- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Installation
- :
- Best practices on Index and TCP Input creation by ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear All
working with app deployment and installing, and after reading Dev articles
SP-CAAAEMY
SP-CAAAE3H
... and all related
noticed a few things:
the app_name.spl package - installing in a new clean environment - does create both:
1. a new index
2. a new TCP/Input (on a certain port xxxxx - my app makes use of it to get data input )
while the above is great and helps big, I wander if it is invasive a bit, especially:
the second part - TCP input creation on the client's Splunk server. That xxxxx port is a parameter in my solution (software that will feed the App) and can be set to anything.
But also the index creation, as in the "App Certification criteria", article SP-CAAAE3H on dev.splunk,
under "Indexes.conf standards", it is said (quoted):
"Check that the app does not create indexes."
Does this excludes app_name.spl install ? I guess it should be yes, in the sense that index creation is forbidden
during normal app operations, while allowed to create own index[s] during install.
So, my questions in this case would be:
Q1. Is Best practice to Create index on .spl install, or do it not (create manually)?
Q2. Is Best practice to Create TCP input on .spl install, or do it not (create manually)?
Q3. what is the relation of the two above regarding Splunk App Certification process?
thank you very much
best regards
Altin
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Best practice and I believe a requirement now is that you don't create ANY resource-consuming KOs (e.g. index, input, etc.) you supply a setup.xml that the user should be dropped into on first run and he will choose (or not) to create that stuff.
Best practice for TCP inputs is to NOT DO IT AT ALL. This should be done to a syslog HF and then Splunk can pick it up from disk where syslog writes it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Best practice and I believe a requirement now is that you don't create ANY resource-consuming KOs (e.g. index, input, etc.) you supply a setup.xml that the user should be dropped into on first run and he will choose (or not) to create that stuff.
Best practice for TCP inputs is to NOT DO IT AT ALL. This should be done to a syslog HF and then Splunk can pick it up from disk where syslog writes it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much Mr. Woodcock
I am forced to use the TCP Input - at least for now.
So from your answer I got the first rule:
No TCP Input creation on a app_name.spl install!
But what about index creation on the same (app_name.spl install)?
Would that be considered invasive ?
Be a problem in certification?
thank you very much,
best regards
Altin
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you using the Add-on Builder?
https://splunkbase.splunk.com/app/2962/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No Sir
no third parties
only Simple XML
my app is meant to be this way - at least in its initial version.
I think I will satisfy myself with a:
1. Manual Index install
2. Manual TCP Input creation
I might also look to implement both in a setup.xml
Let me ask you one more question please.
I did the following test.
1. Installed app_name.spl (with built-in index creation)
2. populated the app with some data and confirmed data presence
3. delete the app by stop-splunk and delete app-dir in /etc/app
4. after splunk restart I noticed that the index was not present anymore on the GUI
5. installed the same app_name.spl again.
Nothing failed, kind of "index xxxxx already exists" - very good!
after this I noticed in the app that the "old" index data were preserved and during
the install the existing index's data were not erased by a new empty index.
This is very good too, but I need to know:
Is this the always behavior of the .spl install ?
If yes - will this continue in the future
otherwise I think I will go for a manual index create/setup too
thanks and best regards
Altin
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you mean "indexes" in the first sentence rather than "inputs"?
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fixed it, yes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I guess yes, but please indicate the "first sentence"
thanks and regards
Altin
How to Monitor Google Kubernetes Engine (GKE)
Index This | How can you make 45 using only 4?
Splunk Education Goes to Washington | Splunk GovSummit 2024
