
Customized Application Creation and Deployment

Each application has 3 components:

1) Application APPS: This is installed on the Search Head. All searches, queries, dashboards,
reports and alerts are stored in this App.
2) Application TA or Add-on for Indexer: This is installed on the Indexer. It creates the
indexes needed to store the data for the App.
3) Application TA or Add-on for Client (Universal Forwarder): This is installed on the client's
Universal Forwarder. It collects the necessary data from the client and sends it to the Indexer.

Creating Customized APPS:

Log in to the Master server (in a distributed environment) > Click on Splunk > Create App, and
specify the App name and App folder name.

Now the App is created; in this example the App name is Syslog.

You can find the created App under $splunkhomedirectory/etc/apps

Next step is to push this App to the Search Head:

a) $splunkhomedirectory/etc/cluster/apps is the directory where all search-related apps
need to be copied. Once we copy the App to this directory, the Search Head bundle distribute
command copies the app to the Search Head.
b) #cp $splunkhomedirectory/etc/apps/syslog $splunkhomedirectory/etc/cluster/apps
c) Now we need to distribute this app to the Search Head. For this we need to find out which
node is the Captain in the Search Head cluster.
d) Run this command on any of the search heads: #$splunkhomedirectory/bin/splunk show cluster-status
e) Run this command on the Master to push the app to the Search Head Captain:
f) #splunk apply cluster-bundle -target <URI>:<management port> -auth
<username>:<password>
Note: -target is the IP address of the Captain, for example -target https://192.168.1.51:8089
g) Log in to the Search Head web UI and check for the Syslog app.

Prepare and deploy TA or Add-on for Indexer:

a) Copy the App created (example: Syslog) from $splunkhomedirectory/etc/apps/syslog to
$splunkhomedirectory/etc/master-apps
b) $splunkhomedirectory/etc/master-apps is the directory where all TAs or Add-ons for the indexer
are stored, and they are distributed from this directory to the indexers.
c) Create an indexes.conf file in $splunkhomedirectory/etc/master-apps/syslog/local
d) In indexes.conf we define the index name and the paths of the index's hot, cold and thawed
folders, which are used on the Indexer.
e) indexes.conf file content (the stanza name is the index name and must be lowercase, matching
the "syslog" index referenced later):
[syslog]

homePath = $SPLUNK_DB/syslog/db
coldPath = $SPLUNK_DB/syslog/colddb
thawedPath = $SPLUNK_DB/syslog/thaweddb
maxDataSize = 10000

f) Now log in to Splunk Web and distribute this directory to the indexers:
Splunk Web > Settings > Indexer clustering > Edit > Distribute bundle
g) Log in to the Indexer and verify that the syslog directory was copied to the Splunk indexer
under the path below:
$splunkhomedirectory/etc/slave-apps
h) Also verify that the necessary index "syslog" was created, in Splunk Web:
Splunk Web > Settings > Indexes

Prepare and deploy TA or Add-on on the client using the Deployment server (part of Master):

a) Copy the created app from $splunkhomedirectory/etc/apps/syslog to
$splunkhomedirectory/etc/deployment-apps
b) Next step is to create the necessary inputs.conf and outputs.conf
#cd $splunkhomedirectory/etc/deployment-apps/syslog/local
Create inputs.conf
#vi inputs.conf
[monitor:///var/log]
sourcetype = syslog
index = syslog
c) Create outputs.conf with the content below
#vi outputs.conf
[tcpout:group3]
server=192.168.1.52:9997,192.168.1.53:9997
(server lists the IP addresses of indexer1 and indexer2)

d) Now distribute this TA or Add-on to the client
e) Log in to Splunk Web > Forwarder Management >
Click on Apps:
Click on "syslog" > Edit
Add the necessary "Server Class" and save.

This pushes the app to the client, and collection of the necessary logs starts.
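As an added example that is not part of this walkthrough, the script below checks that the three .conf pieces prepared above agree with each other before the bundles are distributed: a lowercase stanza name in indexes.conf, an inputs.conf index that the indexer add-on actually defines, and well-formed host:port entries in outputs.conf. The .conf contents embedded in it are constructed samples.

```python
# Added example (not from the original page): a consistency check across the
# three add-on pieces described above: indexes.conf (indexer), inputs.conf and
# outputs.conf (forwarder). The sample .conf contents are constructed.
import configparser
import re

INDEX_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9_-]*$")  # Splunk index names are lowercase
SERVER_RE = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}$")    # host:port entries for tcpout

# Constructed samples following the walkthrough; the stanza header is capitalised on purpose.
INDEXES_CONF = """[Syslog]
homePath = $SPLUNK_DB/syslog/db
coldPath = $SPLUNK_DB/syslog/colddb
thawedPath = $SPLUNK_DB/syslog/thaweddb
maxDataSize = 10000
"""
INPUTS_CONF = "[monitor:///var/log]\nsourcetype = syslog\nindex = syslog\n"
OUTPUTS_CONF = "[tcpout:group3]\nserver = 192.168.1.52:9997,192.168.1.53:9997\n"

def parse_conf(text):
    """Parse Splunk .conf text (INI style), keeping key case and literal $ values."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def check_bundle(indexes_conf, inputs_conf, outputs_conf):
    """Return a list of problems; an empty list means the three pieces agree."""
    problems = []
    indexes = parse_conf(indexes_conf)
    for name, keys in indexes.items():
        if not INDEX_NAME_RE.match(name):
            problems.append(f"indexes.conf: [{name}] is not a valid lowercase index name")
        for k in ("homePath", "coldPath", "thawedPath"):
            if k not in keys:
                problems.append(f"indexes.conf: [{name}] is missing {k}")
    for stanza, keys in parse_conf(inputs_conf).items():
        target = keys.get("index")
        if stanza.startswith("monitor://") and target and target not in indexes:
            problems.append(f"inputs.conf: [{stanza}] writes to undefined index '{target}'")
    for stanza, keys in parse_conf(outputs_conf).items():
        if not stanza.startswith("tcpout:"):
            continue
        servers = [s.strip() for s in keys.get("server", "").split(",") if s.strip()]
        if not servers:
            problems.append(f"outputs.conf: [{stanza}] lists no indexer")
        problems += [f"outputs.conf: [{stanza}] bad server '{s}'" for s in servers
                     if not SERVER_RE.match(s)]
    return problems
```

Running check_bundle on the samples reports the capitalised [Syslog] stanza and, as a consequence, the monitor input writing to an index the indexer add-on does not define; lowercasing the header clears both.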
Now log in to the Search Head > select the Syslog App

and run the command as below:

You should be able to find the events collected from the client.
