We were asked to install the app TA-meraki on Splunk.
The following URL was given:
https://splunkbase.splunk.com/app/3018/
The ta-meraki_111.tgz file was downloaded and copied to the search head server anaxsplhd01 in the path /opt/splunk/etc/apps.
We unzipped the file using tar -xvzf ta_meraki_111.tgz.
A folder TA-meraki was created in the path /opt/splunk/etc/apps. After that we restarted Splunk.
We were able to see the app TA-meraki in Splunk Web. We made it visible.
Now the user is complaining that he is unable to see the data in the app.
What steps are we missing?
What are the further steps to configure the app?
Following are the contents of the file /opt/splunk/etc/apps/TA-meraki/default/app.conf
[install]
is_configured = false
state = enabled
state_change_requires_restart = false
build = 18
[launcher]
author=Myron Davis
version=1.1.1
description = CIM Compliant Extractions and Tags for meraki
[ui]
is_visible = false
show_in_nav = false
label = TA-meraki
[package]
id = TA-meraki
check_for_updates = true
Hello @pratapa,
this is an add-on to extract and map fields; it doesn't contain any visualizations or dashboard panels. You don't need to make it visible because this add-on doesn't present any views. You can use other apps like Enterprise Security or build custom reports and dashboards to visualize the Meraki data.
If you've done the onboarding right and search for sourcetype=meraki , you should see correctly parsed data.
Sourcetype=meraki does not exist.
I think we have missed the steps to configure the app TA-meraki. Could you please help me with this?
The extractions are dependent upon having your inputs.conf setup. That setup is site specific. I put a sample regarding syslog-ng setup.
But that isn't relevant in many cases.
This set of extractions has no effect on the data or the ability to see the log.
You should be able to see the logs by searching for sourcetype=meraki; if you can't, try searching index=meraki (or whatever index you put your data in). Then, when you see the log, verify the sourcetype and that the data is extracted.
There is no inputs.conf file present in the /opt/splunk/etc/apps/TA-meraki/default directory.
I thought of copying the inputs.conf file present in the /opt/splunk/etc/apps/TA-meraki/default
to /opt/splunk/etc/apps/TA-meraki/local.
Do I need to create inputs.conf in /opt/splunk/etc/apps/TA-meraki/local/ if it does not exist?
Everyone's input files are site specific and cannot be defined by the TA.
The TA is a technology adapter which (mostly) applies to the search head. This one has some applicability to your heavy forwarder.
For example if you were running syslog-ng and had all of the plumbing done correctly in syslog-ng:
inputs.conf file:
[default]
host_segment = 4
[monitor:///logpartition/logs/meraki/*/2016/...]
sourcetype = meraki
index=meraki
However the config above is site specific. In order to build one you need to look at your input plumbing architecture.
What device are you sending your Meraki logs to?
How does the device route logs to your heavy forwarder?
You also need to apply your host field somehow.
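As an added illustration of the answer above (this is not code from the thread or from the TA-meraki add-on), the following Python script parses an inputs.conf in the shape of the syslog-ng sample, merges the [default] stanza into each monitor stanza the way Splunk layers them, shows which path segment host_segment = 4 would pick as the host, and flags the usual gaps behind an empty sourcetype=meraki search (wrong sourcetype, missing or undefined index, no host setting). The sample config is constructed from the one posted above; the device directory mx64-branch, the file name, and the set of "known indexes" are invented placeholders, and the host_segment check assumes Splunk's documented rule of counting path segments from 1 after the leading slash.

```python
import configparser

# Constructed sample inputs.conf, modelled on the syslog-ng layout in the thread.
# The device directory and file name used further down are invented placeholders.
SAMPLE_INPUTS_CONF = """\
[default]
host_segment = 4

[monitor:///logpartition/logs/meraki/*/2016/...]
sourcetype = meraki
index = meraki
"""


def parse_inputs_conf(text):
    """Parse Splunk-style inputs.conf text. Splunk's [default] stanza is an
    ordinary section here, because configparser's own defaults live in [DEFAULT]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    return cp


def monitor_stanzas(cp):
    """Return {monitored_path: effective settings}, with [default] values
    applied beneath each [monitor://...] stanza as Splunk layers them."""
    defaults = dict(cp["default"]) if cp.has_section("default") else {}
    result = {}
    for section in cp.sections():
        if section.startswith("monitor://"):
            effective = dict(defaults)
            effective.update(cp[section])
            result[section[len("monitor://"):]] = effective
    return result


def resolve_host(file_path, host_segment):
    """Mimic host_segment: the Nth '/'-separated segment of the file path,
    counting from 1 after the leading '/'. Returns None if out of range."""
    segments = file_path.strip("/").split("/")
    if 1 <= host_segment <= len(segments):
        return segments[host_segment - 1]
    return None


def check_stanza(settings, known_indexes, expected_sourcetype="meraki"):
    """Flag the gaps that typically explain an empty sourcetype=meraki search."""
    problems = []
    if settings.get("sourcetype") != expected_sourcetype:
        problems.append(f"sourcetype is not '{expected_sourcetype}', so the TA's extractions will not apply")
    index = settings.get("index")
    if index is None:
        problems.append("no index set; events would land in the default index")
    elif index not in known_indexes:
        problems.append(f"index '{index}' is not defined on the indexer")
    if "host_segment" not in settings and "host" not in settings:
        problems.append("no host or host_segment; host will be the forwarder's own name")
    return problems


def audit(text, known_indexes):
    """Run the checks over every monitor stanza; returns {path: [problems]}."""
    return {path: check_stanza(settings, known_indexes)
            for path, settings in monitor_stanzas(parse_inputs_conf(text)).items()}


if __name__ == "__main__":
    # Placeholder index list: the 'meraki' index has deliberately not been created yet.
    for path, problems in audit(SAMPLE_INPUTS_CONF, {"main"}).items():
        print(path, problems or "OK")
    # Placeholder file path under the monitored tree; segment 4 is the device directory.
    print(resolve_host("/logpartition/logs/meraki/mx64-branch/2016/06/01.log", 4))
```

Running it against the sample with only a "main" index reports that the meraki index is undefined, which is the quickest thing to verify on the indexer before looking at extractions; once the index exists the audit returns no problems, and resolve_host shows that host_segment = 4 picks the per-device directory name rather than the year.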
Have you configured the input correctly? Is Splunk ingesting Meraki logs?
To OP: were you able to get this working?