
A guide to installing a Splunk TA at command line? - CentOS7 & Splunk 6.6.2

riscyrich
New Member

We have recently had Splunk installed by professional services; however, with them being so proficient during the install, we didn't really get our heads round every part of the install process for TAs.

It was said that installing from the GUI doesn't always work well as it fails to set file permissions correctly. I have therefore compiled what we think to be the install sequence and would welcome some feedback - that is to say, have we missed anything?

Thanks in advance.

Rich

1) Download new TA from Splunkbase in .tgz format

2) Copy onto Splunk server /home/xxxx

3) cd /opt/splunk/etc/deployment-apps

4) Unpack splunkxxxxx.tgz to /opt/splunk/etc/deployment-apps (the archive is gzipped, so pass -z explicitly; -C spares you the cd in step 3)
tar -xzvf /home/xxxx/splunk-add-on-TA.tgz -C /opt/splunk/etc/deployment-apps

5) Change ownership of the new app folder (chown's recursive flag is uppercase -R)
sudo chown -R splunk:splunk /opt/splunk/etc/deployment-apps/<new app folder>

6) Copy into /opt/splunk/etc/apps
cp -a /opt/splunk/etc/deployment-apps/<new app folder> /opt/splunk/etc/apps/

7) Restart Splunk (use the full path; ./splunk only works from /opt/splunk/bin)
/opt/splunk/bin/splunk restart

8) Create new server class
Navigate to: Splunk>Settings>ForwarderManagement>Server Classes
New Server Class (hyperv in this case)
Add Windows HyperV App
Edit Apps > Selected Splunk_TA_microsoft-hyperv
Added Clients
Edit Clients > add in hyperv servers

9) Create new index
Navigate to: Splunk>Settings>Indexes
"New Index"
Index name = hyperv
App = Splunk_TA_microsoft-hyperv

10) Copy inputs.conf into the new app's local folder
/opt/splunk/etc/deployment-apps/Splunk_TA_microsoft-hyperv/default/inputs.conf
to

/opt/splunk/etc/deployment-apps/Splunk_TA_microsoft-hyperv/local/inputs.conf
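The script below is an added example and is not code from the original post or from Splunk. It performs steps 4 to 6 and 10 above as one CLI run with the checks a careful install wants: it refuses archives that do not contain exactly one app directory, refuses to overwrite an app that is already staged, verifies default/app.conf exists, uses chown -R, and copies only the named stanzas from default/inputs.conf into local/inputs.conf with disabled = 0 and the target index set. SPLUNK_HOME, SPLUNK_USER, SPLUNK_GROUP, the sample archive name and the WinEventLog stanza name in the usage comment are assumptions; the sample archive built by the test is constructed, not a real Splunkbase package.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or from Splunk): stage a
# Splunkbase TA into deployment-apps from the CLI with basic sanity checks.
# SPLUNK_HOME / SPLUNK_USER / SPLUNK_GROUP are assumptions; override via env.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_USER="${SPLUNK_USER:-splunk}"
SPLUNK_GROUP="${SPLUNK_GROUP:-$SPLUNK_USER}"

# Print the single top-level directory inside a .tgz/.spl. Refuse archives
# that would scatter files across deployment-apps or contain no app dir.
ta_top_dir() {
    local archive="$1" tops n
    tar -tzf "$archive" >/dev/null || return 1
    tops=$(tar -tzf "$archive" | awk -F/ '{ sub(/^\.\//, ""); if ($1 != "") print $1 }' | sort -u)
    n=$(printf '%s\n' "$tops" | awk 'END { print NR }')
    [ -n "$tops" ] && [ "$n" -eq 1 ] || { echo "expected exactly one app directory, found $n" >&2; return 1; }
    printf '%s\n' "$tops"
}

# Unpack into deployment-apps (default), fix ownership recursively (-R, not -r)
# and confirm the result looks like a Splunk app. Prints the staged app path.
stage_ta() {
    local archive="$1" dest="${2:-$SPLUNK_HOME/etc/deployment-apps}" app
    app=$(ta_top_dir "$archive") || return 1
    [ ! -e "$dest/$app" ] || { echo "$dest/$app already exists; remove or version it first" >&2; return 1; }
    tar -xzf "$archive" -C "$dest"
    [ -f "$dest/$app/default/app.conf" ] || { echo "$app has no default/app.conf" >&2; return 1; }
    chown -R "$SPLUNK_USER:$SPLUNK_GROUP" "$dest/$app"
    printf '%s\n' "$dest/$app"
}

# Copy only the named stanzas from default/inputs.conf into local/inputs.conf,
# forcing disabled = 0 and the given index. default/ is never edited, so a TA
# upgrade cannot silently revert the change. All stanzas are validated first.
enable_inputs() {
    local app_dir="$1" index="$2" src dst stanza
    shift 2
    src="$app_dir/default/inputs.conf"
    dst="$app_dir/local/inputs.conf"
    [ -f "$src" ] || { echo "no $src" >&2; return 1; }
    for stanza in "$@"; do
        grep -qxF "[$stanza]" "$src" || { echo "stanza [$stanza] not in $src" >&2; return 1; }
    done
    mkdir -p "$app_dir/local"
    for stanza in "$@"; do
        awk -v s="[$stanza]" '
            $0 == s                    { inside = 1; print; next }  # our header
            /^\[/                      { inside = 0 }               # any other header ends it
            !inside                    { next }
            /^[ \t]*$/                 { next }                     # drop blank lines
            /^(disabled|index)[ \t]*=/ { next }                     # we set these below
                                       { print }
        ' "$src" >> "$dst"
        printf 'disabled = 0\nindex = %s\n\n' "$index" >> "$dst"
    done
    chown -R "$SPLUNK_USER:$SPLUNK_GROUP" "$app_dir/local"
}

# Usage (archive name, index and stanza are assumptions):
#   ./stage_ta.sh ~/Splunk_TA_example.tgz hyperv \
#       'WinEventLog://Microsoft-Windows-Hyper-V-VMMS/Admin'
if [ "$#" -ge 3 ]; then
    app_dir=$(stage_ta "$1")
    shift
    enable_inputs "$app_dir" "$@"
    # Add the app to a server class (step 8), then push it to the clients.
    "$SPLUNK_HOME/bin/splunk" reload deploy-server
fi
```

Run it as root (or as the user that owns /opt/splunk); the chown is the step that needs the privilege. Note that this only stages the app for the deployment server, which is where a TA for forwarders belongs; it does not install it into etc/apps of the local instance. Where an app ships install-time logic that the plain unpack skips, `$SPLUNK_HOME/bin/splunk install app <file>` installs it properly into etc/apps, and you can then move the configured folder into deployment-apps.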


woodcock
Esteemed Legend

Also be aware that there are some things that Splunk does that are not evident when the Splunk installation process happens, and these will NOT happen if you manually unpack into the apps directory. For example, the family of seckit apps on Splunkbase will be completely broken if you manually unpack them. So you should never manually unpack and always use the proper CLI command: $SPLUNK_HOME/bin/splunk install app <path-to-app-tgz-or-spl-here> to unpack for you (or the GUI method that I described in my other answer).

cubicmotion
Explorer

Once you do this, how do you actually start using the app you installed? E.g. I've installed the Windows Defender TA, but how do I get the forwarders to start reporting Defender logs? I've done all the above up to step 10...


nickhills
Ultra Champion

I'm not sure I agree with 10 - in some cases this is fine, but in others you need to make config changes to have this collect the relevant data.

Now, whilst this approach is unlikely to cause problems, it just feels like duplication of config (and increased complexity) for no real benefit.

If your text read "copy relevant stanzas from default/inputs.conf (and modify as necessary) to local/inputs.conf" I'd be 100% behind it.

If my comment helps, please give it a thumbs up!

woodcock
Esteemed Legend

I have no idea what he could have meant about the GUI and permissions; it makes NO sense to me (same thing with ownership). What I do is go to the DS and install from the GUI, configure EVERYTHING, including all the setup/login/PW/API/keys. Then go to the CLI and move it from the apps directory to the deployment-apps directory and deploy it to everywhere that it should go. This, of course, assumes that all of your infrastructure has the same splunk.secret file.

Perhaps he was talking about the problems with using Windows for your Splunk infrastructure host OS; this can cause ownership and permission problems (but still has nothing really to do with the GUI/CLI):

https://answers.splunk.com/answers/516059/what-are-the-pain-points-with-deploying-your-splun.html
