Installation

Best practices on Index and TCP Input creation by .spl application package install?

altink
Builder

Dear All

Working with app deployment and installing, and after reading the Dev articles
SP-CAAAEMY
SP-CAAAE3H
... and all related ones,

I noticed a few things:

the app_name.spl package - installing in a new clean environment - does create both:
1. a new index
2. a new TCP input (on a certain port xxxxx - my app makes use of it to get data input)

While the above is great and helps a lot, I wonder if it is a bit invasive, especially:

the second part - TCP input creation on the client's Splunk server. That xxxxx port is a parameter in my solution (software that will feed the App) and can be set to anything.

But also the index creation, as in the "App Certification criteria", article SP-CAAAE3H on dev.splunk,
under "Indexes.conf standards", it is said (quoted):
"Check that the app does not create indexes."
Does this exclude the app_name.spl install? I guess it should be yes, in the sense that index creation is forbidden
during normal app operations, while creating its own index(es) during install is allowed.

So, my questions in this case would be:
Q1. Is it best practice to create the index on .spl install, or not (create it manually)?

Q2. Is it best practice to create the TCP input on .spl install, or not (create it manually)?

Q3. What is the relation of the two above to the Splunk App Certification process?

thank you very much
best regards
Altin


woodcock
Esteemed Legend

Best practice, and I believe a requirement now, is that you don't create ANY resource-consuming KOs (e.g. index, input, etc.); you supply a setup.xml that the user should be dropped into on first run, and he will choose (or not) to create that stuff.

Best practice for TCP inputs is to NOT DO IT AT ALL. This should be done to a syslog HF and then Splunk can pick it up from disk where syslog writes it.

altink
Builder

Thank you very much Mr. Woodcock

I am forced to use the TCP Input - at least for now.

So from your answer I got the first rule:
No TCP input creation on an app_name.spl install!

But what about index creation on the same (app_name.spl install)?
Would that be considered invasive?
Would it be a problem in certification?

thank you very much,
best regards
Altin


woodcock
Esteemed Legend

Are you using the Add-on Builder?
https://splunkbase.splunk.com/app/2962/


altink
Builder

No, Sir.

No third parties,
only Simple XML.

My app is meant to be this way - at least in its initial version.

I think I will satisfy myself with:
1. Manual Index install
2. Manual TCP Input creation

I might also look to implement both in a setup.xml

Let me ask you one more question please.
I did the following test.
1. Installed app_name.spl (with built-in index creation).
2. Populated the app with some data and confirmed data presence.
3. Deleted the app by stopping Splunk and deleting the app dir in /etc/app.
4. After the Splunk restart I noticed that the index was not present anymore in the GUI.
5. Installed the same app_name.spl again.
Nothing failed, no kind of "index xxxxx already exists" - very good!

After this I noticed in the app that the "old" index data were preserved, and during
the install the existing index's data were not erased by a new empty index.
This is very good too, but I need to know:

Is this always the behavior of the .spl install?
If yes, will this continue in the future?

Otherwise I think I will go for a manual index create/setup too.

thanks and best regards
Altin


richgalloway
SplunkTrust

Did you mean "indexes" in the first sentence rather than "inputs"?


woodcock
Esteemed Legend

Fixed it, yes.


altink
Builder

I guess yes, but please indicate the "first sentence".

thanks and regards
Altin
