topic Re: Help with App to get approved over Splunk Cloud in Splunk Dev

Help with App to get approved over Splunk Cloud

PratikPashte — Fri, 19 Mar 2021 09:14:11 GMT

I have vendor whose application is yet not supported on Splunk Cloud but can be installed on HF.

I thought to check what error I am getting post uploading the app, so if possible I can tweak and can get that approved.

Post uploading I got the below failure summary, I need help to understand the error and if possible to get that resolve

I had followed below dev guide as well but not able to get the proper understanding which can help to resolve the error.

[ Failure Summary ]
Failures will block the Cloud Vetting. They must be fixed.
check_pretrained_sourcetypes_have_only_allowed_transforms
Only TRANSFORMS- or SEDCMD options are allowed for pretrained sourcetypes. File: default/props.conf Line Number: 3

Dev Guide: https://dev.splunk.com/enterprise/docs/reference/splunkappinspectcheck/

Re: Help with App to get approved over Splunk Cloud

richgalloway — Fri, 19 Mar 2021 12:15:23 GMT

Please share lines #1-3 from the app's props.conf file.

Re: Help with App to get approved over Splunk Cloud

PratikPashte — Mon, 22 Mar 2021 07:02:57 GMT

Hi Rich,

Please find the below line,

[syslog]
TIME_PREFIX = (?:^.*Centrify.*whenoccurreddate=|^.*?)
TRANSFORMS-centrify_cisp_syslog_transforms = centrify_cisp_syslog_regex

And transform.conf file below,

[centrify_cisp_headers]
REGEX = .*\d{1,2}\:\d{1,2}\:\d{1,2}\.*?\s(?<system>[^\s]*)\s+.*INFO\s+(?<product>(?:[^|\\]|(?:\\{2})|\\\|)+)\|(?<category>(?:[^|\\]|(?:\\{2})|\\\|)+)\|(?<eventname>(?:[^|\\]|(?:\\{2})|\\\|)+)

[centrify_cisp_syslog_regex]
REGEX = .*Centrify.*whenoccurreddate=.*
FORMAT = sourcetype::centrify_cisp_syslog
DEST_KEY = MetaData:Sourcetype

Re: Help with App to get approved over Splunk Cloud

richgalloway — Mon, 22 Mar 2021 12:27:40 GMT

Per the error message "Only TRANSFORMS- or SEDCMD options are allowed for pretrained sourcetypes", but you have TIME_PREFIX. Either get rid of TIME_PREFIX or use a custom sourcetype.

Re: Help with App to get approved over Splunk Cloud

PratikPashte — Mon, 22 Mar 2021 13:20:02 GMT

Hi Rich,

I can remove time prefix but would not get "when occurred" date field which would be needed.

When you say custom source type meaning a separate stanza in props.conf and associated regex under transofrms.conf file right?

Like props would look like this,

[cp_centrify_syslog]
TRANSFORMS-cp_centrify_cisp_syslog_transforms = cp_centrify_cisp_syslog_regex

[syslog]
TRANSFORMS-centrify_cisp_syslog_transforms = centrify_cisp_syslog_regex

And transform would look like this,

[cp_centrify_cisp_syslog_regex]
REGEX = (?:^.*Centrify.*whenoccurreddate=|^.*?)
FORMAT = sourcetype::centrify_cisp_syslog

[centrify_cisp_syslog_regex]
REGEX = .*Centrify.*whenoccurreddate=.*
FORMAT = sourcetype::centrify_cisp_syslog
DEST_KEY = MetaData:Sourcetype

Does this needs to be done?

Thank you for your help.

Re: Help with App to get approved over Splunk Cloud

richgalloway — Mon, 22 Mar 2021 14:39:50 GMT

By "custom sourcetype" I was thinking of something a little simpler.

In props.conf replace [syslog] with [centrify_syslog] then have all syslog data from Centrify specify the new sourcetype.

Re: Help with App to get approved over Splunk Cloud

PratikPashte — Tue, 23 Mar 2021 08:44:28 GMT

I guess this worked only thing now I need to figure out is below,

I cannot do this,

$SPLUNK_HOME/bin/splunk package app <APP_NAME>

As I am having Splunk Cloud don't have access to the box not sure whether can be done on deployment server, also as Splunk recommends 644 for all files outside of bin/ and 755 for all directories and files in the bin/ directory that is already in place but not sure whether windows is still messing with permission...

[ Failure Summary ]
Failures will block the Cloud Vetting. They must be fixed.
check_for_bin_files
This file has execute permissions for owners, groups, or others. File: test
This file has execute permissions for owners, groups, or others. File: license-eula.txt
This file has execute permissions for owners, groups, or others. File: README.md
This file has execute permissions for owners, groups, or others. File: default/inputs.conf.example
This file has execute permissions for owners, groups, or others. File: default/app.conf

Re: Help with App to get approved over Splunk Cloud

richgalloway — Tue, 23 Mar 2021 12:22:20 GMT

Yes, you should be able to package the app on the DS. Packaging on a Windows box, however, will cause the app to fail AppInspect because of the permissions settings. If you package on Windows, you'll need to transfer the package to a Linux machine, extract the files, change permissions, then re-tar the package.

Re: Help with App to get approved over Splunk Cloud

PratikPashte — Thu, 25 Mar 2021 06:41:37 GMT

I did that taking package at Linux extracting doing changes and repackaging.

But still getting same error although the permissions are as per requirement.

I will be now trying to utilize splunk app package utility, to do so, would just need validation on steps to follow,

Place the app (.tgz file or extracted package?) under $SPLUNK_HOME/etc/apps, then to go under,

$SPLUNK_HOME/bin/ and to run below command right?

splunk package app <APP_NAME>

and the app will output to $SPLUNK_HOME/etc/system/static/app-packages

Thank you in advanced

Re: Help with App to get approved over Splunk Cloud

richgalloway — Thu, 25 Mar 2021 12:59:19 GMT

Yes, those are the steps.

Re: Help with App to get approved over Splunk Cloud

PratikPashte — Thu, 25 Mar 2021 13:06:25 GMT

Hi @richgalloway

Thank you for all your help.

I had actually changed the files permission for the one which got with the report to 644 and it worked.

Rather changing the directory permission recursively i changed only required file permission.

Do not need to use that tool but I guess in future splunk package app would make sense to use rather changing each file permission to get this worked.

Last question..

Now as I added custom sourctype to props.conf file replacing syslog and I would be taking that data from syslog server.

So I should add that sourcetype at syslog server side and same I will get as I am going to install that app on Splunk cloud right?

If possible you can provide some information about the workflow from app custom sourcetype to splunk cloud would be great help.

Re: Help with App to get approved over Splunk Cloud

richgalloway — Thu, 25 Mar 2021 15:56:50 GMT

Yes, the custom sourcetype must be referenced on the syslog server so Splunk knows to apply that sourcetype to the data.

Submit your custom to Splunk Cloud by going to the App Management page in your SC instance. Then select the Uploaded Apps tab and click the Upload App button. Provide your splunk.com credentials (those you use for splunkbase) and choose the file to upload. Splunk will automatically run AppInspect and let you know the results. If the app passes AppInspect then there will be a link you can click to install the app; otherwise, review the results to see why the app failed.