- Brian Cusick
- Nov 27, 2017
- Tested on Splunk Version: N/A
Splunk allows users to create their own apps and TAs (technology add-ons) to allow for custom configurations within Splunk. As the Splunk community grows, it's nice to have the option of evaluating apps or TAs. Brian's latest tutorial goes over a tool that helps with this evaluation, discusses what it's all about, and also includes a tutorial for creating a custom app for Cloud submission to bring things all together.
Splunk AppInspect is used internally at Splunk for app certification testing and Cloud installation approval, among many other things. I wrote this document to help users understand what’s important when submitting TAs to Splunk Cloud, and to allow for a streamlined app install on Cloud instances.
Whenever a request for a TA or app install is sent to Splunk Cloud, one of the very first sanity/security checks is to run the app through AppInspect. This process checks for misconfigurations, Splunk Cloud security requirements, and Splunk Cloud configuration rules. As Splunk Cloud guarantees 100% uptime, it is in everyone’s best interest that nothing is installed on a Splunk Cloud instance that doesn’t meet Cloud requirements.
Splunk AppInspect is free and openly available to anyone.
For this demo, I will be installing Splunk AppInspect on macOS v10.13 (High Sierra).
Note: Splunk states the install has been tested on 10.12, but that it should work for other versions of OS X/macOS as well. For more details around installation requirements, visit Splunk’s development website.
While I’m not here to bore you with CPU/RAM listings, we do need to make sure we run AppInspect with the same settings Splunk will use when it tests the app. Step-by-step instructions are listed by Splunk here.
At a high-level:
Now we’re ready to install AppInspect. Download AppInspect from the Splunk Development site listed above. Once it is installed, you can verify it’s running by issuing the command “splunk-appinspect --help”.
I’ve listed a few other prerequisites that I find useful in order to make sure the process goes smoothly:
The video I am providing with this document talks through the steps of stripping and packaging a custom TA. The main goal of this demo is to submit a TA to Splunk Cloud that contains field extractions, tags, any necessary lookup tables, and eventtypes so that our data is CIM compliant.
The example uses the Citrix Netscaler TA which offers CIM compliance, but includes inputs that are not compatible with Splunk Cloud. Since we are running our inputs from a Heavy Forwarder on-prem, we don’t need any input configurations in the Cloud.
I’ve included the video, as well as the associated content below.
The example case we used has a specific purpose: obtain field extractions, knowledge objects, and CIM compliance for Citrix Netscaler logs on a Cloud search head. With the AppInspect command, we specified that we were testing for Splunk Cloud regulations. We created a “stripped” version of Splunk_TA_citrix-netscaler in order to get our field extractions and tags, while not introducing any unnecessary options for inputs or UI elements. By removing everything except tags, eventtypes, props, transforms, and lookups, we avoided the Cloud discrepancies that the original TA contained. We also changed the id attribute in app.conf’s package stanza to reflect our new TA’s name.
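The stripping steps described above can be scripted. The following is an added example, not taken from the original post or its video; the function names (strip_ta, unexpected_files, package_ta) are hypothetical, and the source path, destination path, and new id are supplied by the caller. It keeps only the files the article names, rewrites the id in the package stanza, and reports anything outside that allow-list (inputs, scripts, UI files) before packaging.

```shell
#!/usr/bin/env bash
# Added example: reduce a TA to search-time knowledge objects for Cloud.
# Paths and the new app id are assumptions supplied by the caller.

# Conf files kept from default/, matching the list in the article.
KEEP_CONFS="props.conf transforms.conf tags.conf eventtypes.conf"

# strip_ta SRC_DIR DST_DIR NEW_ID
strip_ta() {
    st_src=$1; st_dst=$2; st_id=$3
    [ -f "$st_src/default/app.conf" ] || { echo "missing $st_src/default/app.conf" >&2; return 1; }
    [ ! -e "$st_dst" ] || { echo "$st_dst already exists" >&2; return 1; }
    mkdir -p "$st_dst/default" || return 1
    for st_conf in $KEEP_CONFS; do
        [ ! -f "$st_src/default/$st_conf" ] || cp "$st_src/default/$st_conf" "$st_dst/default/" || return 1
    done
    # Lookup tables referenced by transforms.conf live in lookups/.
    [ ! -d "$st_src/lookups" ] || cp -R "$st_src/lookups" "$st_dst/lookups" || return 1
    # Rewrite id only inside the [package] stanza; other stanzas pass through.
    awk -v id="$st_id" '
        /^\[/ { in_pkg = ($0 ~ /^\[package\]/) }
        in_pkg && /^[ \t]*id[ \t]*=/ { print "id = " id; next }
        { print }
    ' "$st_src/default/app.conf" > "$st_dst/default/app.conf" || return 1
    # Fail if the source had no id line in [package] to rewrite.
    grep -qxF "id = $st_id" "$st_dst/default/app.conf"
}

# unexpected_files DIR: print files outside the allow-list; status 1 if any exist.
unexpected_files() {
    uf_found=$(cd "$1" && find . -type f \
        ! -path './lookups/*' \
        ! -path './default/app.conf' \
        ! -path './default/props.conf' \
        ! -path './default/transforms.conf' \
        ! -path './default/tags.conf' \
        ! -path './default/eventtypes.conf')
    [ -z "$uf_found" ] || { printf '%s\n' "$uf_found"; return 1; }
}

# package_ta DIR: write DIR.tgz beside DIR with the folder name as archive root.
# COPYFILE_DISABLE=1 stops macOS tar from adding ._ resource-fork files.
package_ta() {
    COPYFILE_DISABLE=1 tar -czf "$1.tgz" -C "$(dirname "$1")" "$(basename "$1")"
}
```

Once the package is built, “splunk-appinspect inspect <package>.tgz --included-tags cloud” limits the run to the Cloud checks.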
Now that we have a TA that has passed inspection, we are ready to submit for installation. Do this by navigating to support.splunk.com and logging into the Support Portal (using the account that is permissioned to your Splunk Licensing Entitlement).
From there, you can raise a request by clicking “Submit New Case” for your TA to be installed.
I’ve included a request example for reference that I typically use when requesting a TA for field extractions be installed on a Cloud Search Head.