Practice Exams:

SPLK-1003 Splunk Enterprise Certified Admin – Splunk Apps and Add-ons

  1. What is an Add-on?

Hi, welcome to this video. In this video we’ll be understanding more about what add-ons are and how to install them. Also, throughout this course we’ll be learning how to install add-ons, how to install an application on Splunk, how to download this application, how to create your own application, how to submit your newly created application to the Splunk portal and get it Splunk verified. Similarly, we’ll be seeing how to customize your application based on views, based on dashboards, or changing the color of the navigation menu, creating your own logo, these kinds of things, and how we can add them to our Splunk. So as part of the beginning of this module, we’ll be seeing how to install an add-on. And what are these add-ons? So, add-ons are also commonly referred to as technology add-ons. In order to simplify things, you can compare an add-on to a universal forwarder and an app to a Splunk Enterprise instance.

An add-on is very much limited in functionality when compared to a Splunk app. A technology add-on usually contains field extractions, data inputs and minimum parsing: source type renaming, host renaming, these kinds of scenarios, where the add-ons can collect inputs via location based, script based, or any other methods which Splunk supports.

So these add-ons are mainly used for data collection, field extractions and partial processing of the logs. In this video we’ll be seeing how to install a Windows add-on on our Splunk, and also we’ll see how to register on Splunkbase in case you are not registered already, and how to select and download the required add-on. And we’ll see how we can install these add-ons via Splunk Web, via the CLI, and by copying directly into our Splunk server. And this step is the most important one, that is troubleshooting the add-on, because not every add-on is 100% compliant with your environment. So as soon as you download it, you may start to notice issues: the add-on might be breaking or it might not be parsing the information as required. So we’ll see how to troubleshoot these add-ons.

  2. Installing a Splunk Add-on from Splunk Web

One of the first methods of selecting an add-on or downloading the add-on into your Splunk instance is using your Splunk console itself. This is our search head. We have our Internet connectivity established on our Splunk server. So let us go ahead and download the add-on using our Splunk console. I’ve logged into my search head. Click on this plus icon; in case you are on any other screen, you can go to Apps and you can click on Browse more Apps.

If your Splunk server has Internet connectivity, it directly connects to Splunkbase and it lists all the apps, let’s say any technology add-on for Windows. So this is our first add-on that we’ll be installing. As part of this video you can directly click on Install. We already have a username and password for Splunkbase, so you can enter your username and password here. Click on Accept and the technology add-on will be automatically installed. The second method of choosing the add-on and downloading it is via Splunkbase.

Visit splunkbase.splunk.com and search for the required add-on. In our case, it will be the technology add-on for Windows, that is for parsing Windows logs. So as you can see, we got it as our first result itself. In case you have not already logged in, you’ll get a Login and Download button here. Since I’ve already logged in, I’ll just go ahead and click on Download. So just accept the agreement and click on Download. We have our add-on downloaded. Now there are two methods to install these add-ons after downloading the add-on from Splunkbase. One, you can directly upload this file using Splunk Web. Second, you can directly copy this file and unzip it in the Splunk etc/apps directory. We’ll see the first method. This is our search head, where we’ll be installing our first add-on. You can click on this plus icon or click on Manage Apps. So here, just right next to Browse More Apps, you’ll be able to see Install App from File. Choose Install App from File and choose the file which we have just downloaded. In case you already have this add-on installed, you can upgrade it by selecting this checkmark.

Since this is the first time we are installing, I’ll keep it unchecked. I’ll click on Upload. If this add-on requires a restart post upload, Splunk will pop up to show us it requires a restart and we can go ahead and restart the Splunk search head. As you can see, this add-on requires a restart. So let me proceed and restart this. Once it is restarted, you’ll be able to parse the Windows logs using this technology add-on. Usually technology add-ons are installed on heavy forwarders and indexers, sometimes on the search heads for parsing the search-time fields, and also heavy forwarders and indexers use the technology add-on to parse your logs and store those logs once they are processed. Also, technology add-ons with input collection and initial data parsing like host, source and source type will be present on your universal forwarder.

Also, whenever you are downloading a technology add-on, just make sure to have a brief look at its documentation so that you have a clear indication of where this technology add-on should be present. So our Splunk has restarted. Once we log in, we are not able to see our technology add-on because our technology add-on doesn’t have any visual component. But you’ll be able to see the installed add-on in the same Manage Apps page. Click on the app settings. Most of the TAs will not have any UI, so they are usually installed on forwarders, heavy forwarders and indexers. As you can see here, we have successfully installed our Splunk TA for Windows. As you can see, it is presently not visible.

You can make this visible by clicking on Edit Properties. Make it visible? Yes. Now we are able to see our Splunk Add-on for Microsoft Windows. It gives a brief description saying that the Splunk Add-on for Microsoft Windows provides pre-built data inputs to facilitate Windows system monitoring. That means it contains basic data collection techniques like Windows event log, PowerShell scripts, a couple of batch scripts, and default locations for monitoring registries, Active Directory, DNS and Exchange. These kinds of minimal log collection are packaged into this add-on, and we’ll also see in the back end what files are created or added into our search head whenever we install add-ons.

  3. Installing a Splunk Add-on from the Splunk CLI

So in our previous video we successfully installed our Microsoft Windows technology add-on on our search head and we made it visible. Now let us see in the back end what files are created and how the architecture of these directories looks. So let us go to our search head. This is our search head. I’ll go to etc, that is, Splunk home first. This is Splunk home/etc/apps. This will be the directory for all the add-ons and apps that are installed on your Splunk instance. I’ll just list all the directories present here. As you can see, this is our Splunk TA for Windows which was recently installed. I’ll just increase the font size so that you can see better. So this is your Splunk TA for Windows.

As I already mentioned, the third method will be copying your apps directly into this directory, that is /opt/splunk/etc/apps, and once you extract this file you’ll be able to see the same directory present here. Once you restart after the extraction, you’re almost done with the installation through the CLI method, that is copying the apps directly into your Splunk instance. Now we’ll see what files are part of this TA for Windows. Any apps or add-ons that are downloaded from Splunkbase will always contain configuration files in the default directory of those apps, so any customization for those apps should be done under the local directory, not the default. There is a local directory and a default directory. We’ll check the default because this is where all the configuration which comes as part of your technology add-on resides. So this is the complete path: Splunk home followed by etc/apps, your application name or the add-on name, and the default directory.

So here you have a lot of files. We have gone through some of the files in this, that is we know what transforms.conf and props.conf are, what inputs.conf and indexes.conf are used for, and also event types and tags. We have gone through almost all of these configuration files. As part of a technology add-on you’ll almost always find props, transforms, tags, event types and a couple of times even inputs.conf, which specifies which logs to collect from the Windows system. Let’s say we downloaded the technology add-on for a Cisco device; usually for Cisco devices we collect the logs via syslog, so you won’t find any inputs.conf, but you might find props, transforms, tags and event types.

These are some of the common files that you usually find inside a technology add-on. Whereas, as we will be seeing in our next lecture, inside an application, compared with an add-on, there will be a lot more difference, where you can see a lot of static files and visualization components present as part of the application. This is almost all about technology add-ons. To summarize, your technology add-on is a small component of your Splunk application which consists of field extractions, event types, tags and occasionally inputs.conf.

  4. Installation of a Splunk App

So now it’s almost done. Yes, the transfer was successful. Now let me copy the uploaded file into our etc/apps directory. I’ll use this Splunk copy, sorry, Linux copy command to copy the file into the etc/apps directory. As you can see we are in the etc/apps directory, so in this we can’t leave it as it is, like a zip package. We need to extract this package. I’ll be using the following command to extract the package. This command is nothing but extracting your TGZ package into whatever the package contains. So all these files are present as part of the package. As you can see we have a new directory, that is Simple XML Examples. After this I’ll go ahead and delete my tar package; in case I require it, it is already present in my /tmp. Now we have Simple XML Examples.

Go ahead and restart your Splunk instance. Once restarted you should be able to see your newly installed app. If you remember, in our previous tutorial, once we installed the technology add-on, by default it was not visible. We explicitly went and made it visible. Now let us see what happens if we install an application. 99% of applications are visible by default, because an application usually contains some graphical visualization reports, alerts, dashboards and searches. As you can see, we have successfully installed our application by copying the app directly into the etc/apps directory. Any apps that you refer to or see here will be picked up from this directory, that is your Splunk home followed by etc/apps.

As you can see, this is the search app which is built as part of your Splunk installation. This is the TA for Windows which we installed in the previous video. This is our Simple XML Examples app; these are nothing but dashboard examples that we installed as part of this video, where we copied this file from our local PC and uploaded it into the Splunk server’s etc/apps directory. You can also see these are some of the other apps which are present in Splunk but by default they are not visible. We have successfully installed the dashboard examples. Let us go through how it looks. So this is your default screen for the dashboard examples. It says these are some of the visualizations that are part of your Splunk, or that you can customize as part of your requirement. So it has categorized them into basic elements, chart elements, table elements, single values, maps and this list continues. And also for each of these categories there is a dashboard created. If you go to Dashboards you’ll be able to see close to 100 dashboards, that is 97 dashboard examples, just as part of this application. So this is a good starting point in order to understand what visualizations we can do in Splunk. This is not limited to only these 97 dashboards, but if you understand these 97, or probably 50 of these dashboards, you’ll be able to create some amazing dashboards in Splunk.

  5. Disabling an App or Add-on

We have understood how to install an add-on and how to install an app in Splunk using multiple ways, that is CLI, Web or copying directly into the apps directory. Now we will see how we can disable or delete an app from Splunk Web, the Splunk CLI and also from your Linux console. To do that, let us go to our search head. This is our newly installed app, that is Dashboard Examples. I’ll go to my home screen. From the home screen you can either click on Manage Apps, or there is one more option: when you are inside any other application you can click on this apps menu and choose Manage Apps. They both lead you to the same page where you’ll see all the apps that are installed as part of this search head.

As you can see there are a total of 19 packages, which includes add-ons, inbuilt packages and other applications. As part of your Splunk, there are a total of 19 packages. So these 19 packages are part of your etc/apps directory on the Splunk server. Out of these 19 packages which are presently installed, you can choose whichever apps you would like to disable. Let’s say we’ll go ahead and disable our dashboard examples which we installed as part of a previous video tutorial. So this is Splunk’s Dashboard Examples app; you can just go ahead and click on Disable. This is one method. In case, post disabling, your app requires a restart of your Splunk server, it will prompt for a restart under Messages. In order to understand the other ways of disabling, we’ll be choosing our Splunk Add-on for Windows for disabling via the CLI and the Linux console. Let me go to my Splunk etc/apps directory and check whether my add-on is available.

Yes, as you can see there is Splunk_TA_windows. You can disable it either by moving this app, Splunk_TA_windows, by typing it correctly. Let me paste it. So move Splunk_TA_windows into the disabled-apps directory. You can directly move this using your Linux command, that is, move this app from etc/apps into etc/disabled-apps so that this app will be disabled post restart. There is also a Splunk CLI command to disable this: Splunk home/bin/splunk. The command is disable app and the package name, not the display name of your add-on, that is Splunk Add-on for Microsoft Windows. No, not that name. It is the package name, or the directory name which is under etc/apps. So this will be your app name.

So it says my app was successfully disabled. You need to restart your Splunk server for the change to take effect. Let us go ahead and restart. Now our Splunk instance is up. Let us validate whether we have our application disabled. So there are two ways. One, you can check the visibility of the application, whether you are able to see it. As you can see we are not able to see our Simple XML Examples or the TA for Windows. We can click on Manage Apps, the Settings icon, so that we can finally verify the status of those apps. This is our add-on that we disabled via the CLI, that is Splunk Add-on for Microsoft Windows. As you can see, the status is disabled. You can go ahead and enable or disable using Splunk Web as well, which we have seen for disabling the Splunk Dashboard Examples. So even this is disabled. This is all about managing an app or add-on.
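The copy-into-etc/apps installation from the CLI lecture and the two disable methods from this lecture, written out as an added POSIX shell example that is not part of the course material. It builds a throwaway SPLUNK_HOME under mktemp so everything runs offline; the package contents are constructed, Splunk_TA_windows is the real package (directory) name of the Splunk Add-on for Microsoft Windows, and etc/disabled-apps plus the `state = disabled` setting under `[install]` in local/app.conf are the mechanisms Splunk itself uses when an app is moved or disabled with `splunk disable app`. A real server still needs a restart after each step, which the example cannot show.

```shell
#!/bin/sh
# Added example, not course material: simulate "copy into etc/apps" install and
# both disable methods against a throwaway SPLUNK_HOME. File contents are
# constructed samples; the directory layout and conf settings are Splunk's own.
set -eu

# Build a constructed .tgz shaped like a Splunkbase add-on: everything under default/.
make_sample_ta_package() {
  workdir="$1"; app="$2"
  mkdir -p "$workdir/$app/default"
  printf '[ui]\nis_visible = false\n' > "$workdir/$app/default/app.conf"
  printf '[WinEventLog]\nSHOULD_LINEMERGE = false\n' > "$workdir/$app/default/props.conf"
  printf '[host_from_line]\nREGEX = ^(?<host>[^ ]+)\n' > "$workdir/$app/default/transforms.conf"
  printf '[windows_logon]\nsearch = sourcetype=WinEventLog EventCode=4624\n' > "$workdir/$app/default/eventtypes.conf"
  printf '[eventtype=windows_logon]\nauthentication = enabled\n' > "$workdir/$app/default/tags.conf"
  printf '[WinEventLog://Security]\ndisabled = 0\n' > "$workdir/$app/default/inputs.conf"
  tar -czf "$workdir/$app.tgz" -C "$workdir" "$app"
  rm -rf "$workdir/$app"
  echo "$workdir/$app.tgz"
}

# Lecture method three: unpack the package straight into etc/apps.
# Prints the installed app directory; refuses packages with no default/.
install_app_from_package() {
  splunk_home="$1"; tgz="$2"; apps="$splunk_home/etc/apps"
  mkdir -p "$apps"
  app=$(tar -tzf "$tgz" | head -n 1 | cut -d/ -f1)
  tar -xzf "$tgz" -C "$apps"
  [ -d "$apps/$app/default" ] || { echo "no default/ directory in $app" >&2; return 1; }
  # local/ is where site customizations go, so an upgrade never overwrites them.
  mkdir -p "$apps/$app/local"
  echo "$apps/$app"
}

# The .conf files shipped in default/, one per line, sorted.
list_default_conf() {
  for f in "$1/etc/apps/$2"/default/*.conf; do basename "$f"; done | sort
}

# Disable method A (Linux console): move the directory to etc/disabled-apps.
disable_app_by_move() {
  mkdir -p "$1/etc/disabled-apps"
  mv "$1/etc/apps/$2" "$1/etc/disabled-apps/$2"
}

# Disable method B: what `splunk disable app <package_name>` records. It takes the
# directory name, never the display name; Splunk merges repeated stanzas.
disable_app_by_conf() {
  mkdir -p "$1/etc/apps/$2/local"
  printf '[install]\nstate = disabled\n' >> "$1/etc/apps/$2/local/app.conf"
}

# Report enabled / disabled / absent the way Manage Apps would after a restart.
app_state() {
  if [ -d "$1/etc/disabled-apps/$2" ]; then echo disabled; return 0; fi
  if [ ! -d "$1/etc/apps/$2" ]; then echo absent; return 0; fi
  if grep -Eqs '^[[:space:]]*state[[:space:]]*=[[:space:]]*disabled' "$1/etc/apps/$2/local/app.conf"; then
    echo disabled
  else
    echo enabled
  fi
}

demo() {
  tmp=$(mktemp -d); home="$tmp/splunk"
  pkg=$(make_sample_ta_package "$tmp" Splunk_TA_windows)
  echo "installed: $(install_app_from_package "$home" "$pkg")"
  echo "default/ ships:"; list_default_conf "$home" Splunk_TA_windows
  echo "state after install: $(app_state "$home" Splunk_TA_windows)"
  disable_app_by_conf "$home" Splunk_TA_windows
  echo "state after disable app: $(app_state "$home" Splunk_TA_windows)"
  rm -rf "$tmp"
}
demo
```

The state check mirrors what the lecture verifies in Manage Apps after the restart: an app is gone from the UI either because its directory left etc/apps or because its local/app.conf marks it disabled, so both paths have to be inspected when you audit which add-ons are actually active on a forwarder or indexer.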