SPLK-1002 Splunk Core Certified Power User – Splunk Apps and Add-Ons

  1. What is an Add-on?

Hi, welcome to this video. In this video you'll learn more about what add-ons are and how to install them. Throughout this course we'll be learning how to install add-ons, how to install an application on Splunk, how to download an application, how to create your own application, and how to submit your newly created application to the Splunk portal and get it Splunk verified.

Similarly, we'll see how to customize your application: views, dashboards, changing the color of the navigation menu, creating your own logo, and how we can add these kinds of things to our Splunk. So at the beginning of this module, we'll see how to install an add-on.

And what are these add-ons? Add-ons are also commonly referred to as technology add-ons (TAs). To simplify things, you can compare an add-on to a universal forwarder and an app to a Splunk Enterprise instance. An add-on is very limited in functionality when compared to a Splunk app. A technology add-on usually contains field extractions, data inputs, and minimal parsing such as sourcetype renaming and host renaming, and it can collect inputs via file-location monitoring, scripted inputs, or any other method that Splunk supports.

So these add-ons are mainly used for data collection, field extractions, and partial processing of the logs. In this video we'll see how to install a Windows add-on on our Splunk. We'll also see how to register on Splunkbase, in case you are not registered already, and how to select and download the required add-on.

We'll also see how to install these add-ons via Splunk Web, via the CLI, and by copying them directly onto a Splunk server. The most important step is troubleshooting the add-on, because not every add-on is 100% compliant with your environment. As soon as you install one, you may start to notice that the add-on is breaking or is not parsing the information as required. So we'll see how to troubleshoot these add-ons.

  2. Installing a Splunk Add-on From Splunk Web

The first method of selecting and downloading an add-on into your Splunk instance is to use Splunk Web itself. This is our search head.

We have Internet connectivity established on our Splunk server, so let us go ahead and download the add-on using Splunk Web. I've logged into my search head. Click on this plus icon, or, if you are on any other screen, go to Apps and click on Browse more Apps. If your Splunk server has Internet connectivity, it connects directly to Splunkbase and lists all the apps; let's say we want the technology add-on for Windows.

So this is the first add-on that we'll be installing as part of this video. You can directly click on Install. We already have a username and password for Splunkbase, so you can enter your username and password here, click on Accept, and the technology add-on will be installed automatically. The second method of choosing the add-on and downloading it is via Splunkbase.

Visit splunkbase.splunk.com and search for the required add-on. In our case, it will be the technology add-on for Windows, that is, for parsing Windows logs. As you can see, we got it as our very first result. In case you have not already logged in, you'll get a Login and Download button here.

Since I've already logged in, I'll just go ahead and click on Download. Accept the agreement and click on Download. We have our add-on downloaded. Now there are two methods to install these add-ons after downloading them from Splunkbase. One, you can upload this file directly using Splunk Web. Second, you can copy this file and unzip it in the $SPLUNK_HOME/etc/apps directory. We'll see the first method. This is our search head, where we'll be installing our first add-on.

You can click on this plus icon or click on Manage Apps. Here, right next to Browse More Apps, you'll be able to see Install App from File. Choose Install App from File and select the file which we have just downloaded. In case you already have this add-on installed, you can upgrade it by selecting this checkbox.

Since this is the first time we are installing it, I'll keep it unchecked and click on Upload. If this add-on requires a restart after upload, Splunk will pop up to tell us it requires a restart, and we can go ahead and restart the Splunk search head. As you can see, this add-on requires a restart, so let me proceed and restart it. Once it is restarted, you'll be able to parse the Windows logs using this technology add-on. Usually technology add-ons are installed on heavy forwarders and indexers, and sometimes on the search heads for parsing the search-time fields. Heavy forwarders and indexers use the technology add-on to parse your logs and to store those logs once they are processed.

Technology add-ons that handle input collection and initial data parsing, like setting host, source, and sourcetype, will also be present on your universal forwarder. Whenever you are downloading a technology add-on, make sure to have a brief look at its documentation, which will give a clear indication of where this technology add-on should be installed. So our Splunk has restarted. Once we log in, we are not able to see our technology add-on, because the technology add-on doesn't have any visual component. But you'll be able to see the installed add-on in the same Manage Apps screen. Click on the app settings.

Most TAs will not have any UI, because they are usually installed on forwarders, heavy forwarders, and indexers. As you can see here, we have successfully installed our Splunk TA for Windows. As you can see, it is presently not visible. You can make it visible by clicking on Edit Properties and setting Visible to Yes.

Now we are able to see our Splunk Add-on for Microsoft Windows. It gives a brief description saying that the Splunk Add-on for Microsoft Windows provides pre-built data inputs to facilitate Windows system monitoring. That means it contains basic data collection techniques like Windows event log inputs, PowerShell scripts, a couple of batch scripts, and default locations for monitoring the registry, Active Directory, DNS, and Exchange. These kinds of minimal log collection are packaged into this add-on. We'll also see in the back end what files are created or added to our search head whenever we install add-ons.
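The second install method from the video, copying the downloaded package into $SPLUNK_HOME/etc/apps, as an added shell example that is not part of the course material or of any Splunk add-on. It builds a small constructed package in the same layout Splunkbase ships (app directory with default/app.conf, inputs.conf, props.conf), checks it before extracting it, refuses to overwrite an installed copy unless the upgrade flag is set (the checkbox from the Splunk Web dialog), reads the visibility setting that Edit Properties changes, and works out from the shipped .conf files which tier (forwarder, indexer, search head) the add-on belongs on. SPLUNK_HOME points at a throwaway directory instead of a real /opt/splunk, and TA-sample-windows is a made-up package name; both are assumptions.

```shell
#!/bin/sh
# Added example, not course code. Assumptions: SPLUNK_HOME is a scratch
# directory standing in for /opt/splunk; TA-sample-windows is a constructed
# package, not a real Splunkbase add-on.
set -eu

WORK="$(mktemp -d)"
SPLUNK_HOME="$WORK/splunk"
mkdir -p "$SPLUNK_HOME/etc/apps"

# Constructed package in the Splunkbase layout: <app>/default/app.conf plus
# inputs.conf (collection) and props.conf (parsing/extraction). No UI files.
TA="TA-sample-windows"
mkdir -p "$WORK/$TA/default"
cat > "$WORK/$TA/default/app.conf" <<'EOF'
[install]
is_configured = 0

[ui]
is_visible = 0
label = Sample Windows TA
EOF
cat > "$WORK/$TA/default/inputs.conf" <<'EOF'
[monitor:///var/log/sample.log]
sourcetype = sample:windows
EOF
cat > "$WORK/$TA/default/props.conf" <<'EOF'
[sample:windows]
EXTRACT-user = user=(?<user>\S+)
EOF
tar -C "$WORK" -czf "$WORK/$TA.tgz" "$TA"

# Validate before touching etc/apps: exactly one top-level app directory,
# and it must carry default/app.conf. Prints the app directory name.
ta_package_name() {
  pkg="$1"
  top="$(tar -tzf "$pkg" | sed 's#/.*##' | sort -u)"
  [ "$(printf '%s\n' "$top" | wc -l | tr -d ' ')" -eq 1 ] ||
    { echo "package must contain exactly one app directory" >&2; return 1; }
  tar -tzf "$pkg" | grep -qxF "$top/default/app.conf" ||
    { echo "no default/app.conf in package" >&2; return 1; }
  echo "$top"
}

# Manual install: the same result as "Install app from file" in Splunk Web
# or "splunk install app <package>" on the CLI. Refuses to overwrite an
# existing app unless upgrade=1 (the upgrade checkbox). Prints the app path.
install_ta() {
  pkg="$1"; upgrade="${2:-0}"
  name="$(ta_package_name "$pkg")" || return 1
  dest="$SPLUNK_HOME/etc/apps/$name"
  if [ -d "$dest" ] && [ "$upgrade" != 1 ]; then
    echo "$name already installed; pass upgrade=1 to overwrite" >&2
    return 1
  fi
  tar -C "$SPLUNK_HOME/etc/apps" -xzf "$pkg"
  echo "$dest"
}

# Read one key from one stanza of a .conf file: conf_get FILE STANZA KEY
conf_get() {
  awk -v s="[$2]" -v k="$3" '
    $0 == s         { in_s = 1; next }
    /^\[/           { in_s = 0 }
    in_s && $1 == k { sub(/^[^=]*=[ \t]*/, ""); print; exit }
  ' "$1"
}

# "Edit Properties -> Visible: Yes" writes the override to local/app.conf;
# default/ is left untouched so a later upgrade does not undo it.
ta_set_visible() {
  mkdir -p "$1/local"
  printf '[ui]\nis_visible = 1\n' > "$1/local/app.conf"
}

# Effective visibility (prints 1 or 0): local/ overrides default/.
ta_is_visible() {
  v="$(conf_get "$1/local/app.conf" ui is_visible 2>/dev/null || true)"
  [ -n "$v" ] || v="$(conf_get "$1/default/app.conf" ui is_visible)"
  echo "${v:-0}"
}

# Rule of thumb for where the TA must be deployed: inputs.conf -> forwarders;
# props/transforms -> where index-time parsing (heavy forwarder/indexer) and
# search-time extraction (search head) happen. Always confirm with its docs.
ta_roles() {
  roles=""
  [ -f "$1/default/inputs.conf" ] && roles="forwarder"
  if [ -f "$1/default/props.conf" ] || [ -f "$1/default/transforms.conf" ]; then
    roles="${roles:+$roles,}indexer,search_head"
  fi
  echo "$roles"
}
```

Running `install_ta "$WORK/$TA.tgz"` once succeeds and a second plain call is refused, which mirrors the Splunk Web dialog; `ta_roles` on the extracted directory reports forwarder,indexer,search_head for this package because it ships both an input and a props stanza.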