Proofpoint - ET Splunk TA: Is there any mechanism ...

wryanthomas · ‎06-25-2019

I see that this app is "Splunk Cloud" compatible, but I'm wondering...

The add-on appears to be based on the assumption that the data input is set up on the search head. (Lookups are created directly by the add-on without sending it first to an index ... and therefore, lookups are available only where the data input is created.)

Is there any mechanism within the add-on for delivering the lookups to a search head? (Some add-ons use index-based ingestion of the dynamic data, then the add-on on the search head generates the lookups.)

I'm not seeing this information in the documentation, and I'm hoping I'm just missing it.

Thanks in advance.

amitm05 · ‎06-25-2019

Hi wryanthomas
Can you specify which addon are you talking about ?

By the way, there can be addons which needs to be directly installed to SHs. These are valid in the cases where an addon specifically is being used for generating lookups to enrich your data with some intel.
One such example is https://splunkbase.splunk.com/app/3127/#/overview

So principally there is nothing wrong if your addon is only installed on SH and is directly creating/updating some lookups only.

Hope it answers your doubt. Let me know

wryanthomas · ‎06-25-2019

Thanks.

The add-on is Proofpoint - ET Splunk TA. (See tags.)

https://splunkbase.splunk.com/app/2915/

So... when I go to the app installed on a heavy forwarder, I have the opportunity to enter the key(s) for connecting (and ingesting) the data. It works. But on Splunk Cloud (see tags), I don't get the option to add the key(s) ... for establishing the connection.

Note: The app claims Splunk Cloud compatibility. I'm wondering if I'm doing something wrong.

wryanthomas · ‎06-25-2019

In Splunk Cloud (SHC), data inputs are disabled, apparently. Submitting support request to see if they can get this set up with us. (We need to enter the access code/key.)

amitm05 · ‎06-26-2019

Do you have a Self Service or a Managed Splunk Cloud deployment ?
If it is Self Service, You must be a Splunk Cloud administrator to install and manage apps in your Splunk Cloud deployment.
It also needs to be checked if this app is available for self service installation OR whether you need to ask Splunk support to do that.

Check this -
https://docs.splunk.com/Documentation/SplunkCloud/7.2.6/User/SelfServiceAppInstall

wryanthomas · ‎06-26-2019

Sorry for not being clear in original post. Splunk Support has already installed this for us. (There is a Search Head Cluster-related bug that makes it necessary for Splunk Support to install our apps for us at the moment.) The experience with the TA in Splunk Cloud (it doesn't work -- doesn't prompt for access code when going to app) is why I made this post.

Splunk Support replied to my request yesterday. They informed me that scripted inputs are not allowed on Splunk Cloud ... but suggested I submit a new case for Engineering to look at.

I am hoping Engineering has a helpful response.

Would be interested to hear if anyone else in Splunk Cloud has gotten this add-on to work (in Splunk Cloud) ... and if so, how.

Proofpoint - ET Splunk TA: Is there any mechanism within the add-on for delivering the lookups to a search head?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes