Splunk Enterprise

How do I install an app outside the Splunk instance from the REST API?

Emilio
Explorer

The API reference mentions how to install an app that is already local to the Splunk instance with apps/local.

We can already upload an app manually in the Web console by going to Apps -> Manage Apps -> Install App from File.

However, for detection-as-code purposes, I need to be able to do that in a programmatic way, using an API, for CI/CD purposes. I have seen no documented way to do that, which can't be true. Surely if we can do that from the web console, there is a way to do that programmatically using an API.

How do I install an app outside the Splunk instance from the REST API?

Thanks 🙂


richgalloway
SplunkTrust

Does it have to be via REST API?  If not, you can use the ACS API to install and manage apps.  See https://docs.splunk.com/Documentation/SplunkCloud/9.2.2406/Config/ACSreqs

---
If this reply helps you, Karma would be appreciated.


Emilio
Explorer

Thanks, using the ACS-cli, I was able to deploy my app to my Splunk Cloud Platform instance.

For reference, here is a PowerShell code snippet to deploy such an app:

```powershell
# Set up splunk account for app validation with appinspect.splunk.com
$env:SPLUNK_USERNAME = "username@email.com"
$env:SPLUNK_PASSWORD = (Get-Credential -Message a -UserName a).GetNetworkCredential().Password
acs.exe config add-stack <nameofthestack> --target-sh <nameofsearchhead>
acs.exe config use-stack <nameofthestack> --target-sh <nameofsearchhead>
acs.exe login
acs.exe --verbose apps install private --acs-legal-ack Y --app-package .\path\to\my-custom-app-latest.tar.gz
```
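
An added example, not part of the original posts and not Splunk's own code: a CI wrapper around the acs.exe commands shown above that records what is deployed and fails the pipeline when any step fails. The parameter names and the Invoke-Acs helper are hypothetical; it assumes a fresh runner, SPLUNK_USERNAME and SPLUNK_PASSWORD injected from the CI secret store, an acs.exe login step that can complete without a prompt, and an acs.exe that signals failure with a non-zero exit code.

```powershell
# Added example: CI wrapper around the acs.exe calls from the post above.
# $Stack, $SearchHead, $Package and Invoke-Acs are hypothetical names.
param(
    [Parameter(Mandatory)] [string] $Stack,
    [Parameter(Mandatory)] [string] $SearchHead,
    [Parameter(Mandatory)] [string] $Package
)

$ErrorActionPreference = 'Stop'

# The AppInspect credentials must come from the pipeline's secret store,
# never from the repository or the script itself.
foreach ($name in 'SPLUNK_USERNAME', 'SPLUNK_PASSWORD') {
    if (-not [Environment]::GetEnvironmentVariable($name)) {
        throw "Environment variable $name is not set; inject it from the CI secret store."
    }
}

# Resolve the package (throws if it is missing) and log its digest so the
# build log shows exactly which artifact was pushed to the stack.
$pkg = Get-Item -LiteralPath $Package
$sha256 = (Get-FileHash -LiteralPath $pkg.FullName -Algorithm SHA256).Hash
Write-Host "Deploying $($pkg.Name) sha256=$sha256"

# By default a non-zero exit code from a native command does not stop a
# PowerShell script, so check $LASTEXITCODE after every acs.exe call.
function Invoke-Acs {
    param([Parameter(Mandatory)] [string[]] $Arguments)
    & acs.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "acs.exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Same sequence as in the post: register the stack, select it, log in, install.
Invoke-Acs @('config', 'add-stack', $Stack, '--target-sh', $SearchHead)
Invoke-Acs @('config', 'use-stack', $Stack, '--target-sh', $SearchHead)
Invoke-Acs @('login')
Invoke-Acs @('--verbose', 'apps', 'install', 'private', '--acs-legal-ack', 'Y',
             '--app-package', $pkg.FullName)
```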


Emilio
Explorer

Thanks for the reply. I'll check this out and report back!


isoutamo
SplunkTrust

Based on the group where you have put this question, you are doing this on Splunk Enterprise, not in Splunk Cloud? ACS works only with Cloud, not with Enterprise.

In Enterprise you need to have CLI access to the node and then you can script it. E.g. Ansible is a good tool to manage installations. You could have a control node where you get packages/apps from git and then install those with ansible-play.

Emilio
Explorer

I'm sorry, I think I put it in the wrong place. We're using Splunk Cloud, so this solution (ACS) will probably work. I'll update when I have worked on it to confirm it works for my needs.

isoutamo
SplunkTrust

Yes, if you are using SCP, then ACS is your selection to do this.

There is also a Terraform connector to do this kind of stuff, if that is a familiar tool for you.

And if you are a partner, then there is a presentation given a couple of years ago at GPS which gives you an excellent framework to manage clients' SCP environments.
