Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Add-on Not Working on Splunk Cloud

doeh
Observer
‎11-23-2024 12:40 PM

Hello,

I need help regarding an add-on which I built. This add-on was build using the Splunk Add-on Builder and it passed all the tests and can be installed on Splunk Enterprise and also on a single instance on Splunk Cloud. However, when it is installed on a cluster it does not work properly.

The add-on when installed is supposed to create some CSVs files and store those in the add. However, when it is installed on a cluster splunk environment, it suddenly will not create the CSVs file and just do not download the files it was supposed to download.

Any help or advise is welcome please.
This is the add-on below.
https://classic.splunkbase.splunk.com/app/7002/#/overview

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎11-24-2024 10:57 PM

@doeh- I checked your App code and apparently you have many hard-coded paths in the code, which will not work in the clustered environment and specifically in the search-head-clustered environment.

VatsalJagani_0-1732517569206.png

 

This is not recommended, hence use Splunk rest endpoints for all the file modifications:

  • Lookups can be updated/created with rest endpoint
  • Do not use hard-coded splunk home path (/opt/splunk/)  with this import statement (from splunk.clilib.bundle_paths import make_splunkhome_path)
  • and so on.

 

I hope this helps!!! Kindly upvote if it helps!!!

0 Karma
Reply

doeh
Observer
‎11-26-2024 06:39 AM

Thank you so much for your response. However, I did it this way because I wanted to bypass ingesting logs into Splunk index and just collect it as lookup which anyone can use later on.

Also, it was working previously until Splunk upgrade and I had to upgrade the add-on. So, I do not understand why it was working previously and then stop working.

 

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎11-28-2024 12:35 AM

@doeh  - You don't need to ingest the logs, just directly modify the lookup but with the help of rest endpoints instead of modifying file. The below document has methods that you can use.

https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTknowledge#data.2Flookup-table-files....

 

I cannot tell what change has happen after Upgrade, but what I can certainly tell you is direct file modification is not recommended practice and it will not work in Search Head Cluster for sure. So, its a good idea to switch to better approach.

 

I hope this helps! Kindly upvote if it does!!!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...