Interested in learning a repeatable process of how to validate the installation of an "Add-on"?
Up to now validation has been easy, since installed Add-ons were accompanied by the installation of an App that depended on the add-on. Now I am being requested to install several Splunk developed Add-ons, with no associated Splunk App. Is there a repeatable process for testing, troubleshooting, or validation that the installation of an Add-on was successful?
So that the question is not too broad, some of the Add-ons I am currently working on:
Splunk_TA_sourcefire
Splunk_TA_cisco-asa
Splunk_TA_flowfix
Splunk_TA_modsecurity
Splunk_microsoft-iis
Unless the authors of the app have gone above and beyond the call of duty in the app documentation or a README file (look for this), you have to examine the KOs yourself to see what causes the stuff to trigger at the root. Many apps have a sourcetype that you must set in your dataset. Others have an eventtype or macro that you are free to modify and then all of the stuff that the app does uses that root macro or eventtype.
Hi tlmayaes,
Use this rest command and filter results as you wish:
| rest /services/apps/local
This summarizes all the data regarding your apps.
Hope it helps
Thanks for the response. I should have been more precise in my request...
I need to validate that any newly installed Add-on is doing what it is supposed to be doing according to its props/transforms.conf when installed on remote HF/UFs.
For installation validation, there is an alert on the Forwarders Management page if you are using a Deployment Server. Or you can search the internal index (_internal).
For app functionality, you can search index = _internal. This slide explains it nicely: https://conf.splunk.com/session/2015/conf2015_VEbken_XLi_SplunkClassics_UsingSplunkInternalLogs.pdf
Narrow your searches of the internal index to fit the processor that is tied to props and transforms.
Another way is to check your data and verify the fields are extracted correctly.
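One way to make the advice above repeatable (find the add-on's root sourcetypes, then check that data arrives and that fields are extracted), as an added example that is not part of the original thread or of any Splunk add-on: it reads a props.conf and emits one validation search per sourcetype stanza. The sample props.conf, the function names, and the `index=*` and `-24h` defaults are assumptions.

```python
import re

# Constructed sample standing in for an add-on's default/props.conf (assumption).
SAMPLE_PROPS = r"""
# constructed example, not copied from any real add-on
[example:firewall]
TRANSFORMS-routing = example_set_index
EXTRACT-action = action=(?<action>\w+)\s+proto=(?<proto>\w+)
FIELDALIAS-src = src_ip AS src
[source::.../example_access.log]
sourcetype = example:web
[example:web]
EXTRACT-status = \s(?<status>\d{3})\s
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def expected_fields(settings):
    """Fields that inline EXTRACT-/FIELDALIAS- settings should yield at search time."""
    fields = set()
    for key, value in settings.items():
        if key.startswith("EXTRACT-"):  # named capture groups become fields
            fields.update(re.findall(r"\(\?P?<([A-Za-z_]\w*)>", value))
        elif key.startswith("FIELDALIAS-"):  # "orig AS alias" adds the alias
            fields.update(re.findall(r"\bAS\s+(\S+)", value, flags=re.I))
    return sorted(fields)

def validation_searches(stanzas, index="*", window="-24h"):
    """One SPL check per sourcetype stanza: is data arriving, are fields populated?"""
    searches = {}
    for name, settings in stanzas.items():
        if name == "default" or name.startswith(("source::", "host::")):
            continue  # not a sourcetype stanza
        wanted = " OR ".join(f'field="{f}"' for f in expected_fields(settings))
        searches[name] = (f'index={index} sourcetype="{name}" earliest={window} | head 1000'
                          " | fieldsummary" + (f" | search {wanted}" if wanted else "")
                          + " | table field count distinct_count")
    return searches
```

An empty result from a generated search means either no events of that sourcetype arrived in the window or none of the listed fields were extracted. Settings that point into transforms.conf (REPORT-, TRANSFORMS-) are not resolved by this sketch.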
BTW, already tried:
http://docs.splunk.com/Documentation/AddOns/released/Overview/Troubleshootadd-ons.
Even on add-ons that I know are properly installed and working, this reference does not produce the expected results.