Help with App to get approved over Splunk Cloud

PratikPashte
Explorer

I have a vendor whose application is not yet supported on Splunk Cloud but can be installed on a HF.

I thought I would check what error I get after uploading the app, so that if possible I can tweak it and get it approved.

After uploading I got the failure summary below. I need help understanding the error and, if possible, getting it resolved.

I have followed the dev guide below as well, but could not get a proper understanding of what would resolve the error.

[ Failure Summary ]
Failures will block the Cloud Vetting. They must be fixed.
check_pretrained_sourcetypes_have_only_allowed_transforms
Only TRANSFORMS- or SEDCMD options are allowed for pretrained sourcetypes. File: default/props.conf Line Number: 3

Dev Guide: https://dev.splunk.com/enterprise/docs/reference/splunkappinspectcheck/


PratikPashte
Explorer

Hi Rich,

Please find the below line,


[syslog]
TIME_PREFIX = (?:^.*Centrify.*whenoccurreddate=|^.*?)
TRANSFORMS-centrify_cisp_syslog_transforms = centrify_cisp_syslog_regex

 

And the transforms.conf file below,

[centrify_cisp_headers]
REGEX = .*\d{1,2}\:\d{1,2}\:\d{1,2}\.*?\s(?<system>[^\s]*)\s+.*INFO\s+(?<product>(?:[^|\\]|(?:\\{2})|\\\|)+)\|(?<category>(?:[^|\\]|(?:\\{2})|\\\|)+)\|(?<eventname>(?:[^|\\]|(?:\\{2})|\\\|)+)

[centrify_cisp_syslog_regex]
REGEX = .*Centrify.*whenoccurreddate=.*
FORMAT = sourcetype::centrify_cisp_syslog
DEST_KEY = MetaData:Sourcetype


richgalloway
SplunkTrust
SplunkTrust

Per the error message, "Only TRANSFORMS- or SEDCMD options are allowed for pretrained sourcetypes", but you have TIME_PREFIX. Either get rid of TIME_PREFIX or use a custom sourcetype.

---
If this reply helps you, Karma would be appreciated.
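Added example, not code from the thread or from Splunk's AppInspect: a small Python check that applies the rule quoted in the error message to a props.conf. The pretrained sourcetype list is a constructed partial sample, and the two inputs are the stanza from the question (with a comment line added so the offending option lands on line 3, as in the report) and the same stanza renamed to a custom sourcetype.

```python
import re

# Constructed partial sample of Splunk pretrained sourcetypes; AppInspect
# checks against its own full list.
PRETRAINED = {"syslog", "access_combined", "access_combined_wcookie", "linux_secure"}

# Option prefixes that a pretrained sourcetype stanza may carry.
ALLOWED_PREFIXES = ("TRANSFORMS-", "SEDCMD")

# props.conf from the question (constructed copy; comment line added).
PROPS_BEFORE = """# Centrify props.conf
[syslog]
TIME_PREFIX = (?:^.*Centrify.*whenoccurreddate=|^.*?)
TRANSFORMS-centrify_cisp_syslog_transforms = centrify_cisp_syslog_regex
"""

# Same settings under a custom sourcetype, as suggested in the reply.
PROPS_AFTER = PROPS_BEFORE.replace("[syslog]", "[centrify_syslog]")


def check_props(text):
    """Return [(line_no, stanza, key)] for every option under a pretrained
    sourcetype stanza that is not a TRANSFORMS-/SEDCMD option."""
    failures = []
    stanza = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            stanza = m.group(1)
            continue
        if stanza is None or "=" not in line:
            continue
        # Split on the first '=' only: regex values may contain '=' themselves.
        key = line.split("=", 1)[0].strip()
        if stanza in PRETRAINED and not key.startswith(ALLOWED_PREFIXES):
            failures.append((line_no, stanza, key))
    return failures


if __name__ == "__main__":
    print("before:", check_props(PROPS_BEFORE))  # flags TIME_PREFIX on line 3
    print("after: ", check_props(PROPS_AFTER))   # custom stanza: no failures
```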

PratikPashte
Explorer

Hi Rich,

I can remove the time prefix, but then I would not get the "when occurred" date field, which is needed.

When you say custom sourcetype, you mean a separate stanza in props.conf and an associated regex under the transforms.conf file, right?

Like props would look like this,

[cp_centrify_syslog]
TRANSFORMS-cp_centrify_cisp_syslog_transforms = cp_centrify_cisp_syslog_regex

[syslog]
TRANSFORMS-centrify_cisp_syslog_transforms = centrify_cisp_syslog_regex


And transform would look like this,

[cp_centrify_cisp_syslog_regex]
REGEX = (?:^.*Centrify.*whenoccurreddate=|^.*?)
FORMAT = sourcetype::centrify_cisp_syslog

[centrify_cisp_syslog_regex]
REGEX = .*Centrify.*whenoccurreddate=.*
FORMAT = sourcetype::centrify_cisp_syslog
DEST_KEY = MetaData:Sourcetype

Does this need to be done?

Thank you for your help.


richgalloway
SplunkTrust
SplunkTrust

By "custom sourcetype" I was thinking of something a little simpler.

In props.conf replace [syslog] with [centrify_syslog] then have all syslog data from Centrify specify the new sourcetype.

---
If this reply helps you, Karma would be appreciated.

PratikPashte
Explorer

I guess this worked; the only thing I now need to figure out is below.

I cannot do this, 

$SPLUNK_HOME/bin/splunk package app <APP_NAME>

As I am on Splunk Cloud I don't have access to the box, and I'm not sure whether this can be done on the deployment server. Also, Splunk recommends 644 for all files outside of bin/ and 755 for all directories and files in the bin/ directory; that is already in place, but I'm not sure whether Windows is still messing with the permissions...

[ Failure Summary ]
Failures will block the Cloud Vetting. They must be fixed.
check_for_bin_files
This file has execute permissions for owners, groups, or others. File: test
This file has execute permissions for owners, groups, or others. File: license-eula.txt
This file has execute permissions for owners, groups, or others. File: README.md
This file has execute permissions for owners, groups, or others. File: default/inputs.conf.example
This file has execute permissions for owners, groups, or others. File: default/app.conf


richgalloway
SplunkTrust
SplunkTrust

Yes, you should be able to package the app on the DS.  Packaging on a Windows box, however, will cause the app to fail AppInspect because of the permissions settings.  If you package on Windows, you'll need to transfer the package to a Linux machine, extract the files, change permissions, then re-tar the package.

---
If this reply helps you, Karma would be appreciated.
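Added example, not code from the thread or from Splunk: a Python helper that reports files outside bin/ carrying an execute bit (the condition behind check_for_bin_files) and then applies the 644/755 layout Splunk recommends, so a package built on Windows can be corrected on a Linux box before re-tarring. The sample app layout it builds in a temp directory is constructed for the example.

```python
import os
import stat
import tempfile

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def _in_bin(rel_root):
    """True when rel_root (relative to the app root) is bin/ or below it."""
    return rel_root == "bin" or rel_root.startswith("bin" + os.sep)


def check_app_perms(app_dir):
    """Return sorted relative paths of files outside bin/ with any execute bit set."""
    offenders = []
    for root, _dirs, files in os.walk(app_dir):
        rel_root = os.path.relpath(root, app_dir)
        if _in_bin(rel_root):
            continue
        for name in files:
            if os.stat(os.path.join(root, name)).st_mode & EXEC_BITS:
                offenders.append(os.path.normpath(os.path.join(rel_root, name)))
    return sorted(offenders)


def fix_app_perms(app_dir):
    """Apply 755 to every directory and to files under bin/, 644 to all other files."""
    for root, _dirs, files in os.walk(app_dir):
        os.chmod(root, 0o755)
        file_mode = 0o755 if _in_bin(os.path.relpath(root, app_dir)) else 0o644
        for name in files:
            os.chmod(os.path.join(root, name), file_mode)


def build_sample_app():
    """Constructed sample app mimicking the failures reported in the thread."""
    app = tempfile.mkdtemp(prefix="sample_app_")
    for rel, mode in [("README.md", 0o755), ("default/app.conf", 0o755),
                      ("default/props.conf", 0o644), ("bin/script.py", 0o755)]:
        path = os.path.join(app, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("# sample\n")
        os.chmod(path, mode)
    return app


def run_demo():
    """Return (offenders before fix, offenders after fix) for the sample app."""
    app = build_sample_app()
    before = check_app_perms(app)
    fix_app_perms(app)
    return before, check_app_perms(app)
```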

PratikPashte
Explorer

I did that: took the package to Linux, extracted it, made the changes, and repackaged it.

But still getting same error although the permissions are as per requirement.

I will now try to use the splunk app package utility; to do so, I just need validation of the steps to follow.

Place the app (.tgz file or extracted package?) under $SPLUNK_HOME/etc/apps, then to go under,

$SPLUNK_HOME/bin/ and to run below command right?

splunk package app <APP_NAME>

and the app will output to $SPLUNK_HOME/etc/system/static/app-packages

Thank you in advance.


richgalloway
SplunkTrust
SplunkTrust

Yes, those are the steps.

---
If this reply helps you, Karma would be appreciated.

PratikPashte
Explorer

Hi @richgalloway 

Thank you for all your help.

I actually changed the permissions of the files listed in the report to 644 and it worked.

Rather than changing the directory permissions recursively, I changed only the required file permissions.

I did not need to use that tool, but I guess in future using splunk package app would make sense rather than changing each file's permissions to get this working.

Last question..

Now that I have added a custom sourcetype to the props.conf file, replacing syslog, I will be taking that data from a syslog server.

So I should add that sourcetype on the syslog server side, and I will get the same since I am going to install that app on Splunk Cloud, right?

If possible, some information about the workflow from the app's custom sourcetype to Splunk Cloud would be a great help.


richgalloway
SplunkTrust
SplunkTrust

Yes, the custom sourcetype must be referenced on the syslog server so Splunk knows to apply that sourcetype to the data.

Submit your custom app to Splunk Cloud by going to the App Management page in your SC instance. Then select the Uploaded Apps tab and click the Upload App button. Provide your splunk.com credentials (those you use for Splunkbase) and choose the file to upload. Splunk will automatically run AppInspect and let you know the results. If the app passes AppInspect there will be a link you can click to install the app; otherwise, review the results to see why the app failed.

---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust
SplunkTrust

Please share lines #1-3 from the app's props.conf file.

---
If this reply helps you, Karma would be appreciated.