Splunk Dev

Add-on Not Working on Splunk Cloud

doeh
Observer

Hello,

I need help regarding an add-on which I built. This add-on was built using the Splunk Add-on Builder and it passed all the tests and can be installed on Splunk Enterprise and also on a single instance on Splunk Cloud. However, when it is installed on a cluster it does not work properly.

The add-on, when installed, is supposed to create some CSV files and store those in the add-on. However, when it is installed on a clustered Splunk environment, it suddenly will not create the CSV files and just does not download the files it was supposed to download.

Any help or advice is welcome please.
This is the add-on below.
https://classic.splunkbase.splunk.com/app/7002/#/overview

0 Karma

VatsalJagani
SplunkTrust

@doeh- I checked your App code and apparently you have many hard-coded paths in the code, which will not work in the clustered environment and specifically in the search-head-clustered environment.


This is not recommended, hence use Splunk REST endpoints for all the file modifications:

  • Lookups can be updated/created with the REST endpoint
  • Do not use a hard-coded Splunk home path (/opt/splunk/) with this import statement (from splunk.clilib.bundle_paths import make_splunkhome_path)
  • and so on.

 

I hope this helps!!! Kindly upvote if it helps!!!

0 Karma

doeh
Observer

Thank you so much for your response. However, I did it this way because I wanted to bypass ingesting logs into a Splunk index and just collect them as a lookup which anyone can use later on.

Also, it was working previously until the Splunk upgrade, and I had to upgrade the add-on. So, I do not understand why it was working previously and then stopped working.

0 Karma

VatsalJagani
SplunkTrust

@doeh - You don't need to ingest the logs, just directly modify the lookup, but with the help of REST endpoints instead of modifying the file. The document below has methods that you can use.

https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTknowledge#data.2Flookup-table-files....

 

I cannot tell what change has happened after the upgrade, but what I can certainly tell you is that direct file modification is not a recommended practice and it will not work in a Search Head Cluster for sure. So, it's a good idea to switch to a better approach.

I hope this helps! Kindly upvote if it does!!!

0 Karma
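
The following sketch illustrates the approach recommended in the answers above; it is an added example, not code from the add-on or from either poster. It resolves the lookup staging directory with `make_splunkhome_path` instead of a hard-coded path and builds the POST to the `data/lookup-table-files` endpoint from the linked REST reference. The app name, file name, rows, splunkd URI and the fallback helper used outside Splunk are assumptions made for the example.

```python
import csv, os, tempfile
import urllib.parse, urllib.request

try:  # real helper, importable only under Splunk's bundled Python
    from splunk.clilib.bundle_paths import make_splunkhome_path
except ImportError:  # stand-in (assumption) so the example runs outside Splunk
    def make_splunkhome_path(parts):
        home = os.environ.get("SPLUNK_HOME", tempfile.gettempdir())
        return os.path.join(home, *parts)

STAGING = ["var", "run", "splunk", "lookup_tmp"]  # lookup staging area

def safe_name(filename):
    # Reject path separators and traversal so callers cannot escape staging
    if filename != os.path.basename(filename) or not filename.endswith(".csv"):
        raise ValueError("lookup name must be a bare .csv file name")
    return filename

def stage_lookup(filename, header, rows):
    # Write the CSV under $SPLUNK_HOME's staging area, resolved at run time
    staging_dir = make_splunkhome_path(STAGING)
    os.makedirs(staging_dir, exist_ok=True)
    path = os.path.join(staging_dir, safe_name(filename))
    with open(path, "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(header)
        writer.writerows(rows)
    return path

def build_lookup_request(splunkd_uri, session_key, app, filename, staged_path, exists=False):
    # Create: POST name + eai:data to the collection; update: POST eai:data to the entity
    url = f"{splunkd_uri}/servicesNS/nobody/{urllib.parse.quote(app)}/data/lookup-table-files"
    fields = {"eai:data": staged_path}
    if exists:
        url += "/" + urllib.parse.quote(safe_name(filename))
    else:
        fields["name"] = safe_name(filename)
    body = urllib.parse.urlencode(fields).encode()
    return urllib.request.Request(url, data=body, method="POST",
                                  headers={"Authorization": f"Splunk {session_key}"})

if __name__ == "__main__":
    # Constructed sample data; "my_addon" and the session key are placeholders
    path = stage_lookup("example_feed.csv", ["indicator", "type"], [["198.51.100.7", "ip"]])
    req = build_lookup_request("https://127.0.0.1:8089", "<session key>", "my_addon",
                               "example_feed.csv", path)
    print(req.get_method(), req.full_url)  # send with urllib.request.urlopen(req)
```

The staged file and the REST call must be on the same Splunk instance, because `eai:data` names a path on the node that handles the request.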