Hi guys, I just started using Splunk and I am trying to create a Splunk app that will connect to any syslog server over the internet to get raw TCP or UDP logs from a remote server into a Splunk index, and I do not know how to implement it. I want to include a UI page in my app so the user can easily configure the details of the remote server, such as choosing a TCP or UDP connection, the port, which networks to exclude, the IP address of the server, etc.
Currently I am unsure how to set up the page for configuring these settings in the UI. I want my end product to turn out similar to Splunk's data inputs, but I want the page to exist as a page within my app. I do not want to use any other add-on.
1) Where do I create the page? In the app or in the app's add-on?
2) Do I have to use modular inputs?
3) Does the page need to use the setup tag or the form tag? (I want it as a page that exists in the nav bar.)
4) Do I have to create a Python script to link the inputs on the UI page to the inputs.conf file?
5) Do I have to edit the restmap.conf file first to link the Python script to restmap.conf?
6) Can I create a button on the page to test for connectivity after the user has saved the settings?
7) Do I have to make a custom stanza for it and point the input to the stanza value? If so, how do I specify in the stanza that it comes from the inputs, e.g. by leaving it blank?
Hi, your idea is a bit flawed...
You want Splunk to connect to syslog and get raw logs; this is impossible. Splunk will either receive syslog messages from hosts that are sending syslog data to specified IPs (your indexers / HFs), or it can relay any data it receives to syslog. You can't "pull" with syslog; you only receive or forward/send syslog messages. Syslog is simplex.
I think you're diving too deep too soon. All of the points you specify are advanced, and some of them cannot be done out of the box; there will be hurdles and problems even for the more advanced devs.
Firstly, you need to reconsider the use case here and be more clear; the question is too broad as well.
Tell your syslog hosts to send via TCP to your Splunk instance, then create your syslog listener (inputs.conf in etc/system/local OR via the web GUI TCP inputs). Consider using outputs.conf / web GUI forwarding to relay the syslog messages elsewhere if you require that, and confirm it is working by watching your splunkd logs. Later, try to move these settings to your own custom app, and take it from there.
I'd imagine that for advanced functionality of forms you want to use Bash scripting and the KV Store + REST API, all of which are tricky to combine, and I've never done anything like it before either... You have a long way to go before you get any of what you asked for materialised!
Thank you for your reply; it helped me cut down on some of the things I am confused about.
For starters, right now, after creating my app, I am trying to let my app automatically listen on port 514 TCP by default, which I do not know how to implement.
Also, to simplify my previous question, my goal is to set up a UI page in my app somewhat similar to Splunk's default Local inputs, where you can set it in Settings under TCP and UDP. However, what I am looking for is to allow my users to easily access that page instead of Splunk's and set whatever configuration they want, such as any TCP or UDP port and also the sourcetype and index name they want.
For my remote syslog host I have already configured a custom forwarder and have been successful in using the default Splunk settings to allow the logs to be sent through any port, such as TCP port 8888, and to receive the logs with the sourcetype I have named, such as custom_logs, into the default index.
I hope to implement this setting as a page in my app to tell my app to listen on whichever port the user wants, and I have no idea where to start.
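As an added example (not posted by either participant), this is what the listener from the reply above looks like when shipped inside the app as default/inputs.conf, so the app listens on TCP and UDP 514 as soon as it is installed, alongside the TCP 8888 / custom_logs input already working in the original poster's setup. The index name, the excluded network in acceptFrom and the stanza values are assumptions; note that binding a port below 1024 such as 514 requires the splunkd process to have the privilege to do so on Linux.

```ini
# $SPLUNK_HOME/etc/apps/<your_app>/default/inputs.conf
# Ship the listeners with the app; users override them in local/inputs.conf.

[tcp://514]
# Syslog over TCP. "disabled = 0" makes the app listen as soon as it is installed.
disabled = 0
sourcetype = syslog
index = syslog_idx            ; assumed index name, must already exist
connection_host = ip          ; set host field from the sender's IP address
# Allow everyone except one network, e.g. a lab range the user wants excluded
# (assumed value). Rules are evaluated in order; "!" denies, "*" allows the rest.
acceptFrom = !10.20.0.0/16, *

[udp://514]
# Syslog over UDP, same policy as the TCP listener.
disabled = 0
sourcetype = syslog
index = syslog_idx
connection_host = ip
acceptFrom = !10.20.0.0/16, *
# Keep the sender's own timestamp and priority instead of rewriting the message.
no_appending_timestamp = true
no_priority_stripping = true

[tcp://8888]
# The forwarder input the original poster already has working, moved into the app.
disabled = 0
sourcetype = custom_logs
index = main
connection_host = ip
```

After a restart, `splunk btool inputs list --debug` shows which file each stanza came from, and the TCP/UDP pages under Settings > Data inputs should list the app as the owner of these inputs.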