
How to install and configure TA-meraki app

pratapa
Explorer

We were asked to install the app TA-meraki on splunk.

Following url were given
https://splunkbase.splunk.com/app/3018/

The ta-meraki_111.tgz file was downloaded and copied to the search head server anaxsplhd01 in the path /opt/splunk/etc/apps.

We unzipped the file using tar -xvzf ta_meraki_111.tgz.

A folder TA-meraki was created in the path /opt/splunk/etc/apps. After that we restarted Splunk.
We were able to see the app TA-meraki in Splunk Web. We made it visible.

Now the user is complaining that he is unable to see the data in the app.

What steps are we missing?

What are the further steps to configure the app?

Following are the contents of the file /opt/splunk/etc/apps/TA-meraki/default/app.conf

# TA-meraki app configuration file

[install]
is_configured = false
state = enabled
state_change_requires_restart = false
build = 18

[launcher]
author = Myron Davis
version = 1.1.1
description = CIM Compliant Extractions and Tags for meraki

[ui]
is_visible = false
show_in_nav = false
label = TA-meraki

[package]
id = TA-meraki
check_for_updates = true

0 Karma

PavelP
Motivator

Hello @pratapa,

This is an add-on to extract and map fields; it doesn't contain any visualizations or dashboard panels. You don't need to make it visible because this add-on doesn't present any views. You can use other apps like Enterprise Security, or build custom reports and dashboards to visualize the Meraki data.

If you've done the onboarding right and search for sourcetype=meraki, you should see correctly parsed data.

pratapa
Explorer

Sourcetype=meraki does not exist.

I think we have missed the steps to configure the app TA-meraki. Could you please help me with this?

0 Karma

myron_davis
Path Finder

The extractions are dependent upon having your inputs.conf set up. That setup is site specific. I put in a sample regarding the syslog-ng setup.

But that isn't relevant in many cases.

This set of extractions has no effect on the data or the ability to see the log.

You should be able to see the logs by searching for sourcetype=meraki; if you can't, try doing an index=meraki (or whatever index you put your data in). Then, when you see the log, verify the sourcetype and that data is extracted.

0 Karma

pratapa
Explorer

There is no inputs.conf file present in the /opt/splunk/etc/apps/TA-meraki/default directory.

I thought of copying the inputs.conf file present in /opt/splunk/etc/apps/TA-meraki/default to /opt/splunk/etc/apps/TA-meraki/local.

Do I need to create inputs.conf in /opt/splunk/etc/apps/TA-meraki/local/ if it does not exist?

0 Karma

myron_davis
Path Finder

Everyone's input files are site specific and cannot be defined by the TA.

The TA is a technology adapter which (mostly) applies to the search head. This one has some applicability to your heavy forwarder.

For example, if you were running syslog-ng and had all of the plumbing done correctly in syslog-ng:

inputs.conf file:

[default]
# host is taken from the 4th path segment: /logpartition/logs/meraki/<host>/...
host_segment = 4

[monitor:///logpartition/logs/meraki/*/2016/...]
# "..." recurses into every subdirectory below each device's 2016 folder
sourcetype = meraki
index = meraki

However, the config above is site specific. In order to build one you need to look at your input plumbing architecture.

What device are you sending your Meraki logs to?
How does the device route logs to your heavy forwarder?
You also need to apply your host field somehow.

0 Karma
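A way to sanity-check a site-specific inputs.conf like the sample above before restarting Splunk, as an added example that is not part of the thread or of the TA-meraki add-on: it parses the stanzas, emulates Splunk's [default] inheritance of host_segment, shows which host each sample path would be assigned, and flags a stanza whose sourcetype is not meraki (the TA's extractions would then never apply). The inputs.conf text and the file paths are constructed for the example.

```python
import configparser
import fnmatch

# Constructed inputs.conf text shaped like the syslog-ng sample above (not the page's own file).
INPUTS_CONF = """
[default]
host_segment = 4

[monitor:///logpartition/logs/meraki/*/2016/...]
sourcetype = meraki
index = meraki
"""
# Constructed file paths such a syslog-ng layout might write; segment 4 is the sending device.
SAMPLE_PATHS = [
    "/logpartition/logs/meraki/mx84-branch1/2016/05/messages.log",
    "/logpartition/logs/meraki/mr33-lobby/2016/06/messages.log",
]

def monitor_glob(stanza):
    # "monitor:///path" -> "/path"; Splunk's recursive "..." wildcard is widened to a glob "*"
    return stanza[len("monitor://"):].replace("...", "*")

def host_from_path(path, host_segment):
    # host_segment is 1-based and counts path segments after the leading "/"
    parts = [p for p in path.split("/") if p]
    return parts[host_segment - 1] if 1 <= host_segment <= len(parts) else None

def check_inputs(text, paths, expected_sourcetype="meraki"):
    cp = configparser.ConfigParser(interpolation=None)  # inputs.conf uses no %-interpolation
    cp.read_string(text)
    # Splunk applies [default] to every stanza; configparser does not, so carry it over by hand
    default_seg = cp["default"].get("host_segment") if cp.has_section("default") else None
    results = []
    for name in cp.sections():
        if not name.startswith("monitor://"):
            continue
        sect = cp[name]
        seg = int(sect.get("host_segment", default_seg) or 0)
        hosts = {p: host_from_path(p, seg) for p in paths if fnmatch.fnmatch(p, monitor_glob(name))}
        problems = []
        if sect.get("sourcetype") != expected_sourcetype:
            problems.append("sourcetype is not %r, so the TA's extractions will not apply" % expected_sourcetype)
        if not sect.get("index"):
            problems.append("no index set; events go to the default index")
        if not hosts or None in hosts.values():
            problems.append("monitor path matches nothing, or host_segment points past a matched path")
        results.append({"stanza": name, "sourcetype": sect.get("sourcetype"),
                        "index": sect.get("index"), "hosts": hosts, "problems": problems})
    return results
```

Run check_inputs against your own inputs.conf text and a handful of real paths from the syslog-ng tree; an empty problems list and the expected host per path is what you want to see before restarting the forwarder.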

PavelP
Motivator

Have you configured the input correctly? Is Splunk ingesting Meraki logs?

0 Karma

nomad899
Loves-to-Learn Lots

To OP, were you able to get this working?

0 Karma