Splunk Search

Variables available in input app

echalex
Builder

Hi,

I need to reference a file distributed by an input app from within the app itself (outputs.conf). I need to configure a specific receiver with a specific certificate with this app.

I've tried specified a relative path, but it doesn't seem to work:

# first try:
sslRootCAPath = specific-cert.pem
# second try:
sslRootCAPath = ./specific-cert.pem
# third try (copied it first to another dir called certs)
sslRootCAPath = ./certs/specific-cert.pem
# fourth and only successful try:
$SPLUNK_HOME/etc/apps/the_specific_app_directory/certs/specific-cert.pem

However, I'm not happy with this, since the name of the directory may change and I may copy this configuration to other apps as well.

So, is there a generic way of referencing the app's directory? Based on the scripted inputs in the Splunk_TA_nix configuration, I thought a dot might work, but it does not seem to work.

Tags (2)
0 Karma
1 Solution

kristian_kolb
Ultra Champion

You can create an app which contains the outputs.conf and the certificates. Even if you specify the path like in your fourth example, you can still have control over it through Deployment Server.

Using DS the directory will not change unless you deploy it so, and then the certs will go with it.

Perhaps I've misunderstood your problem.


UPDATE:

Probably bad for a number of reasons I don't have energy to think about right now...but I guess you could make more than one app.

  • A generic CertsApp which can be deployed as you like containing several certs.
  • One (or more) apps that uses certs in the CertsApp

That would let you reference the certificates fairly statically from whatever outputs.conf you want.

outputs.conf in /etc/apps/blah/local:

sslRootCAPath = $SPLUNK_HOME/etc/apps/CertsApp/local/certs/certificate_1.pem

/K

View solution in original post

kristian_kolb
Ultra Champion

You can create an app which contains the outputs.conf and the certificates. Even if you specify the path like in your fourth example, you can still have control over it through Deployment Server.

Using DS the directory will not change unless you deploy it so, and then the certs will go with it.

Perhaps I've misunderstood your problem.


UPDATE:

Probably bad for a number of reasons I don't have energy to think about right now...but I guess you could make more than one app.

  • A generic CertsApp which can be deployed as you like containing several certs.
  • One (or more) apps that uses certs in the CertsApp

That would let you reference the certificates fairly statically from whatever outputs.conf you want.

outputs.conf in /etc/apps/blah/local:

sslRootCAPath = $SPLUNK_HOME/etc/apps/CertsApp/local/certs/certificate_1.pem

/K

kristian_kolb
Ultra Champion

Well - glad you like it. I was more concerned with having a lot of certs lying around on servers that weren't using them.

0 Karma

echalex
Builder

That solution is simple and scalable. I don't see anything bad with it.
Actually, I need the cert for at least two different apps, so this would save me some typing. Of course, there will be a dependency from one app to the other, but I should be able to work with that.

Thanks!

0 Karma

kristian_kolb
Ultra Champion

update above.

0 Karma

echalex
Builder

Hi. Yep, that is exactly what I'm doing, but I would like to point to the certificate without using the entire name of the app.

Something like
sslRootCAPath = $APP_DIRECTORY/certs/specific-cert.pem

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...