All Apps and Add-ons

Uploaded App getting rejected by SplunkCloud

rbanksplunk
Engager

I need to install Splunk Add-on for Amazon Web Services on our splunkcloud.

I'm following the below steps to achieve this

  1. Downloaded the app's .tgz from https://splunkbase.splunk.com/app/1876/
  2. I use the "Upload App" button on https://our_organization.splunkcloud.com/en-US/app/dmc/uploaded_apps
  3. The app shows up in the list with status "Vetting"
  4. After some time, the status changes to "rejected" with not much explanation in reports

What am I doing wrong?

0 Karma

jgedeon_splunk
Splunk Employee
Splunk Employee

The app, https://splunkbase.splunk.com/app/1876/ Splunk_TA_aws, is an assisted install app. If you view the app in the UI you should see that the button states that a support case needs to be opened to install it on the search head. That said, Inputs are not allowed on the search heads in cloud, you need to either use a HWF to bring the data in or have an IDM in your cloud deployment. If you don't have an IDM you will soon be able to reach out to your account team and request one. Uploading a package to be installed is for uploading custom customer managed and created apps.

0 Karma

kmorris_splunk
Splunk Employee
Splunk Employee

The Splunk Add-on for Amazon Web Services needs to run on-premise in a Heavy Forwarder, or in a Cloud based component we call an IDM. Not sure if they are full GA yet, but we were doing limited release recently. An IDM is essentially a Heavy Forwarder like component, running in your Splunk Cloud environment. It is not recommended to collect data via a Search Head, which is what you would be doing if you installed the Add-on in your cloud environment without an IDM.

Ask your sales team about IDMs if you aren't willing to install a Heavy Forwarder on-prem to collect the AWS data.

Depending on the data you are trying to ingest from AWS, there are other options as well, like Kinesis Firehose which pushes the data into Splunk via the HTTP Event Collector, which can be enabled in Splunk Cloud by opening a ticket.

sloshburch
Ultra Champion

The add-on is also needed for sourcetype definitions and therefore needs to be deployed to the Search Head(s) with the inputs all turned off. Sounds like a misunderstanding if you only wanted it deployed for the sourcetype info. If you needed it for data collection than @kmorris_splunk is spot on.

0 Karma

kmorris_splunk
Splunk Employee
Splunk Employee

Burch, good point on the sourcetype definitions. So it should still allow for upload and installation.

0 Karma

jkat54
SplunkTrust
SplunkTrust

This should be allowed, I would create a support ticket/request to find out how.

0 Karma

jkat54
SplunkTrust
SplunkTrust

Have you tried browsing to the app instead of uploading the tar?

0 Karma

rbanksplunk
Engager

So I made a support ticket to install the app, and support did it. Now, I'm unable to configure the add-on because of some internal server errors. When I talked to support about this, they responded with this documentation : https://docs.splunk.com/Documentation/SplunkCloud/7.2.6/Service/SplunkCloudservice#Differences_betwe...

"Splunk does not support the use of inputs.conf on the search tier of Splunk Cloud. Splunk Cloud uses the Packaging Toolkit (http://dev.splunk.com/view/packaging-toolkit/SP-CAAAE9V#partitioning) to partition apps into appropriate packages for the search tier, indexer tier, and forwarder tier. You are responsible for installing the data collection components of any app you want to use in Splunk Cloud on a Splunk Forwarder under your control. If you require direct input on the search tier and you cannot deploy forwarders, you can request that Splunk Cloud deploy data ingestion processes on the Splunk Cloud search tier, but this approach is not subject to Splunk Cloud SLAs."

0 Karma

rbanksplunk
Engager

Yes, it show's with a disabled "Request install button" in the apps list.

0 Karma