SPLK-1002 Splunk Core Certified Power User – Splunk Apps And Add-On’s Part 2

  1. Installing Splunk Add on From Splunk CLI

In the previous video we successfully installed the Microsoft Windows technology add-on on our search head and made it visible. Now let us look at the back end: which files were created and how these directories are laid out. Let us go to our search head. I'll go to etc under Splunk home, that is, $SPLUNK_HOME/etc/apps. This is the directory that holds all the add-ons and apps installed on your Splunk instance.

I'll list all the directories present here. As you can see, this is the Splunk TA for Windows, which was recently installed. I'll increase the font size so that you can see better. As I already mentioned, the third installation method is copying your apps directly into this directory, /opt/splunk/etc/apps. Once you extract the package there, you'll see the same directory present here.

Once you restart after the extraction, the installation through the CLI method, that is, copying the app directly into your Splunk instance, is done. Now we'll see which files are part of this Windows TA. Any app or add-on downloaded from Splunkbase ships its configuration files in the default directory of that app, so any customization for the app should be done under the local directory, not under default.

There is a local directory and a default directory. We'll check default, because this is where all the configuration that comes as part of your technology add-on resides. So the complete path is Splunk home, followed by etc/apps, your application or add-on name, and the default directory.

Here you have a lot of files. We have already gone through some of them: we know what transforms and props are, what inputs and indexes.conf are used for, and also event types and tags. We have covered most of these configuration files as part of the technology add-on.

You'll almost always find props, transforms, tags and event types, and sometimes also inputs.conf, which specifies which logs to collect from the Windows system. Say we downloaded the technology add-on for a Cisco device: we usually collect logs from Cisco devices via syslog, so you won't find any inputs.conf, but you might find props, transforms, tags and event types.

These are some of the common files that you usually find inside a technology add-on. In the next lecture we will see that there is a lot more difference between an application and an add-on: an application also carries a lot of static files and visualization components. That is almost all there is to a technology add-on. To summarize, a technology add-on is a small component of your Splunk application which consists of field extractions, event types, tags and occasionally inputs.conf.

  1. Installation of Splunk App

So now it's almost done. Yes, the transfer was successful. Now let me copy the uploaded file into our etc/apps directory. I'll use the Linux copy command to copy the file into etc/apps. As you can see, we are in the etc/apps directory. We can't leave the file as it is, as a compressed package; we need to extract it. I'll use the following command to extract the package. This command simply unpacks the tgz package into whatever the package contains. So all these files are present as part of the package.

As you can see, we have a new directory, simple XML examples. After this I'll go ahead and delete the tar package; in case I need it again, it is still present in my temp directory. Now we have simple XML examples. Go ahead and restart your Splunk instance. Once it has restarted you should be able to see your newly installed app. If you remember from our previous tutorial, once we installed the technology add-on, by default it was not visible.

We explicitly went and made it visible. Now let us see what happens when we install an application. 99% of applications are visible by default, because an application usually contains graphical visualizations, reports, alerts, dashboards and searches. As you can see, we have successfully installed our application by copying it directly into the etc/apps directory. Any app that you see here is picked up from this directory, that is, Splunk home followed by etc/apps.
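The copy-and-extract install described above can be preceded by a check of what the package will write into etc/apps. This is an added example, not part of the original tutorial: the function names and the demo package are constructed, and the warning about a shipped local/ directory is an assumption based on the default/local convention described earlier.

```bash
# check_app_tgz TGZ: print the package's single top-level directory, or fail
# if any entry is absolute, contains "..", or sits outside that directory.
check_app_tgz() {
    local tgz=$1 entries top
    entries=$(tar -tzf "$tgz") || return 1
    # Reject absolute paths and parent-directory components.
    if printf '%s\n' "$entries" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe path in $tgz" >&2
        return 1
    fi
    top=$(printf '%s\n' "$entries" | sed 's|^\./||' | cut -d/ -f1 | grep . | sort -u)
    if [ "$(printf '%s\n' "$top" | grep -c .)" -ne 1 ]; then
        echo "expected exactly one top-level directory in $tgz" >&2
        return 1
    fi
    printf '%s\n' "$top"
}

# install_app_tgz TGZ APPS_DIR: extract a vetted package into the apps
# directory and warn if it ships local/, which is reserved for site changes.
install_app_tgz() {
    local tgz=$1 apps_dir=$2 app
    app=$(check_app_tgz "$tgz") || return 1
    tar -xzf "$tgz" -C "$apps_dir" --no-same-owner || return 1
    if [ -d "$apps_dir/$app/local" ]; then
        echo "warning: $app ships a local/ directory" >&2
    fi
    printf '%s\n' "$app"
}

# Demo on a constructed package (not a real Splunkbase download).
demo=$(mktemp -d)
mkdir -p "$demo/src/demo_app/default" "$demo/apps"
printf '[ui]\nis_visible = true\n' > "$demo/src/demo_app/default/app.conf"
tar -czf "$demo/demo_app.tgz" -C "$demo/src" demo_app
install_app_tgz "$demo/demo_app.tgz" "$demo/apps"
```

On a real instance the second argument would be the etc/apps directory under Splunk home, followed by the restart the tutorial performs.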

As you can see, this is the search app, which is built in as part of your Splunk installation. This is the Windows TA, which we installed in the previous video. This is our simple XML examples app, which is nothing but the dashboard examples we installed in this video, where we copied the file from our local PC and uploaded it to the Splunk server into the etc/apps directory. These are some of the other apps which are present in Splunk but are not visible by default. We have successfully installed Dashboard Examples. Let us go through how it looks. This is the default screen for Dashboard Examples. It shows some of the visualizations that are part of Splunk, which you can customize to your requirements.

It is categorized into basic elements, chart elements, table elements, single values, maps, and so on. For each of these categories there is a dashboard created. If you go to Dashboards you'll see close to 100 dashboards, that is, 97 dashboard examples just as part of this application. So this is a good starting point for understanding which visualizations we can do in Splunk. You are not limited to these 97 dashboards, but if you understand these 97, or even 50 of them, you'll be able to create some amazing dashboards in Splunk.

  1. Disabling an App or Add on

We have understood how to install an add-on and how to install an app in Splunk in multiple ways, that is, the CLI, the web interface, or copying directly into the apps directory. Now we will see how we can disable or delete an app from Splunk Web, the Splunk CLI, and also from your Linux console. To do that, let us go to our search head. This is our newly installed app, Dashboard Examples. I'll go to my home screen. From the home screen you can click on Manage Apps, or there is one more option: when you are inside any other application you can click on the Apps menu and choose Manage Apps. Both lead to the same page, where you'll see all the apps that are installed on this search head.

As you can see, there are a total of 19 packages, which includes add-ons, built-in packages and other applications. These 19 packages are part of your etc/apps directory on the Splunk server. Out of these 19 installed packages, you can choose whichever apps you would like to disable. Let's say we'll go ahead and disable the Dashboard Examples app, which we installed in the previous video tutorial.

This is the Splunk Dashboard Examples app; you can just go ahead and click on Disable. This is one method. After disabling, if your app requires a restart of the Splunk server, it will prompt for a restart under Messages. To understand the other ways of disabling, we'll use our Splunk Add-on for Windows and disable it via the CLI and the Linux console. Let me go to my Splunk etc/apps directory and check whether my add-on is available.

Yes, as you can see, there is the Splunk TA Windows. You can disable it by moving this app (let me paste the name so that it is typed correctly) into the disabled apps directory. You can move it directly using your Linux move command, that is, move this app from etc/apps into etc/disabled-apps, so that the app will be disabled after a restart. There is also a Splunk CLI command to disable it: opt/splunk/bin/splunk, and the command is disable app followed by the package name. Not the display name of your add-on, that is, Splunk Add-on for Microsoft Windows. No, not that name. It is the package name, or the directory name under etc/apps. So this will be your app name.

It says my app was successfully disabled and that you need to restart your Splunk server for the change to take effect. Let us go ahead and restart. Now our Splunk instance is up. Let us validate whether our application is disabled. There are two ways. One, you can check the visibility of the application, that is, whether you are able to see it.

As you can see, we are not able to see our Splunk XML examples app or the TA Windows. We can click on Manage Apps, the settings icon, so that we can finally verify the status of those apps. This is the add-on that we disabled through the CLI, that is, Splunk Add-on for Microsoft Windows. As you can see, the status is disabled. You can also enable or disable it using Splunk Web, as we saw when disabling the Splunk Dashboard Examples app. So even this one is disabled. This is all about managing an app or add-on.
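The status and visibility checked in Manage Apps can also be read from the console. The sketch below is an added example, not part of the original tutorial: it relies on Splunk recording a disabled app as `state = disabled` under `[install]` in app.conf and visibility as `is_visible` under `[ui]`, with local/ overriding default/; the function names and the two demo packages are constructed.

```bash
# conf_get FILE STANZA KEY: print the value of KEY inside [STANZA], if present.
conf_get() {
    [ -f "$1" ] || return 0
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t\r]/, ""); in_stanza = ($0 == want); next }
        in_stanza {
            line = $0; sub(/[ \t\r]+$/, "", line)
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); gsub(/[ \t]/, "", k)
            v = substr(line, n + 1); sub(/^[ \t]+/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }' "$1"
}

# app_setting APP_DIR STANZA KEY: local/app.conf wins over default/app.conf.
app_setting() {
    local v
    v=$(conf_get "$1/local/app.conf" "$2" "$3")
    [ -n "$v" ] || v=$(conf_get "$1/default/app.conf" "$2" "$3")
    printf '%s\n' "$v"
}

# list_apps APPS_DIR: one line per package directory: name, state, visibility.
list_apps() {
    local d state vis
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        state=$(app_setting "$d" install state)
        vis=$(app_setting "$d" ui is_visible)
        printf '%s state=%s is_visible=%s\n' "${d##*/}" "${state:-enabled}" "${vis:-unset}"
    done
}

# Demo on a constructed apps directory: an add-on disabled via local/app.conf
# and a visible app left at its defaults.
apps=$(mktemp -d)
mkdir -p "$apps/demo_ta/default" "$apps/demo_ta/local" "$apps/demo_app/default"
printf '[ui]\nis_visible = false\n' > "$apps/demo_ta/default/app.conf"
printf '[install]\nstate = disabled\n' > "$apps/demo_ta/local/app.conf"
printf '[ui]\nis_visible = true\n' > "$apps/demo_app/default/app.conf"
list_apps "$apps"
```

An app disabled by moving it out of etc/apps will not appear in this listing at all, so compare the listing against the packages you expect to be installed.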
