
Missing eventtypes from Splunk App for AWS

nickhills
Ultra Champion

I am attempting a deployment of a fresh Splunk x for AWS environment, and it seems that there are a significant number of changes in the new deployment for this pair of applications vs the old versions. However, unless I am mistaken, there are some fundamental problems with the new deployment model, and I wonder if anyone else has experienced this, or have I overlooked something fundamental?

Anyway, the story so far:

1.) I am using a dedicated Heavy Forwarder with the "Add-On" (configured with accounts and inputs)
2.) On the Search head, I have installed both the "App" and the "Add-On" (having configured the Add-On as invisible as per recommendations).

Starting with Billing, I have configured the input on the HF - if I look in my index, I see the events.
If I run the dashboards from the App, no data.

To be expected perhaps as the scheduled searches have not run, so I begin triggering them - only they are all empty - Why?
This seems to be because the reports depend on eventtypes - and these event types are NOT part of the "App" - instead the eventtypes are packaged in the "Add-On" (along with hundreds of other KOs like fields, tags etc).

So looking at the Add-On the eventtype definitions are there, however the permissions are restricting them to the Add-On's context only - they are not defined as Global.

As a consequence none of the reports from the App are building any data, and the whole Splunk x AWS environment is completely defective.

Clearly, the fix is to set all the eventtypes (and field aliases, calculated fields, tags etc.) in the add-on to 'global', which allows the reports and panels to build, but this was supposed to be a box-fresh deployment, and it seems remiss that I have to 'fix' the permissions to get things working - not to mention there are hundreds of them!

My question therefore is this:
Are we experiencing something unusual in this deployment (bad ./metadata/*meta file somehow) or have other people experienced the same issue?
I wonder how many people can be running the latest combination of App/Add-on and have it working - or have I simply missed a well hidden (but crucial) page on the documentation site?

Splunk App for AWS 5.1.0
Splunk Add-on for AWS 4.4.0

If my comment helps, please give it a thumbs up!
0 Karma
1 Solution

nickhills
Ultra Champion

I can't explain why, but somehow the Sharing for config file-only objects for the Add-On was set to 'this app only'.

I only noticed this when comparing it to the TA on the HF. I can't see that this was actively changed; however, setting it back (?) to Global now allows the knowledge objects from the TA to work in the app.

Rather than delete the question, I leave it here in case this occurs for someone else. I am still keen to understand if this was unusual, or others have had the same.

If my comment helps, please give it a thumbs up!


0 Karma
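
A way to check for the condition described in this thread, as an added example that is not part of the original posts and is not Splunk's own code: it resolves the effective `export` setting of knowledge objects from an add-on's `metadata/default.meta` and `metadata/local.meta`. It assumes that "this app only" is stored as `export = none` under the empty `[]` stanza of `local.meta` and uses a simplified inheritance model; the sample file contents and object names are constructed.

```python
# Added example: resolve the effective "export" setting of Splunk knowledge
# objects from an app's metadata/default.meta and metadata/local.meta.
# Simplified model (assumption): local.meta overrides default.meta per stanza,
# and [type/name] inherits from [type], which inherits from [].

def parse_meta(text):
    """Parse .meta text into {stanza: {key: value}}; handles the empty [] stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def effective_export(obj, default, local):
    """Return the export scope for 'type/name', most specific stanza first."""
    obj_type = obj.split("/", 1)[0]
    for stanza in (obj, obj_type, ""):
        for layer in (local, default):
            if "export" in layer.get(stanza, {}):
                return layer[stanza]["export"]
    return "none"  # assumption: with no export set, the object stays app-private

def app_only_objects(objects, default, local):
    """List objects that other apps (such as the App's reports) cannot see."""
    return [o for o in objects if effective_export(o, default, local) != "system"]

# Constructed sample files and object names, not taken from the real Add-on.
DEFAULT_META = """
[]
access = read : [ * ], write : [ admin ]
export = system
"""
LOCAL_META = """
[]
export = none

[tags]
export = system
"""
OBJECTS = ["eventtypes/example_billing", "props/example_sourcetype", "tags/example_tag"]

if __name__ == "__main__":
    d, l = parse_meta(DEFAULT_META), parse_meta(LOCAL_META)
    for name in app_only_objects(OBJECTS, d, l):
        print("not exported globally:", name)
```

Running the same comparison against the copies of the add-on on the search head and on the heavy forwarder shows whether the two `local.meta` files disagree.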
