
A guide to installing a Splunk TA at command line? - CentOS7 & Splunk 6.6.2

New Member

We have recently had Splunk installed by professional services; however, with them being so proficient during the install, we didn't really get our heads around every part of the install process for TAs.

It was said that installing from the GUI doesn't always work well, as it fails to set file permissions correctly. I have therefore compiled what we think to be the install sequence and would welcome some feedback - that is to say, have we missed anything?

Thanks in advance.


1) Download new TA from Splunkbase in .tgz format

2) Copy onto Splunk server /home/xxxx

3) cd /opt/splunk/etc/deployment-apps

4) Unpack splunkxxxxx.tgz to /opt/splunk/etc/deployment-apps (run from that directory, as in step 3; -z is explicit for the gzipped .tgz)
tar -xzvf /home/xxxx/splunk-add-on-TA.tgz

5) Change ownership of new app folder (chown's recursive flag is upper-case -R; -r is not valid)
sudo chown -R splunk:splunk /opt/splunk/etc/deployment-apps/<new-app-folder>

6) Copy into /opt/splunk/etc/apps
cp -a /opt/splunk/etc/deployment-apps/<new-app-folder> /opt/splunk/etc/apps/

7) Restart Splunk
/opt/splunk/bin/splunk restart

8) Create new server class
Navigate to: Splunk>Settings>ForwarderManagement>Server Classes
New Server Class (hyperv in this case)
Add Windows HyperV App
Edit Apps > Selected Splunk_TA_microsoft-hyperv
Added Clients
Edit Clients > add in hyperv servers

9) Create new index
Navigate to: Splunk>Settings>Indexes
"New Index"
Index name = hyperv
App = Splunk_TA_microsoft-hyperv

10) Copy inputs.conf into new app folder



Esteemed Legend

Also be aware that there are some things that Splunk does that are not evident when the Splunk installation process happens, and these will NOT happen if you manually unpack into the apps directory. For example, the family of seckit apps on Splunkbase will be completely broken if you manually unpack them. So you should never manually unpack, and always use the proper CLI command: $SPLUNK_HOME/bin/splunk install app <path-to-app-tgz-or-spl-here> to unpack for you (or the GUI method that I described in my other answer).


Once you do this, how do you actually start using the app you installed? E.g. I've installed the Windows Defender TA, but how do I get the forwarders to start reporting Defender logs? I've done all the above up to step 10...


Ultra Champion

I'm not sure I agree with step 10 - in some cases this is fine, but in others you need to make config changes to have this collect the relevant data.

Now whilst this approach is unlikely to cause problems, it just feels like duplication of config (and increased complexity) for no real benefit

If your text read "copy relevant stanzas from default/inputs.conf (and modify as necessary) to local/inputs.conf" I'd be 100% behind it.

If my comment helps, please give it a thumbs up!
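As an added example that is not code from this thread or from Splunk, the script below turns the OP's steps 4 and 5 (unpack the .tgz into deployment-apps, fix ownership) and this comment's suggestion (copy individual stanzas from default/inputs.conf into local/inputs.conf rather than the whole file) into shell functions. It assumes /opt/splunk as the install location and splunk as the service account; the Splunk_TA_example app and the stanza names used when exercising it are constructed. It also adds two checks the thread implies but does not show: it refuses an archive whose member paths are absolute or contain "..", which would otherwise let a tampered download write outside deployment-apps, and it lists any file left owned by a user other than splunk.

```shell
#!/bin/sh
# Added example (not code from this thread or from Splunk): the OP's steps 4-5 as functions,
# plus stanza-level enabling of inputs. Paths, user and app names are assumptions.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"      # assumed install location
SPLUNK_USER="${SPLUNK_USER:-splunk}"           # assumed service account
SPLUNK_GROUP="${SPLUNK_GROUP:-$SPLUNK_USER}"

# Print the single top-level directory inside a Splunkbase .tgz/.spl (the app folder name).
# Refuses member paths that are absolute or contain "..", which would let a tampered
# archive write outside deployment-apps, and archives with several top-level entries.
app_name_from_archive() {
  local archive listing entry top tops old_ifs
  archive=$1
  listing=$(tar -tzf "$archive") || return 1
  tops=""
  old_ifs=$IFS
  IFS='
'
  for entry in $listing; do
    entry=${entry#./}
    [ -n "$entry" ] || continue
    case "$entry" in
      /*|../*|*/../*|*/..)
        IFS=$old_ifs
        echo "refusing $archive: unsafe member path '$entry'" >&2
        return 1 ;;
    esac
    top=${entry%%/*}
    if [ -n "$tops" ] && [ "$top" != "$tops" ]; then
      IFS=$old_ifs
      echo "refusing $archive: more than one top-level entry ($tops, $top)" >&2
      return 1
    fi
    tops=$top
  done
  IFS=$old_ifs
  [ -n "$tops" ] || { echo "refusing $archive: empty archive" >&2; return 1; }
  printf '%s\n' "$tops"
}

# OP steps 4 and 5: unpack into deployment-apps (or a given directory) and chown
# recursively; chown's recursive flag is -R, not -r. Prints the app directory.
install_to_deployment_apps() {
  local archive dest app
  archive=$1
  dest=${2:-$SPLUNK_HOME/etc/deployment-apps}
  app=$(app_name_from_archive "$archive")
  mkdir -p "$dest"
  tar -xzf "$archive" -C "$dest"
  chown -R "$SPLUNK_USER:$SPLUNK_GROUP" "$dest/$app"
  printf '%s\n' "$dest/$app"
}

# Files under an app not owned by the Splunk user: the permission problem the OP was
# warned about. No output means the ownership fix took.
wrong_owner_files() {
  find "$1" ! -user "$SPLUNK_USER" -print
}

# Copy one [stanza] from default/inputs.conf to local/inputs.conf with disabled = 0,
# leaving the rest of default/ alone so a TA upgrade does not overwrite local changes.
enable_input_stanza() {
  local app_dir stanza
  app_dir=$1
  stanza=$2
  mkdir -p "$app_dir/local"
  awk -v want="[$stanza]" '
    $0 == want { inside = 1; found = 1; print; next }
    /^\[/      { inside = 0 }
    inside && /^disabled[[:space:]]*=/ { next }   # replaced by the line appended below
    inside     { print }
    END        { exit !found }
  ' "$app_dir/default/inputs.conf" >> "$app_dir/local/inputs.conf" ||
    { echo "no [$stanza] in $app_dir/default/inputs.conf" >&2; return 1; }
  printf 'disabled = 0\n\n' >> "$app_dir/local/inputs.conf"
}

# Usage (as root): sh install_ta.sh /home/xxxx/splunk-add-on-TA.tgz [stanza-to-enable]
if [ "$#" -ge 1 ]; then
  app_path=$(install_to_deployment_apps "$1")
  bad=$(wrong_owner_files "$app_path")
  [ -z "$bad" ] || { echo "still not owned by $SPLUNK_USER:" "$bad" >&2; exit 1; }
  [ "$#" -lt 2 ] || enable_input_stanza "$app_path" "$2"
  echo "unpacked $app_path; restart Splunk and add the app to a server class"
fi
```

This scripts the manual route the OP described; it is not a substitute for $SPLUNK_HOME/bin/splunk install app, which the earlier reply recommends for apps that depend on the install-time steps Splunk performs and a plain tar extraction skips. After it runs, the OP's remaining steps (restart, server class, index) still apply.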

Esteemed Legend

I have no idea what he could have meant about the GUI and permissions; it makes NO sense to me (same thing with ownership). What I do is go to the DS and install from the GUI, configure EVERYTHING, including all the setup/login/PW/API/keys. Then go to the CLI and move it from the apps directory to the deployment-apps directory and deploy it to everywhere that it should go. This, of course, assumes that all of your infrastructure has the same splunk.secret file.

Perhaps he was talking about the problems with using Windows for your Splunk Infrastructure host OS, this can cause ownership and permission problems (but still has nothing really to do with the GUI/CLI):
