My Environment
I have a heavy forwarder that collects REST data and a load-balanced set of heavy forwarders that collect syslog. These servers also collect other data; they are not dedicated to Isilon. I have a search head cluster that hosts the App and a multi-site indexer cluster.
My Installation
The heavy forwarder that collects REST data from the Isilon cluster node has the Add-on installed with the isilon_setup.py and macros.conf changes described below. Delete default/inputs.conf, default/eventgen.conf, and the samples/ directory.
The heavy forwarders that collect syslog have no Isilon app components installed. My general-purpose syslog collection is configured so that Isilon sources are source-typed as emc:isilon:syslog. You will have to set up something like what Crest supplied with their default/inputs.conf.
The indexers have no Isilon app components installed. Obviously they have indexes configured, one of which is for Isilon events.
The search head cluster has the Add-on and App installed with the distsearch.conf and macros.conf changes. Delete default/inputs.conf, default/eventgen.conf, and the bin/ and samples/ directories.
Changes
Create local/distsearch.conf containing:
[replicationSettings:refineConf]
replicate.macros = true
Why?: Search heads do not normally put macros into the bundles that they forward to their indexers. This changes that behavior. Don't bother putting the macro directly on your indexers; it has to come from your search tier as part of a search bundle. The locally defined macro is only used when you run the search on the indexer itself, like from the indexer's UI.
Create local/macros.conf containing:
[isilon_index]
definition = index=thenameofyourindex
iseval = 0
Why?: The 'isilon_index' macro is not defined in default/macros.conf (it should be IMO), and your searches will fail with errors because the macro is not defined. This affects not only Isilon-related searches but also other searches that use certain tags and/or event types. Change the index name to match whatever you want to use as an index. The default name is 'isilon'. That's what the app sets if you do not provide an index name on the setup screen. That's also the index you are stuck with if you run setup again for the same node with a new index name. You must edit local/inputs.conf directly if you want to change the index after initial configuration – the setup screen will ignore an index name if one is already set (tested with v2.3).
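As a pre-flight check covering both the distsearch.conf and macros.conf steps above (an added example, not code from the Crest app or from Splunk): this Python script parses the two local files in Splunk's stanza format and reports whether replicate.macros is enabled and whether isilon_index is a plain macro that expands to a real index name rather than the placeholder. The file contents embedded below are constructed samples.

```python
import configparser
import re

def parse_conf(text):
    """Parse Splunk-style .conf text (INI stanzas) into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # Splunk keys are case-sensitive
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def check_distsearch(conf):
    """The search head must ship macros to the indexers in the bundle."""
    stanza = conf.get("replicationSettings:refineConf", {})
    if stanza.get("replicate.macros", "").strip().lower() != "true":
        return ["distsearch.conf: replicate.macros is not true under "
                "[replicationSettings:refineConf]; indexers will not receive isilon_index"]
    return []

def check_macros(conf):
    """isilon_index must be a plain macro expanding to index=<real name>."""
    stanza = conf.get("isilon_index")
    if stanza is None:
        return ["macros.conf: [isilon_index] stanza missing; searches using it will error"]
    problems = []
    definition = stanza.get("definition", "").strip()
    match = re.fullmatch(r"index\s*=\s*([A-Za-z0-9_\-]+)", definition)
    if not match:
        problems.append("macros.conf: definition should be 'index=<name>', got %r" % definition)
    elif match.group(1) == "thenameofyourindex":
        problems.append("macros.conf: isilon_index still points at the placeholder index name")
    if stanza.get("iseval", "0").strip() != "0":
        problems.append("macros.conf: isilon_index must not be an eval macro (iseval = 0)")
    return problems

def check_setup(distsearch_text, macros_text):
    """Return all findings; an empty list means both files match the recipe above."""
    return check_distsearch(parse_conf(distsearch_text)) + check_macros(parse_conf(macros_text))

# Constructed sample file contents, not copied from any real deployment
DISTSEARCH_OK = "[replicationSettings:refineConf]\nreplicate.macros = true\n"
MACROS_OK = "[isilon_index]\ndefinition = index=isilon\niseval = 0\n"
MACROS_PLACEHOLDER = "[isilon_index]\ndefinition = index=thenameofyourindex\niseval = 0\n"

if __name__ == "__main__":
    for finding in check_setup(DISTSEARCH_OK, MACROS_PLACEHOLDER):
        print(finding)
```

Point it at the real local/distsearch.conf and local/macros.conf on a search head cluster member by reading those files into the two text arguments.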
Remove (comment) lines 145-148 of bin/isilon_setup.py:
#indexes = en.getEntities(['data', 'indexes'], count=-1, sessionKey=sessionKey)
#if not index in indexes.keys():
#    logger.error("EMC Isilon Error: index %s does not exist" % index)
#    raise Exception("EMC Isilon Error: index %s does not exist" % index)
Why?: The app insists that you have a local index on the heavy forwarder that you are using for collection. Why? Because the TA was written with a single-instance Splunk environment in mind, I guess. Crest is not unique in writing code that assumes that the index is defined on the local Splunk instance even if it doesn't make any sense. Splunk even does it. Mind-boggling. This code will cause the setup to fail with an error. It doesn't bother mentioning that it is failing because an index that you do not need does not exist, which would be helpful and not just frustrating. Of course, make sure the index exists on the indexer tier where REST data is heading.