What is the difference between deploying add-ons by copying them to the "Splunk\etc\deployment-apps" folder and via the Splunk Web interface?

splunk_sa
Explorer

I am working on deploying the Splunk Add-on for Microsoft Active Directory. Some documents suggest unzipping splunk-add-on-for-microsoft-active-directory_100.tgz to a folder and copying it to the Z:\Program Files\Splunk\etc\deployment-apps folder.
Another document suggests using the Splunk Web interface: go to Manage Apps > add new app and point to splunk-add-on-for-microsoft-active-directory_100.tgz.

When I tried the first method, it did not work for me; later I learned that I was supposed to create a "Local" folder and put "inputs.conf" in that folder manually.
When I used the second method, I got the desired results automatically.
Which method is preferred?
Thanks in advance.

0 Karma

splunk_sa
Explorer

Hi Giuseppe.
Thanks for taking the time to reply. I have gone through almost all of the different versions of the Splunk docs about deploying the Splunk Add-on for Microsoft Active Directory.
Each document differs a little. My basic question was: what is the difference between deploying the Splunk Add-on for Microsoft Active Directory as described in the document below? I have a single server with Splunk Enterprise and Microsoft Active Directory installed on separate servers. The idea was to collect Active Directory data and security logs from the domain controller.
I first followed these 2 documents exactly as written. I did not get any Active Directory related indexes created, such as "msad", "perfmon", etc., nor did I get any security logs pulled from the domain controller where I installed the universal forwarder and deployed the application.
Instead I got the Active Directory data in the main index rather than its own index as defined in inputs.conf. Maybe I was supposed to create a folder "Local" and put inputs.conf in that folder, but that is not specified in these 2 procedures.
So I tried these...
http://docs.splunk.com/Documentation/MSExchange/3.4.1/DeployMSX/DeploytheSplunkAdd-onsforActiveDirec...
AND
https://docs.splunk.com/Documentation/MSApp/1.4.1/MSInfra/DeploytheSplunkAdd-onsforActiveDirectory

Then I saw below procedure
http://docs.splunk.com/Documentation/AddOns/latest/Overview/Singleserverinstall

which talks about logging in to the Splunk web interface, going to Apps > Manage Apps > Add, and adding the app downloaded as the splunk-add-on-for-microsoft-active-directory_100.tgz file. Once I did this, suddenly I got the indexes "msad", "perfmon", etc. created, and I got the AD data in msad instead of main. I still have to create a separate forwarded input and create an input for the security logs for the domain controller.
So I don't understand what the difference is between manually expanding the add-on file to a folder, copying it to the deployment apps folder and restarting Splunk, and the second method of using the Splunk console and adding the app using the GUI.
I wish there were one consistent method of deploying the Splunk add-on for Active Directory rather than many different documents.

Cheers
Sa

gcusello
SplunkTrust

Hi splunk_sa,
sorry but I don't understand your need:

  • do you want to deploy this Add-on onto one server (see the second question), or do you want to deploy it using a Deployment Server?
  • what server are you speaking about: Deployment Server, Universal Forwarder on Domain Controllers or Splunk Enterprise?

Unzipping splunk-add-on-for-microsoft-active-directory_100.tgz to a folder and copying it to the $SPLUNK_HOME\etc\deployment-apps folder is the method to deploy an app from the Deployment Server to other servers, but you also have to configure the Forwarders as Deployment Clients and create a Server Class.

If instead you want to manually install your Add-On, you can unzip splunk-add-on-for-microsoft-active-directory_100.tgz to a folder and copy it to the $SPLUNK_HOME\Splunk\etc\apps folder (and restart Splunk).

In addition, I don't understand what you mean when you speak about the web interface: usually this Add-on is installed on a Forwarder on Domain Controllers, and the UF doesn't have a web interface.

Anyway, as described in the documentation, the best way is to deploy Apps using a Deployment Server (see https://docs.splunk.com/Documentation/MSApp/1.4.1/MSInfra/DeploytheSplunkAdd-onsforActiveDirectory ).

Bye.
Giuseppe

0 Karma
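The symptom discussed in this thread (no events, or events landing in main instead of msad) can be checked on the unpacked app directory before it is deployed. The following is an added example, not code from any poster or from Splunk: it merges an app's default/ and local/ inputs.conf, with local taking precedence, and reports for each input stanza whether it is enabled and which index it names. The app name `sample_ad_addon`, the stanza names and their settings are constructed for illustration, and only layering inside one app is modelled.

```python
import configparser
import tempfile
from pathlib import Path

def read_conf(path):
    """Parse one Splunk .conf file into {stanza: {key: value}}; {} if absent."""
    cp = configparser.RawConfigParser(delimiters=("=",), comment_prefixes=("#",),
                                      strict=False, default_section="__unused__")
    cp.optionxform = str  # Splunk keys are case-sensitive
    if path.is_file():
        # Settings before the first stanza are global; park them under [default].
        cp.read_string("[default]\n" + path.read_text(encoding="utf-8"))
    return {s: dict(cp.items(s)) for s in cp.sections()}

def audit_inputs(app_dir):
    """Merge default/ and local/ inputs.conf (local wins) and return
    [(stanza, enabled, index_or_None)] for every input stanza."""
    merged = {}
    for layer in ("default", "local"):  # read local last so it overrides
        for stanza, kv in read_conf(Path(app_dir) / layer / "inputs.conf").items():
            merged.setdefault(stanza, {}).update(kv)
    glob = merged.pop("default", {})
    rows = []
    for stanza, kv in sorted(merged.items()):
        flag = kv.get("disabled", glob.get("disabled", "0")).strip().lower()
        # index None means no index is set, so events go to the default index (main)
        rows.append((stanza, flag not in ("1", "true"), kv.get("index", glob.get("index"))))
    return rows

def build_sample_app(root, with_local):
    """Constructed sample app; stanza names and settings are illustrative."""
    app = Path(root) / "sample_ad_addon"
    (app / "default").mkdir(parents=True)
    (app / "default" / "inputs.conf").write_text(
        "[admon://ExampleDC]\ndisabled = 1\n\n[WinEventLog://Security]\ndisabled = 1\n")
    if with_local:
        (app / "local").mkdir()
        (app / "local" / "inputs.conf").write_text(
            "[admon://ExampleDC]\ndisabled = 0\nindex = msad\n\n"
            "[WinEventLog://Security]\ndisabled = 0\n")
    return app

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for stanza, enabled, index in audit_inputs(build_sample_app(tmp, True)):
            state = "enabled" if enabled else "disabled"
            print(f"{stanza:28} {state:9} index={index or 'unset (default index)'}")
```

In the constructed sample, the Security event log input is enabled in local/ but names no index, so its events would land in main, while the same app without a local/ folder collects nothing because every input stays disabled.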

niketn
Legend

If you think the manual steps for the Microsoft Active Directory Add-on are missing a required step in the documentation, and the documentation is on Splunk Docs, then you can always provide feedback in the feedback section at the bottom of the documentation so that the Technical Writer will be able to review and rectify it.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"