse Lookup Received; WINS Reverse Lookup Received/sec; WINS Reverse Response Sent; WINS Reverse Response Sent/sec; Dynamic Update Received; Dynamic Update Received/sec; Dynamic Update NoOperation; Dynamic Update NoOperation/sec; Dynamic Update Written to Database; Dynamic Update Written to Database/sec; Dynamic Update Rejected; Dynamic Update TimeOuts; Dynamic Update Queued; Secure Update Received; Secure Update Received/sec; Secure Update Failure; Database Node Memory; Record Flow Memory; Caching Memory; UDP Message Memory; TCP Message Memory; Nbstat Memory; Unmatched Responses Received
interval = 10
disabled = 0
mode = single
useEnglishOnly=true
Changed default WinEventLog data collection mode to XML from classic for DNS Inputs¶
All WinEventLog inputs in the Splunk Add-on for Windows version 6.0.0 use XML mode by default.
To keep collecting the migrated DNS WinEventLog inputs in Classic mode after upgrading to the Splunk Add-on for Windows 6.0.0, follow these steps:
- Create a local copy of all the existing DNS [WinEventLog://*] stanzas from Splunk_TA_Windows/default/inputs.conf to Splunk_TA_Windows/local/inputs.conf.
- For each stanza, add the line renderXml = false.
Here is an example WinEventLog Application input stanza that continues collecting data in Classic mode:
[WinEventLog://Application]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=false
If you want to stop data collection of WinEventLog data inputs in
existing classic mode and to use XML mode, change the existing
WinEventLog stanzas in local/inputs.conf to "renderXml = true".
Configuration file changelog for Windows 6.0.0 and DNS 1.0.1¶
Here is a changelog for DNS 1.0.1 after migrating to Windows 6.0.0:
| Configuration File Name | Name of stanza removed |
|---|---|
| perfmon.conf | all |
| indexes.conf | all |
| tags.conf | [eventtype=nt6-dns-events] |
WinEventLog extraction changes for DNS sources¶
The Splunk Add-on for Windows version 6.0.0 updates how source and sourcetypes are assigned to WinEventLog data for DNS collection. All WinEventLogs are now assigned to either the WinEventLog or the XmlWinEventLog sourcetype and are distinguished by their source.
| WinEventLog format | Source in DNS 1.0.1 | Sourcetype in DNS 1.0.1 | Source in Windows 6.0.0 | Sourcetype in Windows 6.0.0 |
|---|---|---|---|---|
| Classic | WinEventLog:DNS Server | WinEventLog:DNS-Server | WinEventLog:DNS Server | WinEventLog |
| XML | WinEventLog:DNS Server | WinEventLog:DNS-Server | XmlWinEventLog:DNS Server | XmlWinEventLog |
Because of these changes, events that have already been indexed are no longer extracted properly. The following renaming stanza ships with the Splunk Add-on for Windows 6.0.0 to rename your already indexed Classic-mode events at search time:
[WinEventLog:DNS-Server]
rename = wineventlog
If you collected WinEventLog data in XML format with the Splunk Add-on for Microsoft DNS 1.0.1, add the following stanza to /Splunk_TA_windows/local/props.conf to rename your already indexed XML WinEventLog events at search time:
[WinEventLog:DNS-Server]
rename = xmlwineventlog
Note
Renamed sourcetypes are case sensitive.
Change sourcetype-based extractions to source-based¶
The Splunk Add-on for Microsoft DNS 1.0.1 ships no preconfigured extractions for the sourcetype WinEventLog:DNS-Server. If you added custom extractions to its sourcetype-based stanza, see Change sourcetype-based extractions to source-based above for how to convert them.
Move any other custom configurations from TA-DNS 1.0.1 to TA-Windows 6.0.0¶
Copy any other custom configurations from /Splunk_TA_microsoft_dns/ to
/Splunk_TA_windows/ in appropriate conf files.
Migrate custom configurations of perfmon.conf (DNS)¶
The Splunk Add-on for Windows has no perfmon.conf. Copy any custom configuration from the PERFMON:* stanzas of perfmon.conf in the Splunk Add-on for Microsoft DNS to the corresponding [perfmon://...] stanzas in /Splunk_TA_windows/local/inputs.conf.