I've built an app that must use the Splunk eventgen from github as well as the custom eventgen directory I created to house my event.conf and sample file that the eventgen uses. I've tried to tar my app with both the eventgen/ and internal_eventgen/ directories so that they all get installed with the app package, but when I test my .spl file I get an error in Splunk saying "There was an error processing the upload."
Can I do this? If yes, how do I get around this error? Any advice so that the eventgen and related/required eventgen configuration can be included with my .spl package would greatly be appreciated.
TYIA!
Paul
Your packaged application should only contain your eventgen.conf file and you samples referenced in this file. Here is an example directory structure:
$SPLUNK_HOME/
etc/
apps/
YOUR_APP/
default/
eventgen.conf
samples/
sample_files
Take a look at the Cisco ASA add-on for a good example.
If someone wants to generate events based off or your eventgen.conf file and samples, they will need to install the eventgen app onto their Splunk instance.
Your packaged application should only contain your eventgen.conf file and you samples referenced in this file. Here is an example directory structure:
$SPLUNK_HOME/
etc/
apps/
YOUR_APP/
default/
eventgen.conf
samples/
sample_files
Take a look at the Cisco ASA add-on for a good example.
If someone wants to generate events based off or your eventgen.conf file and samples, they will need to install the eventgen app onto their Splunk instance.
So though I can ta/gzip the package with the eventgen stuff, Splunk's app management/installation will not allow me to include all the directory and files associated with eventgen/? I'd really like to have this so that a customer could install it in one shot like that......
The GUI installation feature of Splunk is meant to install a single app. It sounds like you are trying to package 2 apps together (your application and the eventgen application). This won't work in the Splunk web GUI. But, you can have your customer uncompress your 2 applications together in $SPLUNK_HOME/etc/apps outside of the GUI. The directory structure should like like this in the end:
$SPLUNK_HOME/
etc/
apps/
YOUR_APP/
SA-Eventgen/
Yes, that's exactly what I was trying to do. But I think since we now have the Eventgen on splunkbase.splunk.com (or at least a reference so that people can go download it and use it) I'll do what you recommended and just keep the eventgen/ separate. I just did a test run of the app I'm creating with the eventgen.conf and samples/ directory in my app and then installed the eventgen via the Splunk web gui and it worked fine. Yes, its another step for people, but it keeps the package clean and plus, I do want to upload this one to splunkbase.splunk.com.
Thanks Jason!