We were asked to install the app TA-meraki on Splunk.
The following URL was given.
The ta-meraki_111.tgz file was downloaded and copied to the search head server anaxsplhd01 in the path /opt/splunk/etc/apps.
We unzipped the file using tar -xvzf ta_meraki_111.tgz.
A folder TA-meraki was created in the path /opt/splunk/etc/apps. After that we restarted Splunk.
We were able to see the app TA-meraki in Splunk Web. We made it visible.
Now the user is complaining that he is unable to see the data in the app.
What steps are we missing?
What are the further steps to configure the app?
Following are the contents of the file /opt/splunk/etc/apps/TA-meraki/default/app.conf
is_configured = false
state = enabled
state_change_requires_restart = false
build = 18
description = CIM Compliant Extractions and Tags for meraki
is_visible = false
show_in_nav = false
label = TA-meraki
id = TA-meraki
check_for_updates = true
This is an add-on to extract and map fields; it doesn't contain any visualizations or dashboard panels. You don't need to make it visible because this add-on doesn't present any views. You can use other apps like Enterprise Security or build custom reports and dashboards to visualize the Meraki data.
If you've done the onboarding right and search for sourcetype=meraki, you should see correctly parsed data.
The extractions are dependent upon having your inputs.conf set up. That setup is site specific. I put a sample regarding syslog-ng setup.
But that isn't relevant in many cases.
This set of extractions has no effect on the data or the ability to see the log.
You should be able to see the logs by searching for sourcetype=meraki; if you can't... try doing an index=meraki (or whatever index you put your data in). Then when you see the log, verify the sourcetype and that data is extracted.
There is no inputs.conf file present in the /opt/splunk/etc/apps/TA-meraki/default directory.
I thought of copying the inputs.conf file present in the /opt/splunk/etc/apps/TA-meraki/default
Do I need to create inputs.conf in /opt/splunk/etc/apps/TA-meraki/local/ if it does not exist?
Everyone's input files are site specific and cannot be defined by the TA.
The TA is a technology adapter which (mostly) applies to the search head. This one has some applicability to your heavy forwarder.
For example if you were running syslog-ng and had all of the plumbing done correctly in syslog-ng:
host_segment = 4
sourcetype = meraki
However the config above is site specific. In order to build one you need to look at your input plumbing architecture.
What device are you sending your Meraki logs to?
How does the device route logs to your heavy forwarder?
You also need to apply your host field somehow.
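A complete inputs.conf stanza of the kind the answer above describes, added here as an example that is not part of the original answer. It assumes syslog-ng writes each Meraki device's logs under a hypothetical per-device directory /var/log/syslog-ng/<device>/meraki.log on the heavy forwarder, and that an index named meraki already exists; both are assumptions to adjust for your site.

```ini
# Constructed example for /opt/splunk/etc/apps/TA-meraki/local/inputs.conf on the
# heavy forwarder that receives the syslog-ng output (not from the original answer).
#
# With the assumed layout /var/log/syslog-ng/<device>/meraki.log, the path segments
# counted from the left are var=1, log=2, syslog-ng=3, <device>=4, so host_segment = 4
# fills the Splunk host field from the per-device directory name instead of the
# forwarder's own hostname.
[monitor:///var/log/syslog-ng/*/meraki.log]
sourcetype = meraki
host_segment = 4
index = meraki
disabled = 0
```

After restarting the forwarder, /opt/splunk/bin/splunk btool inputs list --debug shows whether the stanza is picked up and which file it came from, and index=meraki sourcetype=meraki on the search head should return the events with the TA's extractions applied.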