Working with Apps in Splunk


Defining an app

In the strictest sense, an app is a directory of configurations and, sometimes, code. The directories and files inside have a particular naming convention and structure. All configurations are in plain text, and can be edited using your choice of text editor.

Apps generally serve one or more of the following purposes:

  1. A container for searches, dashboards, and related configurations: This is what most users will do with apps. This is not only useful for logical grouping, but also for limiting what configurations are applied and at what time. This kind of app usually does not affect other apps.

  2. Providing extra functionality: Many objects can be provided in an app for use by other apps. These include field extractions, lookups, external commands, saved searches, workflow actions, and even dashboards. These apps often have no user interface at all; instead they add functionality to other apps.

  3. Configuring a Splunk installation for a specific purpose: In a distributed deployment, there are several different purposes that are served by the multiple installations of Splunk. The behavior of each installation is controlled by its configuration, and it is convenient to wrap those configurations into one or more apps. These apps completely change the behavior of a particular installation.

Included apps

Without apps, Splunk has no user interface, rendering it essentially useless. Luckily, Splunk comes with a few apps to get us started. Let’s look at a few of these apps:

  • gettingstarted: This app provides the help screens that you can access from the launcher. There are no searches, only a single dashboard that simply includes an HTML page.

  • search: This is the app where users spend most of their time. It contains the main search dashboard and the external search commands that can be used from any app, as well as admin dashboards, custom navigation, custom CSS, a custom app icon, a custom app logo, and many other useful elements.

  • splunk_datapreview: This app provides the data preview functionality in the admin interface. It is built entirely using JavaScript and custom REST endpoints.

  • SplunkDeploymentMonitor: This app provides searches and dashboards to help you keep track of your data usage and the health of your Splunk deployment. It also defines indexes, saved searches, and summary indexes. It is a good source for more advanced search examples.

  • SplunkForwarder and SplunkLightForwarder: These apps, which are disabled by default, simply disable portions of a Splunk installation so that the installation is lighter in weight.

If you never create or install another app, and instead simply create saved searches and dashboards in the search app, you can still be quite successful with Splunk. Installing and creating more apps, however, allows you to take advantage of others’ work, organize your own work, and ultimately share your work with others.

Installing apps

Apps can either be installed from Splunkbase or uploaded through the admin interface. To get started, let’s navigate to Manager | Apps, or choose Manage apps… from the App menu as shown in the following screenshot:

Installing apps from Splunkbase

If your Splunk server has direct access to the Internet, you can install apps from Splunkbase with just a few clicks. Navigate to Manager | Apps and click on Find more apps online. The most popular apps will be listed as follows:

Let’s install a pair of apps and have a little fun. First, install Geo Location Lookup Script (powered by MAXMIND) by clicking on the Install free button. You will be prompted for your splunk.com login. This is the same login that you created when you downloaded Splunk. If you don’t have an account, you will need to create one.

Next, install the Google Maps app. This app was built by a Splunk customer and contributed back to the Splunk community. This app will prompt you to restart Splunk.

Once you have restarted and logged back in, check the App menu.

Google Maps is now visible, but where is Geo Location Lookup Script? Remember that not all apps have dashboards; nor do they necessarily have any visible components at all.

Using Geo Location Lookup Script

Geo Location Lookup Script provides a lookup script that returns geolocation information for IP addresses. Looking at the documentation, we see this example:

eventtype=firewall_event | lookup geoip clientip as src_ip

You can find the documentation for any Splunkbase app by searching for it at splunkbase.com, or by clicking on Read more next to any installed app by navigating to Manager | Apps | Browse more apps.

Let’s read through the arguments of the lookup command:

  • geoip: This is the name of the lookup provided by Geo Location Lookup Script.

    You can see the available lookups by going to Manager | Lookups | Lookup definitions.

  • clientip: This is the name of the field in the lookup that we are matching against.

  • as src_ip: This says to take the value of the event field src_ip and use it as the value of the lookup field named before it; in this case, clientip. I personally find this wording confusing. In my mind, I read this as “using” instead of “as”.

Included in the ImplementingSplunkDataGenerator app (available at http://packtpub.com/) is a sourcetype named impl_splunk_ips, whose events look like this:

2012-05-26T18:23:44 ip=64.134.155.137

The IP addresses in this fictitious log are from one of my websites. Let’s see some information about these addresses:

sourcetype="impl_splunk_ips" | lookup geoip clientip AS ip | top client_country

This gives us a table similar to the one shown in the following screenshot:

That’s interesting. I wonder who is visiting my site from Slovenia!
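To make the argument order of the lookup command concrete, here is an added example (not code from the book or from the Geo Location Lookup Script app) that emulates the whole pipeline above in Python: it extracts the ip field from constructed impl_splunk_ips events, applies the lookup with the "clientip AS ip" mapping, and computes the same count/percent table that top produces. The sample events use documentation IP ranges, and GEOIP_TABLE is a constructed stand-in for the MaxMind-backed lookup, so the countries are made up; the function names are this example's own. One event has no entry in the table, which shows what the search also does: events the lookup cannot match simply get no client_country and drop out of the top table.

```python
import re
from collections import Counter

# Constructed sample events in the impl_splunk_ips format shown above.
# The addresses are documentation ranges (RFC 5737), not real visitors.
SAMPLE_EVENTS = """\
2012-05-26T18:23:44 ip=203.0.113.10
2012-05-26T18:23:45 ip=198.51.100.7
2012-05-26T18:23:46 ip=203.0.113.11
2012-05-26T18:23:47 ip=192.0.2.25
2012-05-26T18:23:48 ip=203.0.113.12
2012-05-26T18:23:49 ip=198.51.100.8
2012-05-26T18:23:50 ip=192.0.2.99
2012-05-26T18:23:51 ip=203.0.113.13
"""

# Constructed stand-in for the geoip lookup. The real lookup is an external
# script backed by a MaxMind database; here it is a dict keyed on the
# lookup's input field (clientip) with the output fields it would add.
GEOIP_TABLE = {
    "203.0.113.10": {"client_country": "Slovenia", "client_city": "Ljubljana"},
    "203.0.113.11": {"client_country": "Slovenia", "client_city": "Maribor"},
    "203.0.113.12": {"client_country": "Slovenia", "client_city": "Ljubljana"},
    "203.0.113.13": {"client_country": "Slovenia", "client_city": "Celje"},
    "198.51.100.7": {"client_country": "United States", "client_city": "Austin"},
    "198.51.100.8": {"client_country": "United States", "client_city": "Dallas"},
    "192.0.2.25": {"client_country": "Germany", "client_city": "Berlin"},
    # 192.0.2.99 is deliberately absent: the lookup returns nothing for it.
}


def extract_fields(event):
    """Mimic Splunk's automatic key=value field extraction for one event."""
    fields = dict(re.findall(r"(\w+)=(\S+)", event))
    fields["_raw"] = event
    return fields


def lookup(events, table, input_field, as_field=None):
    """Emulate `lookup <name> <input_field> AS <as_field>`.

    The lookup is keyed on its own field (input_field, e.g. clientip).
    `AS` names the event field whose value is fed into that key; without
    it, the event is expected to carry a field of the same name.
    Matching events gain the lookup's output fields; others are unchanged.
    """
    event_field = as_field or input_field
    for ev in events:
        match = table.get(ev.get(event_field))
        if match:
            ev.update(match)
        yield ev


def top(events, field, limit=10):
    """Emulate `top <field>`: value, count and percent, most common first.

    Like Splunk, only events that actually have the field are counted.
    """
    counts = Counter(ev[field] for ev in events if field in ev)
    total = sum(counts.values())
    return [
        {field: value, "count": n, "percent": round(100.0 * n / total, 6)}
        for value, n in counts.most_common(limit)
    ]


def run_search(raw=SAMPLE_EVENTS, table=GEOIP_TABLE):
    """sourcetype="impl_splunk_ips" | lookup geoip clientip AS ip | top client_country"""
    events = (extract_fields(line) for line in raw.splitlines() if line.strip())
    enriched = lookup(events, table, "clientip", as_field="ip")
    return top(enriched, "client_country")


if __name__ == "__main__":
    for row in run_search():
        print(row)
```

Reading the emulation makes the "AS" direction explicit: the word before AS is the lookup's field, the word after it is the event's field. Swapping them (lookup geoip ip AS clientip) would look for a lookup field called ip and silently enrich nothing, which is the usual reason a geo-enriched search comes back empty.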

Using Google Maps

Now let’s do a similar search in the Google Maps app. Choose Google Maps from the App menu. The interface looks like the standard search interface, but with a map instead of an event listing. Let’s try this remarkably similar (but not identical) query using a lookup provided in the Google Maps app:

sourcetype="impl_splunk_ips" | lookup geo ip

The map generated looks like this:

Unsurprisingly, most of the traffic to this little site came from my house in Austin, Texas.

Installing apps from a file

It is common for Splunk servers to have no access to the Internet, particularly in a datacenter. In this case, follow these steps:

  1. Download the app from splunkbase.com. The file will have a .spl or .tgz extension.

  2. Navigate to Manager | Apps.

  3. Click on Install app from file.

  4. Upload the downloaded file using the form provided.

  5. Restart if the app requires it.

  6. Configure the app if required.

That’s it. Some apps have a configuration form. If this is the case, you will see a Set up link next to the app when you go to Manager | Apps. If something goes wrong, contact the author of the app.

If you have a distributed environment, in most cases the app only needs to be installed on your search head. The components that your indexers need will be distributed automatically by the search head. Check the documentation for the app.
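Before uploading a package downloaded from splunkbase.com, it is worth looking inside it, because an app is exactly what the first section says it is: a directory of configuration plus, sometimes, code that the search head will execute. The .spl file is a gzipped tar archive, so the check can be done offline. The following is an added example (not the book's code and not part of any Splunk tooling) that builds a small constructed .spl in memory and reports the app directory name, whether default/app.conf is present, which scripts live under bin/, and whether any archive entries would escape the app directory on extraction. The sample app name and file contents are made up, and the function names are this example's own.

```python
import io
import posixpath
import tarfile


def build_sample_spl(with_traversal=False):
    """Build a constructed in-memory .spl: a gzipped tar whose entries sit
    under one top-level app directory, as Splunk expects.

    with_traversal adds an entry with a '..' path so the checker below
    has something to flag; a well-formed app package never contains one.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(name, data):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add("sample_app/default/app.conf",
            b"[launcher]\nauthor = example\nversion = 1.0\n")
        add("sample_app/bin/mylookup.py",
            b"#!/usr/bin/env python\nprint('constructed lookup script')\n")
        if with_traversal:
            add("../outside.conf", b"[stanza]\nkey = value\n")
    return buf.getvalue()


def inspect_spl(data):
    """Summarize an app package without extracting it.

    Returns a dict with the single top-level app directory (None if the
    archive has zero or several), whether <app>/default/app.conf exists,
    the regular files under <app>/bin (code the app will run), and any
    entries that are absolute, contain '..', or are links.
    """
    summary = {"app_dir": None, "has_app_conf": False,
               "scripts": [], "unsafe_entries": []}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        members = tar.getmembers()

    top_dirs = set()
    for m in members:
        norm = posixpath.normpath(m.name)
        if (m.name.startswith("/") or norm == ".." or norm.startswith("../")
                or m.issym() or m.islnk()):
            summary["unsafe_entries"].append(m.name)
            continue
        parts = norm.split("/")
        top_dirs.add(parts[0])
        if parts[1:] == ["default", "app.conf"]:
            summary["has_app_conf"] = True
        if len(parts) >= 3 and parts[1] == "bin" and m.isfile():
            summary["scripts"].append(norm)

    if len(top_dirs) == 1:
        summary["app_dir"] = top_dirs.pop()
    return summary


def package_looks_sane(summary):
    """True when the package has one app directory, an app.conf, and no
    unsafe entries. Scripts are not an error, but they are what to read
    before clicking Install app from file."""
    return (summary["app_dir"] is not None
            and summary["has_app_conf"]
            and not summary["unsafe_entries"])


if __name__ == "__main__":
    report = inspect_spl(build_sample_spl())
    print(report)
    print("sane:", package_looks_sane(report))
```

In practice you would read the real file with open(path, "rb").read() instead of build_sample_spl(); the list of scripts under bin/ is the part that deserves a look, since that is code that runs with the Splunk process's privileges on whichever instance the app is installed on.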
