We have recently had Splunk installed by professional services however with them being so proficient during the install we didn't really get our heads round every part of the install process for TA's.
It was said that installing from the GUI doesn't always work well as it fails to set file permissions correctly. I have therefore compiled what we think to be the install sequence and would welcome some feedback - that is to say have we missed anything?
Thanks in advance.
1) Download new TA from Splunkbase in .tgz format
2) Copy onto Splunk server /home/xxxx
3) cd /opt/splunk/etc/deployment-apps
4) Unpack splunkxxxxx.tgz to /opt/splunk/etc/deployment-apps
tar -xvf /home/xxxx/splunk-add-on-TA.tgz
5) Change ownership of new app folder
sudo chown -R splunk:splunk
6) Copy into /opt/splunk/etc/apps
cp -a /opt/splunk/etc/apps/
7) Restart Splunk
8) Create new server class
Navigate to: Splunk>Settings>ForwarderManagement>Server Classes
New Server Class (hyperv in this case)
Add Windows HyperV App
Edit Apps > Selected Splunk_TA_microsoft-hyperv
Edit Clients > add in hyperv servers
9) Create new index
Navigate to: Splunk>Settings>Indexes
Index name = hyperv
App = Splunk_TA_microsoft-hyperv
10) Copy inputs.conf into new app folder
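An added example, not part of the original post, of steps 4 to 8 as a POSIX shell script: it inspects the archive before extracting (exactly one top-level app directory, no absolute or parent-relative entries), unpacks into deployment-apps, applies the step 5 ownership when run as root, and emits the serverclass.conf stanzas that the GUI writes in step 8. The class name, app name, hosts and paths are assumptions.

```shell
#!/bin/sh
# Added example: manual TA unpack with archive checks, plus the
# serverclass.conf equivalent of the GUI server class. All names are assumed.
set -eu

# A Splunkbase TA must contain exactly one top-level app directory and no
# absolute or ".." paths; refuse anything else before tar touches the disk.
ta_check_archive() {
  tgz=$1
  if tar -tzf "$tgz" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
    echo "unsafe path in $tgz" >&2; return 1
  fi
  tops=$(tar -tzf "$tgz" | sed 's#^\./##' | cut -d/ -f1 | grep -v '^$' | sort -u)
  set -- $tops
  if [ "$#" -ne 1 ]; then
    echo "expected one top-level app dir, got: $tops" >&2; return 1
  fi
  printf '%s\n' "$1"
}

# Unpack into the deployment-apps directory (step 4) and set ownership
# (step 5, 'chown -R splunk:splunk'); chown is skipped when not root.
ta_install() {
  tgz=$1; dest=$2; owner=${3:-splunk:splunk}
  app=$(ta_check_archive "$tgz")
  mkdir -p "$dest"
  tar -xzf "$tgz" -C "$dest"
  if [ "$(id -u)" -eq 0 ]; then chown -R "$owner" "$dest/$app"; fi
  printf '%s\n' "$dest/$app"
}

# Emit the serverclass.conf stanzas the GUI creates in step 8:
# a server class with a whitelist of clients, and the app mapped to it.
ta_serverclass_stanza() {
  class=$1; app=$2; shift 2
  printf '[serverClass:%s]\n' "$class"
  i=0
  for host in "$@"; do
    printf 'whitelist.%d = %s\n' "$i" "$host"; i=$((i+1))
  done
  printf '\n[serverClass:%s:app:%s]\nrestartSplunkd = true\n' "$class" "$app"
}
```

The answer further down that prefers `$SPLUNK_HOME/bin/splunk install app` still applies; this script only adds the checks a manual unpack otherwise lacks.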
Also be aware that there are some things that Splunk does that are not evident when the Splunk installation process happens and these will NOT happen if you manually unpack into the apps directory. For example, the family of seckit apps on Splunkbase will be completely broken if you manually unpack them. So you should never manually unpack and always use the proper CLI command:
$SPLUNK_HOME/bin/splunk install app <path-to-app-tgz-or-spl-here> to unpack for you (or the GUI method that I described in my other answer).
Once you do this, how do you actually start using the app you installed? E.G. I've installed the windows defender TA but how do I get the forwarders to start reporting defender logs? I've done all the above up to step 10...
I'm not sure I agree with 10 - in some cases this is fine, but in others you need to make config changes to have this collect the relevant data.
Now whilst this approach is unlikely to cause problems, it just feels like duplication of config (and increased complexity) for no real benefit
If your text read "copy relevant stanzas from default/inputs.conf (and modify as necessary) to local/inputs.conf" I'd be 100% behind it.
I have no idea what he could have meant about the GUI and permissions; it makes NO sense to me (same thing with ownership). What I do is go to the DS and install from the GUI, configure EVERYTHING, including all the setup/login/PW/API/Keys. Then go to the CLI and move it from the apps directory to the deployment-apps directory and deploy it to everywhere that it should go. This, of course, assumes that all of your infrastructure has the same
Perhaps he was talking about the problems with using Windows for your Splunk Infrastructure host OS, this can cause ownership and permission problems (but still has nothing really to do with the GUI/CLI):