
Installed App v1.3 on Splunk 6.6.2 do not see any new data inputs

Mostlyqueries
Explorer

I do not see any new data inputs, I tried refreshing and restarting splunk.
Is there a video showing the install and how to get data to be used by the application?
Will there be something that allows to decode with protobuf?

0 Karma

Damien_Dallimor
Ultra Champion

You need to write a custom data handler to decode the protobuf binary payload. This is the purpose of custom data handlers. The app ships with several examples in different languages to get you started. There are many libraries available (just google) containing the logic to decode protobuf, so it would likely be very simple to create a custom data handler.

http://www.baboonbones.com/blog/get-binary-data-splunk/

0 Karma

Mostlyqueries
Explorer

When a python script uses import inside the custom data handler, where does it look to find it?

Is it in here: /opt/splunk/etc/apps/protocol_ta/bin/vertx_modules/io.vertx~lang-jython~2.1.1/ ?

I am getting errors inside splunkd.log when I save the Protocol Data Input, so it looks like it is trying.

0 Karma

493669
Super Champion

Refer to this and follow the guidelines for Setup, Configuration and Troubleshooting:
https://splunkbase.splunk.com/app/1901/#/details

0 Karma

Mostlyqueries
Explorer

Took a look. Attempted again, this time putting Java on first and not installing the app in the GUI, but did it by hand with a tar.
Don't know which part helped, but I can see the Protocol Data Inputs in Data inputs now.

I still don't know how to get splunk to run the protobuf with the proto files I have.
Basically I have a linux command that works, and I need splunk to do it so I can index the data.

protoc --decode TelemetryStream firewall.proto -I /usr/include -I .

Is this the Custom data handler section?

0 Karma
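To make the decoding step concrete (Damien's custom data handler above, and the `protoc --decode` command in the post just before), here is an added example that is not from the app or this thread: a schema-less protobuf wire-format decoder that turns a binary payload into the dict a handler would hand to Splunk as one event. The sample bytes and the `FIELD_NAMES` map are constructed stand-ins for what `firewall.proto` would define; the app's own handler interface (and the Jython 2 runtime it uses) is not shown here.

```python
import struct

# Constructed sample (not from the thread): field 1 = string "fw01", field 2 = varint 443,
# field 3 = varint 1, field 4 = fixed64 1700000000, hand-encoded in protobuf wire format.
SAMPLE = bytes.fromhex("0a046677303110bb0318012100f1536500000000")
# Assumed field names; a real handler would take these from the .proto (e.g. firewall.proto).
FIELD_NAMES = {1: "host", 2: "dst_port", 3: "action", 4: "ts"}

def read_varint(buf, pos):
    """Decode one base-128 varint starting at pos; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf) or shift > 63:
            raise ValueError("truncated or oversized varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7

def read_fixed(buf, pos, fmt, size):
    """Decode a fixed-width little-endian field with an explicit bounds check."""
    if pos + size > len(buf):
        raise ValueError("truncated fixed-width field")
    return struct.unpack_from(fmt, buf, pos)[0], pos + size

def decode_fields(buf):
    """Schema-less walk of the wire format: returns [(field_no, wire_type, raw_value)]."""
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field_no, wire_type = tag >> 3, tag & 0x7
        if wire_type == 0:                      # varint
            value, pos = read_varint(buf, pos)
        elif wire_type == 1:                    # 64-bit
            value, pos = read_fixed(buf, pos, "<Q", 8)
        elif wire_type == 2:                    # length-delimited (string/bytes/sub-message)
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("length-delimited field runs past end of payload")
            value, pos = bytes(buf[pos:pos + length]), pos + length
        elif wire_type == 5:                    # 32-bit
            value, pos = read_fixed(buf, pos, "<I", 4)
        else:
            raise ValueError("unsupported wire type %d" % wire_type)
        fields.append((field_no, wire_type, value))
    return fields

def decode_event(buf, names=FIELD_NAMES):
    """Turn a payload into the dict a handler would emit as one Splunk event."""
    event = {}
    for field_no, wire_type, value in decode_fields(buf):
        if wire_type == 2:
            try:
                value = value.decode("utf-8")   # string field
            except UnicodeDecodeError:
                value = value.hex()             # opaque bytes or nested message
        event[names.get(field_no, "field_%d" % field_no)] = value
    return event

def is_well_formed(buf):
    """True if the payload parses; a handler would drop or log malformed input."""
    try:
        decode_fields(buf)
        return True
    except ValueError:
        return False
```

Running `decode_event(SAMPLE)` yields a flat dict ready to be JSON-serialised and indexed; malformed or truncated payloads raise `ValueError` rather than being silently emitted.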

493669
Super Champion

Have a look at https://www.splunk.com/blog/2014/11/11/protocol-data-inputs.html; if it doesn't help, then @Damien Dallimore can help you.

0 Karma