Hello all, I'm hoping that someone with a bit of experience with integrating/installing Splunk apps and the common information model will be able to help me with a problem I'm having.
I need to monitor DNS activity, and store this data in my Splunk enterprise instance in a CIM-compliant format. I've got plenty of experience with driving Splunk, building analytics and reports, dashboards etc, but little in the way of the underlying engineering aspects, data pipeline, formatting etc (though I have built regex-based field extractions in the past). CIM compliance is a requirement in order to integrate another tool that's going to go on top of Splunk.
I'm working under some limitations in what I can do to get the data in. Therefore, I've had the DNS server configured to produce debug logging into a plaintext file, and I've deployed a Universal Forwarder to monitor this file. I've also got the Splunk add-on for DNS installed, as my understanding is this will give me the CIM-compliant field extractions and parsing of the log that I need.
I've got a single-instance Splunk Enterprise v8 server built, and I've been able to verify that the data is coming in (albeit with warnings about missing indexes, that I think will be resolved once I've configured the receiving a bit better). My understanding is that I also need to install the DNS add-on into the indexer, and this is where it gets murky.
I believe that the DNS add-on is superseded by the add-on for Microsoft Windows. I've opted to use the DNS add-on, however, as I saw references in other questions that the new add-on isn't actually CIM compliant. However, the DNS add-on isn't compatible with Splunk 8. Having had a look through the add-ons, I can see the same extractions and content the DNS add-on had in the Microsoft add-on, so I think I can put the Windows add-on onto the indexer, and still get all the DNS information/extractions I need from the DNS add-on installed on the forwarder. However, I can't see the WIndows add-on in the splunk apps store - it's just missing.
I'm aiming now to try a manual install, but this seems a fairly straightforward usecase, so I'm asking whether anyone has had experience doing this, and can guide me in the right direction. Is what I'm doing sensible? Will it do what I need it to? And, if I cann't get an add-on onto the indexer, can I not just copy the regex from the add-on config files and extract my own fields, with the appropriate CIM names?
Any insight, experience or suggestions would be greatly appreciated. Right now, I'm trying to hack this into working, and I'd be far happier if I knew I was at least heading in the sane direction.
I can't see the WIndows add-on in the splunk apps store - it's just missing.
Do you mean from the app browser within Splunk? (as opposed to splunkbase.com)
If so - the app browser will only show you compatible apps - although from the sounds of your post you have figured that out!
Your approach seems sensible, and there are only some minor things to highlight on terminology.
Since this is a single instance deployment (ie the server is IDX and SH) you don't actually "need" the add on for the indexing stage.
If memory serves (I don't have a windows env at my fingertips at the moment) There are no transformations needed on those logs, so the indexing stage will not make any use of the TA.
You will however need the search time extractions for search. In other words, If this was a distributed deployment you would only need it on your SH.
Given that, you should be able to 'borrow' the config files and lookups from another app and add them to your SH without any issues.
To check I'm not talking nonsense (its been a while since I have had to deal with MS) can you post splunkbase links to the add-ons you are referring to and I'll try to check.
Hey, thanks for your response.
Not nonsense at all, as I've actually managed to get a bit further on this now, under my own steam, with the ingest and parsing of data, broadly following the approach you suggest. I'm working through a minor issue with formatting at the moment, and I'll probably post an answer to my own question once I've finished that, so there's a record for anyone else who has this issue in future.
To answer your query though, I was using the below:
Splunk Add-on for DNS
That has been replaced by the Splunk Add-on for Microsoft Windows:
All the content, extractions, parsing, transformations etc have been moved over to the Windows app, with the only difference related to DNS seeming to be that now the inputs are disabled by default, and no longer specify an index that needs to be created. Other than compatibility issues between versions of Splunk, there's no reason to use the DNS Add-On. That said, having the DNS Add-On on the forwarder, with the Windows Add-On on the indexer/search head did work - it's the same sourcetype, and all the processing was taking place on the receiving end anyway, as you said.
The remaining issue I have that the DNS debug logs contain spurious characters in the log text (added by Windows), that need to be removed with a regex. And, in addition, the official add-on does not create CIM compliant fields, so those need be extracted, aliased, etc, with a bespoke configuration. I think I have those in hand.
The only strange thing is that, despite the Windows Add-On being compatible with Splunk 8.0, it wasn't showing up in the app browser; manually downloading and installing via the Web interface was a work around, however.
Splunkbase rules changed a good few months back. For apps to pass app-inspect one of the new constraints is that they don't create any indexes.
The docs can make index recommendations, but you should not get a indexes.conf from any validated app.
I believe the issue was people installing apps which were writing data into indexes, and then being surprised when the app is uninstalled and the data vanishes!
Sounds like you have cracked it!
Is your server windows or linux? https://splunkbase.splunk.com/app/742/ is listed as windows only, so if you're on nix that could be why the in-splunk app-browser is trying to get involved.
My server is running on Linux, so that may well be why the app wouldn't show up. Seems like an oversight to me, given the configuration for the receiving end should be agnostic to the platform, if I've understood how it's all working properly, but easily resolved. Manual install is always an option as well. I've come to suspect that for simple apps that just add configurations like parsing, transformations, etc, the compatibility details are probably mostly for guidance in an edge case like this.
But never mind; seems to be sorted.
Thanks for your insight!