Splunk Dev

Add-on Not Working on Splunk Cloud

doeh
Observer

Hello,

I need help regarding an add-on which I built. This add-on was built using the Splunk Add-on Builder and it passed all the tests and can be installed on Splunk Enterprise and also on a single instance on Splunk Cloud. However, when it is installed on a cluster it does not work properly.

The add-on, when installed, is supposed to create some CSV files and store those in the add. However, when it is installed on a clustered Splunk environment, it suddenly will not create the CSV files and just does not download the files it was supposed to download.

Any help or advice is welcome please.
This is the add-on below.
https://classic.splunkbase.splunk.com/app/7002/#/overview

0 Karma

VatsalJagani
SplunkTrust

@doeh - I checked your App code and apparently you have many hard-coded paths in the code, which will not work in the clustered environment and specifically in the search-head-clustered environment.


This is not recommended, hence use Splunk REST endpoints for all the file modifications:

  • Lookups can be updated/created with a REST endpoint
  • Do not use a hard-coded Splunk home path (/opt/splunk/) with this import statement (from splunk.clilib.bundle_paths import make_splunkhome_path)
  • and so on.


I hope this helps!!! Kindly upvote if it helps!!!

0 Karma

doeh
Observer

Thank you so much for your response. However, I did it this way because I wanted to bypass ingesting logs into a Splunk index and just collect it as a lookup which anyone can use later on.

Also, it was working previously until the Splunk upgrade and I had to upgrade the add-on. So, I do not understand why it was working previously and then stopped working.


0 Karma

VatsalJagani
SplunkTrust

@doeh - You don't need to ingest the logs, just directly modify the lookup but with the help of REST endpoints instead of modifying the file. The below document has methods that you can use.

https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTknowledge#data.2Flookup-table-files....


I cannot tell what change has happened after the upgrade, but what I can certainly tell you is that direct file modification is not a recommended practice and it will not work in a Search Head Cluster for sure. So, it's a good idea to switch to the better approach.


I hope this helps! Kindly upvote if it does!!!

0 Karma
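As an added illustration of the approach recommended in this thread (example code written for this page, not code from the original add-on or from Splunk), the snippet below resolves paths under the Splunk install root without hard-coding /opt/splunk and registers a staged CSV through the data/lookup-table-files endpoint linked above. The base URL, owner, app, lookup name and token are constructed placeholders; the fallback to the SPLUNK_HOME environment variable when make_splunkhome_path is not importable is an assumption made so the code also runs outside Splunk.

```python
import os
import urllib.parse
import urllib.request

# Staging directory the lookup-table-files endpoint reads uploads from.
LOOKUP_TMP = ("var", "run", "splunk", "lookup_tmp")


def splunkhome_path(parts, home=None):
    """Join path parts under the Splunk install root, never a literal /opt/splunk.

    Inside Splunk, make_splunkhome_path resolves the real root on every
    search head; outside Splunk (assumption) fall back to `home` or $SPLUNK_HOME.
    """
    try:
        from splunk.clilib.bundle_paths import make_splunkhome_path
        return make_splunkhome_path(list(parts))
    except ImportError:
        root = home or os.environ["SPLUNK_HOME"]  # KeyError is deliberate: no silent default
        return os.path.normpath(os.path.join(root, *parts))


def stage_lookup_csv(rows, filename, home=None):
    """Write CSV rows into lookup_tmp, the only location the endpoint accepts."""
    path = splunkhome_path(LOOKUP_TMP + (filename,), home)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", newline="") as fh:
        fh.write("\n".join(",".join(r) for r in rows) + "\n")
    return path


def lookup_request(base_url, owner, app, name, staged_path, update=False):
    """Build the POST that creates (or, with update=True, replaces) a lookup.

    Create:  POST /servicesNS/<owner>/<app>/data/lookup-table-files  name=..&eai:data=..
    Update:  POST /servicesNS/<owner>/<app>/data/lookup-table-files/<name>  eai:data=..
    """
    url = f"{base_url}/servicesNS/{owner}/{app}/data/lookup-table-files"
    fields = {"eai:data": staged_path}
    if update:
        url += "/" + urllib.parse.quote(name, safe="")
    else:
        fields["name"] = name
    return url, urllib.parse.urlencode(fields).encode()


def upload_lookup(base_url, token, owner, app, name, staged_path, update=False):
    """Send the request; `token` is a Splunk authentication token (placeholder)."""
    url, body = lookup_request(base_url, owner, app, name, staged_path, update)
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

Because the file is handed to splunkd rather than dropped into an app's lookups directory, the resulting lookup is owned by the knowledge-object layer and gets replicated across a search head cluster like any other lookup.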