Getting Data In

Uploading Private App in Splunk Cloud

anandhalagaras1
Communicator

Hi All,

My goal is to mask Wineventlog:Security, which will save us from unnecessary license usage.

If we go through the link below, the Saving License section provides more information on how to mask those details:

https://hurricanelabs.com/splunk-tutorials/leveraging-windows-event-log-filtering-and-design-techniq... 

 

So initially I created the private app as per the document provided below:

https://docs.splunk.com/Documentation/SplunkCloud/8.1.2008/User/PrivateApps

i.e. I created a folder named "Splunk_TA_Wineventlog_Props", and inside that folder I created the default directory and the metadata directory.

In the default directory I created app.conf, props.conf and transforms.conf as mentioned in the link below.

https://hurricanelabs.com/splunk-tutorials/leveraging-windows-event-log-filtering-and-design-techniq... 

And in the metadata folder I have created default.meta as well.

Then I zipped the "Splunk_TA_Wineventlog_Props" folder and later converted it from zip to tgz.

After that, when I tried to upload the created app to Splunk Cloud, after the vetting process I got the error "App validation failed to complete".

Unknown failure:  Contact your administrator for  details or try again later.

 

So kindly let me know what I am missing, since I have created and uploaded the app as per the prerequisites. I don't know why I am getting an error message during the vetting process.
0 Karma

richgalloway
SplunkTrust

Did you try again as the message suggested?  If so, what were those results?  Did you or your admin look in the _internal index to see if there are any details (I'm not sure if there would be any, but it's worth looking)?

BTW, *masking* data does not save license.  Masking just replaces some characters with others so the original content is hidden.  

Also, app names beginning with "splunk" should be used only by Splunk itself.  Perhaps this is why vetting failed.  Your names should start with the name of your company.  This will make it easier to identify the source of the app in the future and avoid confusion when your replacement tries to find "Splunk_TA_Wineventlog_Props" on splunkbase.

---
If this reply helps you, Karma would be appreciated.
0 Karma

anandhalagaras1
Communicator

Thank you for your swift response.

As per the Hurricane Labs suggestion in the link below, we are going to stop the ingestion at index time itself if the below keywords are present in the event.

This event is generated

Certificate information is only provided

Token Elevation Type indicates the type

https://hurricanelabs.com/splunk-tutorials/leveraging-windows-event-log-filtering-and-design-techniq...

You can check the Saving License topic in the link mentioned.

And also, as per your advice, I have changed the naming convention of the app so that it starts with my organization name and uploaded the app to Splunk Cloud, but we are still getting the error below.

App Validation Failed - More Info

Unknown failure: Contact your administrator for details or try again later.

And there is no information about the error either. Hence I am stuck here.

0 Karma

richgalloway
SplunkTrust

Consider downloading the AppInspect utility so you can vet your app locally before uploading it to Splunk Cloud.  That should give you better diagnostics than what you're getting now.  See https://dev.splunk.com/enterprise/downloads

Also consider opening a support request with Splunk Cloud so they can look into why your app validation is failing.

---
If this reply helps you, Karma would be appreciated.
0 Karma
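
A local pre-upload check for the package layout described in this thread, as an added example that is not part of any post and not Splunk's own tooling: it confirms the file is a gzip-compressed tar with a single top-level app folder containing default/app.conf and metadata/default.meta, and flags a folder name starting with "splunk". The function names, the rule set and the sample file contents are assumptions for illustration; it does not replace AppInspect.

```python
import io
import tarfile

# Files the poster describes creating inside the app folder (assumed minimum).
REQUIRED = ("default/app.conf", "metadata/default.meta")

def build_package(files):
    """Pack {path: bytes} into an in-memory gzip-compressed tar (.tgz)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, body in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()

def check_package(data):
    """Return a list of problems found in a packaged app; empty means none."""
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
            names = [m.name.removeprefix("./")
                     for m in tar.getmembers() if m.isfile()]
    except (tarfile.TarError, OSError, EOFError):
        # Covers a zip file that was only renamed to .tgz.
        return ["not a gzip-compressed tar archive"]
    problems = []
    if any(n.startswith("/") or ".." in n.split("/") for n in names):
        problems.append("archive contains absolute or parent-relative paths")
    tops = {n.split("/")[0] for n in names}
    if len(tops) != 1:
        return problems + [f"expected one top-level folder, found {sorted(tops)}"]
    app = tops.pop()
    if app.lower().startswith("splunk"):
        # Naming advice given in the reply above.
        problems.append(f"app folder '{app}' starts with 'splunk'")
    for rel in REQUIRED:
        if f"{app}/{rel}" not in names:
            problems.append(f"missing {app}/{rel}")
    return problems

# Constructed sample: the layout from the question under its original name.
SAMPLE = build_package({
    "Splunk_TA_Wineventlog_Props/default/app.conf": b"[launcher]\n",
    "Splunk_TA_Wineventlog_Props/default/props.conf": b"",
    "Splunk_TA_Wineventlog_Props/default/transforms.conf": b"",
    "Splunk_TA_Wineventlog_Props/metadata/default.meta": b"[]\n",
})

if __name__ == "__main__":
    print(check_package(SAMPLE))
```

To check a real file, pass its bytes: `check_package(open("myapp.tgz", "rb").read())`, where `myapp.tgz` is a placeholder name.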