Splunk Enterprise

update transforms.conf and props.conf from an app

wowbaggerHU
Path Finder

Dear Members,

I have a use case where I would need to update or insert configuration to transforms.conf, props.conf and outputs.conf. I was told that it is possible to do this via creating an app.

That would make it easier for users to make the necessary changes, instead of doing it via the error-prone manual procedure.

Nevertheless, I haven't come across any documentation that would illustrate and explain how to do it.
Does someone have any experience with that? Or perhaps can someone point me to the relevant documentation?

Thanks in advance!

0 Karma
1 Solution

wowbaggerHU
Path Finder

We took a few steps and looked at how the config files worked.
It seemed as if the content of the different config types was virtually merged (each type of config with its own kind).
Therefore we reasoned that we could use the settings we were setting up via the GUI for the forwarder, and use our outputs.conf from the app, to add/override the settings we needed, and it turned out that this approach works!

So now we have the possibility to set up the forwarding via the Web UI, and also have those settings augmented with our own extra settings.

This seems to solve our initial problem.


0 Karma

wowbaggerHU
Path Finder

@livehybrid and @isoutamo

Thanks for both of your answers!
I more or less know what I need to put in those files, so have that part figured out already.
Yes, as far as my understanding goes, the app is supposed to go on a heavy forwarder node.
We have no plans in place for using a deployment server. For the initial POC phase, I believe that adding the app as a simple zip file would suffice.

As for outputs.conf, is it possible to somehow dynamically generate its content? I mean, to ask the user for a hostname or IP address, and then use that value for the server value.

I will try adding my configs to the app, and will report back in a few days.

Now looking at the page https://dev.splunk.com/enterprise/docs/developapps/extensionpoints
It does mention props.conf and transforms.conf, but there seems to be no mention of outputs.conf.
Is it possible to have an outputs.conf in the app, and force Splunk to somehow use it regardless of not being present in the list above?

0 Karma

isoutamo
SplunkTrust

Usually there is only one outputs.conf file. It defines where those events are sent. If/when the next step is your indexer cluster then the easiest way is to use the indexer discovery feature (see docs.splunk.com). If the next step is another intermediate forwarder or individual indexer(s) then just add those there. See more in the outputs.conf definition. I propose that you make a separate app, which contains just this outputs.conf and other recommended conf files.

If you are packing those apps into zip files, then you must extract those back into correct directory hierarchy in …/etc/apps folder.

wowbaggerHU
Path Finder

I remember being able to install apps from a zip file from the web GUI on physical Splunk installations.

On the other hand, I got an idea. It may be a stupid question, but is it possible to configure a tcpout output on the Splunk web UI? If yes, then there is no need for a separate second app. Then I would only need to add the transforms and props configs, and have the users configure the tcpout on their own, and that's it.

Just to give you an idea, I want to package something similar to the SC4S heavy forwarder configs described here: https://splunk.github.io/splunk-connect-for-syslog/main/sources/vendor/Splunk/heavyforwarder/

0 Karma

isoutamo
SplunkTrust

You can add base forwarding (forward all events) to a target host with the GUI. But if/when you need to send only some events to that target and others to another target then you must do it with conf files.
Anyhow, I strongly recommend you do this kind of base configuration with apps! In that way those are much easier to admin, especially in larger environments. Also your auditors etc. are happier when you are fulfilling their requirements.

0 Karma

livehybrid
Influencer

Hi @wowbaggerHU 

How you create an app would ultimately depend on what your architecture looks like. 

As well as props/transforms, you mentioned that you are looking to make changes to outputs.conf. Is this app to go on a heavy forwarder?

If so, are you deploying via a deployment server?

Ultimately an app in Splunk can be as simple as a folder structure with specific files; your simple app might look like this:

  • $SPLUNK_HOME/
    • etc/
      • apps/
        • yourAppName/
          • local/
            • props.conf
            • transforms.conf
            • outputs.conf

If you need to deploy this app via a deployment server then you would put the app in $SPLUNK_HOME/etc/deployment-apps and then configure the deployment server configuration to deploy it to your instance(s).

Check out the following useful pages on options for the relevant conf files you are looking to create:
Props - https://docs.splunk.com/Documentation/Splunk/9.4.1/Admin/Propsconf
Transforms - https://docs.splunk.com/Documentation/Splunk/9.4.1/Admin/Transformsconf
Outputs - https://docs.splunk.com/Documentation/Splunk/9.4.1/Admin/Outputsconf

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will


wowbaggerHU
Path Finder

I tried putting my props.conf and transforms.conf in $SPLUNK_HOME/etc/apps/yourAppName/local/ but the settings don't seem to take effect for some reason.

I created a tcpout destination from the web UI, but it nevertheless tries to send stuff over S2S, disregarding the things I've set in transforms.conf.


Though I have to admit, I need to have something like this in the outputs.conf:

# Because the audit trail is protected and we can't transform it, we cannot use default; we must use tcp_routing
[tcpout]
defaultGroup = NoForwarding

[tcpout:nexthop]
server = localhost:9000
sendCookedData = false

But if I set up the destination from the Forwarding and receiving page, then I get something like this:


[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = localhost:9000

[tcpout-server://localhost:9000]


0 Karma
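The two outputs.conf snippets above (the one the app needs and the one the Forwarding and receiving page generates) end up layered by Splunk's configuration precedence rather than replacing each other. The following script is an added example, not code from the thread or from Splunk; it models the documented global-context precedence (etc/system/local first, then each app's local, then each app's default, then etc/system/default, with apps ranked in ASCII order of their directory names) and reports which file supplied each setting. The app name "yourAppName", the alternative name "A_routing" and the path the GUI writes its copy to are assumptions; on a real instance the check is `splunk btool outputs list --debug`, which prints the same winner-per-setting view from the files actually on disk.

```python
"""Simulate Splunk .conf layering for outputs.conf (added example, not from the thread)."""
import re
from collections import OrderedDict

# Paths relative to $SPLUNK_HOME; only the directories that take part in layering.
PATH_RE = re.compile(
    r"^etc/(system/(local|default)|apps/([^/]+)/(local|default))/[^/]+\.conf$"
)

# Constructed from the thread: the app's routing-oriented outputs.conf.
APP_OUTPUTS = """\
# Because the audit trail is protected and we can't transform it, default to no forwarding
[tcpout]
defaultGroup = NoForwarding

[tcpout:nexthop]
server = localhost:9000
sendCookedData = false
"""

# Constructed from the thread: what the Forwarding and receiving page generates.
GUI_OUTPUTS = """\
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = localhost:9000

[tcpout-server://localhost:9000]
"""


def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}, keeping order and empty stanzas."""
    stanzas = OrderedDict()
    current = ""  # keys before any [stanza] header land in the "" stanza
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, OrderedDict())
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, OrderedDict())[key.strip()] = value.strip()
    return stanzas


def rank(path):
    """Precedence key: lower wins. Tier 0 system/local, 1 app local, 2 app default, 3 system/default.
    Within a tier, apps are ordered by ASCII order of their directory name (A before Z)."""
    m = PATH_RE.match(path)
    if not m:
        raise ValueError(f"not a layered conf path: {path}")
    if m.group(1).startswith("system/"):
        return (0 if m.group(2) == "local" else 3, "")
    app, sub = m.group(3), m.group(4)
    return (1 if sub == "local" else 2, app)


def layer(files):
    """Merge {path: text}. Returns (merged stanzas, provenance {(stanza, key): winning path})."""
    merged, provenance = OrderedDict(), {}
    # Apply the lowest-precedence file first so higher-precedence files overwrite it.
    for path in sorted(files, key=rank, reverse=True):
        for stanza, settings in parse_conf(files[path]).items():
            merged.setdefault(stanza, OrderedDict())
            for key, value in settings.items():
                merged[stanza][key] = value
                provenance[(stanza, key)] = path
    return merged, provenance


def layer_outputs(app_name, gui_path):
    """Layer the app's outputs.conf against the GUI-written copy at an assumed path."""
    files = {f"etc/apps/{app_name}/local/outputs.conf": APP_OUTPUTS, gui_path: GUI_OUTPUTS}
    return layer(files)


def report(merged, provenance):
    """One line per effective setting, naming the file it came from (the btool --debug view)."""
    lines = []
    for stanza, settings in merged.items():
        lines.append(f"[{stanza}]")
        for key, value in settings.items():
            lines.append(f"  {key} = {value}    <- {provenance[(stanza, key)]}")
    return lines


if __name__ == "__main__":
    # Assumed GUI target paths; the real one must be confirmed with btool on the forwarder.
    for app, gui in [("yourAppName", "etc/system/local/outputs.conf"),
                     ("yourAppName", "etc/apps/search/local/outputs.conf"),
                     ("A_routing", "etc/apps/search/local/outputs.conf")]:
        print(f"\n== app {app}, GUI copy at {gui} ==")
        print("\n".join(report(*layer_outputs(app, gui))))
```

The stanzas from both files survive in every scenario, which is the merging behaviour the accepted answer relies on; the single contested key is `[tcpout] defaultGroup`, and which file wins depends only on where the GUI copy sits and on the app's name. A defaultGroup silently resolved from the wrong file means events are either forwarded to a destination the app meant to suppress or dropped, so the per-setting provenance is the thing to review after installing the app.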

isoutamo
SplunkTrust

You cannot set it up like the 1st example with the GUI. It always sets the default output, which must be some other Splunk instance. When you want to set the default to devNull you must do it with conf files.


isoutamo
SplunkTrust

Hi

You should start with dev.splunk.com, where it is described how to create an app. That documentation is the base for understanding app development for Splunk.

Then there is https://docs.splunk.com/Documentation/Splunk/9.4.1/AdvancedDev/Whatsinthismanual where you can find more information.

Also conf.splunk.com contains a lot of good presentations. Personally I haven't used YouTube.com for Splunk, but there should be something about this there too.

For details about props.conf and transforms.conf you can find https://docs.splunk.com/Documentation/Splunk/9.4.1/Admin/Propsconf

With Google you will find a lot of other sources too.

r. Ismo
