I'm running Splunk for Enterprise 7.3.0 on Ubuntu 18.04 doing a demo deployment with a sales trial license. It's a single instance deployment with only a handful of hosts, but the production deployment will separate out the roles to different servers.
I would like to deploy the Splunk App for Windows Infrastructure app and the other Windows add-ons to my Windows Universal Forwarders, as listed here: https://docs.splunk.com/Documentation/MSApp/1.5.2/MSInfra/HowtodeploytheSplunkAppforWindowsInfrastructure (not enough karma for links, sorry). It's my understanding that I would have to do the following to prep an app for deployment:
1. Download the "Splunk Add-on for Windows" from Splunkbase (App 742) .tgz file.
2. Manually extract and copy the contents of the app to $SPLUNK_HOME/etc/deployment-apps/.
3. Manually have Splunk rescan the directory with "splunk reload deploy-server", which is non-optional and not automatic.
This procedure is completely different than the easy GUI-based approach when adding apps to my search head.
1. Click Apps -> Find More Apps
2. Search for the App through Splunkbase, even seeing which apps are already installed.
3. Click Install. Authenticate and accept the T&Cs.
4. Click Restart if needed.
If there's an update to an app installed via Splunkbase, and the app is visible, I can click the update button in the listed apps on the home page. To update the same deployed app on the same Splunk instance, it appears I have to do the manual process.
Since my search head is also my deployment server, shouldn't installing deployable apps have the same ease and functionality? If I want to update a deployed app that's on Splunkbase, do I have to do this manual process for each Splunkbase app? Is there a GUI-based way to install apps for deployment, be it either from Splunkbase or manually written? Am I missing something in my workflow? Is there an app that offers this functionality, or at least notifies me if a Splunkbase deployed app is out of date? I don't want to deploy outdated, broken, or exploitable apps, especially if there's a newer version available.
I can understand the need for maintaining older versions of deployed apps, and not wanting them to update when a Splunkbase maintainer updates their app, but I think there would be the option of at least updating the app through some process in the GUI, or at least notifying the user an update is available.
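The manual procedure in the post (extract the downloaded package into deployment-apps, then reload the deployment server) can be scripted so that a package is staged only when it is newer than the copy already there. This is an added example, not part of the original post and not Splunk tooling: the function names are hypothetical, it assumes GNU tar and `sort -V`, and it assumes the package has one top-level app directory containing `default/app.conf` with a `[launcher]` version.

```shell
#!/usr/bin/env bash
# Added example: stage a downloaded Splunkbase package into deployment-apps
# only when its version is newer than the copy already staged.

# Print the [launcher] version from an app.conf read on stdin.
app_version() {
    awk -F'=' '
        /^\[/ { in_launcher = ($0 ~ /^\[launcher\]/) }
        in_launcher && $1 ~ /^[ \t]*version[ \t]*$/ {
            gsub(/[ \t\r]/, "", $2); print $2; exit
        }'
}

# Succeed if version $1 is strictly newer than $2 (sort -V ordering).
is_newer() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n1)" = "$1" ]
}

# Reject archives with absolute paths, ".." path components,
# or more than one top-level directory.
safe_archive() {
    local names
    names=$(tar -tzf "$1") || return 1
    if printf '%s\n' "$names" | grep -Eq '^/|(^|/)\.\.(/|$)'; then return 1; fi
    [ "$(printf '%s\n' "$names" | cut -d/ -f1 | sort -u | wc -l)" -eq 1 ]
}

# stage_app <package.tgz> <deployment-apps dir>
# Prints "staged <app> <version>" or "current <app> <version>".
stage_app() {
    local pkg="$1" dest="$2" app new old=""
    safe_archive "$pkg" || { echo "refusing $pkg: unsafe layout" >&2; return 2; }
    app=$(tar -tzf "$pkg" | head -n1 | cut -d/ -f1)
    new=$(tar -xzOf "$pkg" "$app/default/app.conf" | app_version)
    [ -n "$new" ] || { echo "no [launcher] version in $pkg" >&2; return 2; }
    [ -f "$dest/$app/default/app.conf" ] &&
        old=$(app_version < "$dest/$app/default/app.conf")
    if [ -n "$old" ] && ! is_newer "$new" "$old"; then
        echo "current $app $old"; return 0
    fi
    tar -xzf "$pkg" -C "$dest" --no-same-owner && echo "staged $app $new"
}

# Usage, followed by the rescan from step 3 of the post
# (package.tgz is a placeholder for the downloaded file):
#   stage_app package.tgz "$SPLUNK_HOME/etc/deployment-apps" &&
#       "$SPLUNK_HOME/bin/splunk" reload deploy-server
```

Extraction overlays the existing app directory, so files that only exist in the older staged copy are left in place; the package still has to be downloaded from Splunkbase by hand.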