Re: A guide to installing a Splunk TA at command l...

riscyrich · ‎07-20-2017

We have recently had Splunk installed by professional services however with them being so proficient during the install we didn't really get our heads round every part of the install process for TA's.

It was said that installing from the GUI doesn't always work well as it fails to set file permissions correctly. I have therefore compiled what we think to be the install sequence and would welcome some feedback - that is to say have we missed anything?

Thanks in advance.

Rich

1) Download new TA from Splunkbase in .tgz format

2) Copy onto Splunk server /home/xxxx

3) cd /opt/splunk/etc/deployment-apps

4) Unpack splunkxxxxx.tgz to /opt/splunk/etc/deployment-apps
tar -xvf /home/xxxx/splunk-add-on-TA.tgz

5) Change ownership of new app folder
**sudo chown -r splunk:splunk **

6) Copy into /opt/splunk/etc/apps
cp -a /opt/splunk/etc/apps/

7) Restart Splunk
./splunk restart

😎 Create new server class
Navigate to: Splunk>Settings>ForwarderManagement>Server Classes
New Server Class (hyperv in this case)
Add Windows HyperV App
Edit Apps > Selected Splunk_TA_microsoft-hyperv
Added Clients
Edit Clients > add in hyperv servers

9) Create new index
Navigate to: Splunk>Settings>Indexes
"New Index"
Index name = hyperv
App = Splunk_TA_microsoft-hyperv

10) Copy input.conf into new app folder
/opt/splunk/etc/deployment-apps/Splunk_TA_microsoft-hyperv/default/input.conf
to

/opt/splunk/etc/deployment-apps/Splunk_TA_microsoft-hyperv/local/input.conf

woodcock · ‎03-22-2019

Also be aware that there are some things that Splunk does that are not evident when the Splunk installation process happens and these will NOT happen if you manually unpack into the apps directory. For example, the family of seckit apps on Splunkbase will be completely broken if you manually unpack them. So you should never manually unpack and always use the proper CLI command: $SPLUNK_HOME/bin/splunk install app <path-to-app-tgz-or-spl-here> to upack for you (or the GUI method that I described in my other answer).

cubicmotion · ‎03-22-2019

Once you do this, how do you actually start using the app you installed? E.G. I've installed the windows defender TA but how do I get the forwarders to start reporting defender logs? I've done all the above up to step 10...

nickhills · ‎03-22-2019

I'm not sure I agree with 10 - in some cases this is fine, but in others you need to make config changes to have this collect the relevant data.

Now whilst this approach is unlikely to cause problems, it just feels like duplication of config (and increased complexity) for no real benefit

If your text read "copy relevant stanzas from default/inputs.conf (and modify as necessary) to local/inputs.conf" I'd be 100% behind it.

If my comment helps, please give it a thumbs up!

woodcock · ‎07-20-2017

I have no idea what he could have meant abut the GUI and permissions; it makes NO sense to me (same thing with ownership). What I do is go to the DS and install from the GUI, configure EVERYTHING, including all the setup/login/PW/API/Keys. Then go the CLI and move it form the apps directory to the deployment-apps directory and deploy it to everywhere that it should go. This, of course, assumes that all of your infrastructure has the same splunk.secret file.

Perhaps he was talking about the problems with using Windows for your Splunk Infrastructure host OS, this can cause ownership and permission problems (but still has nothing really to do with the GUI/CLI):

https://answers.splunk.com/answers/516059/what-are-the-pain-points-with-deploying-your-splun.html

A guide to installing a Splunk TA at command line? - CentOS7 & Splunk 6.6.2

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes