Splunk Add-on's installation validation

tlmayes
Contributor

Interested in learning a repeatable process of how to validate the installation of an "Add-on"?

Up to now, validation has been easy, since installed Add-ons were accompanied by the installation of an App that depended on the add-on. Now I am being requested to install several Splunk-developed Add-ons, with no associated Splunk App. Is there a repeatable process for testing, troubleshooting, or validating that the installation of an Add-on was successful?

So that the question is not too broad, some of the Add-ons I am currently working on:

Splunk_TA_sourcefire
Splunk_TA_cisco-asa
Splunk_TA_flowfix
Splunk_TA_modsecurity
Splunk_microsoft-iis

0 Karma

woodcock
Esteemed Legend

Unless the authors of the app have gone above and beyond the call of duty in the app documentation or a README file (look for this), you have to examine the KOs yourself to see what causes the stuff to trigger at the root. Many apps have a sourcetype that you must set in your dataset. Others have an eventtype or macro that you are free to modify, and then all of the stuff that the app does uses that root macro or eventtype.

0 Karma

adonio
Ultra Champion

Hi tlmayes,
Use this REST command and filter the results as you wish:

| rest /services/apps/local

This summarizes all the data regarding your apps.
Hope it helps.

0 Karma

tlmayes
Contributor

Thanks for the response. I should have been more precise in my request...

I need to validate that any newly installed Add-on is doing what it is supposed to be doing according to its props/transforms.conf when installed on remote HF/UFs.

0 Karma

adonio
Ultra Champion

For installation validation, there is an alert on the Forwarders Management page if you are using a Deployment Server, or you can search the internal index (_internal).
For app functionality, you can search index = _internal. This slide explains it nicely: https://conf.splunk.com/session/2015/conf2015_VEbken_XLi_SplunkClassics_UsingSplunkInternalLogs.pdf
Narrow your searches of the internal index to fit the processor that is tied to props and transforms.
Another way is to check your data and verify the fields are extracted correctly.

0 Karma
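
An offline pre-check related to the props/transforms validation discussed above, as an added example that is not part of the thread or of any Splunk add-on: it confirms that every TRANSFORMS-/REPORT- reference in props.conf resolves to a transforms.conf stanza, and groups settings by whether they take effect at index time (where data is parsed) or at search time. The sample stanzas and names are constructed, and the prefix lists are a partial, illustrative selection.

```python
# Constructed sample for a hypothetical add-on (not taken from any real Splunk TA).
SAMPLE_PROPS = r"""[example:firewall]
TIME_PREFIX = ^
SHOULD_LINEMERGE = false
TRANSFORMS-routing = example_set_index, example_drop_noise
REPORT-fields = example_kv_fields
EXTRACT-action = action=(?<action>\w+)
FIELDALIAS-src = src_ip AS src
"""
SAMPLE_TRANSFORMS = r"""[example_set_index]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = netfw

[example_kv_fields]
REGEX = (\w+)=(\S+)
FORMAT = $1::$2
"""
# Partial, illustrative prefix lists: where a props.conf setting takes effect.
INDEX_TIME = ("TRANSFORMS-", "SEDCMD-", "LINE_BREAKER", "SHOULD_LINEMERGE", "TIME_", "TZ")
SEARCH_TIME = ("REPORT-", "EXTRACT-", "FIELDALIAS-", "EVAL-", "LOOKUP-", "KV_MODE")

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; joins '\\' continuations, skips '#' comments."""
    stanzas, current, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):
            pending = line[:-1]          # continuation: glue onto the next line
        elif line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif line and not line.startswith("#") and "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def audit(props_text, transforms_text):
    """Return unresolved transform references plus settings grouped by processing tier."""
    props, transforms = parse_conf(props_text), parse_conf(transforms_text)
    report = {"missing": [], "index_time": [], "search_time": [], "other": []}
    for stanza, settings in props.items():
        for key, value in settings.items():
            tier = ("index_time" if key.startswith(INDEX_TIME)
                    else "search_time" if key.startswith(SEARCH_TIME) else "other")
            report[tier].append((stanza, key))
            if key.startswith(("TRANSFORMS-", "REPORT-")):   # values are stanza names
                report["missing"] += [(stanza, key, ref.strip()) for ref in value.split(",")
                                      if ref.strip() and ref.strip() not in transforms]
    return report

if __name__ == "__main__":
    for name, rows in audit(SAMPLE_PROPS, SAMPLE_TRANSFORMS).items():
        print(name, rows)
```

To use it on a real add-on, pass in the text of its default/props.conf and default/transforms.conf; any local/ overrides would need to be merged first, which this sketch does not do.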

tlmayes
Contributor

BTW, already tried:

http://docs.splunk.com/Documentation/AddOns/released/Overview/Troubleshootadd-ons.

Even on add-ons that I know are properly installed and working, this reference does not produce the expected results.

0 Karma