I'm running Splunk for Enterprise 7.3.0 on Ubuntu 18.04 doing a demo deployment with a sales trial license. It's a single instance deployment with only a handful of hosts, but the production deployment will separate out the roles to different servers.
I would like to deploy the Splunk App for Windows Infrastructure app and the other Windows add-ons to my Windows Universal Forwarders, as listed here: https://docs.splunk.com/Documentation/MSApp/1.5.2/MSInfra/HowtodeploytheSplunkAppforWindowsInfrastructure (not enough karma for links, sorry). It's my understanding that I would have to do the following to prep an app for deployment:
1. Download the "Splunk Add-on for Windows" from Splunkbase (App 742) .tgz file.
2. Manually extract and copy the contents of the app to $SPLUNK_HOME/etc/deployment-apps/.
3. Manually restart splunk with "splunk reload deploy-server", non-optional.
This procedure is completely different than the easy GUI-based approach when adding apps to my search head.
1. Click Apps -> Find More Apps
2. Search for the App through Splunkbase, even seeing which apps are already installed.
3. Click Install. Authenticate and accept the T&Cs.
4. Click Restart if needed.
If there's an update to an app installed via Splunkbase, and the app is visible, I can click the update button in the listed apps on the home page. To update the same deployed app on the same splunk instance, it appears I have to do the manual process.
Since my search head is also my deployment server, shouldn't installing deployable apps have the same ease and functionality? If I want to update a deployed app that's on Splunkbase, do I have to do this manual process for each Splunkbase app? Is there a GUI based way to install apps for deployment, be it either from Splunkbase or manually written? Am I missing something in my workflow? Is there an app that offers this functionality, or at least notifies me if a Splunkbase deployed app is out of date? I don't want to deploy outdated, broken, or exploitable apps, especially if there's a newer version available.
I can understand the need for maintaining older versions of deployed apps, and not wanting them to update when a Splunkbase maintainer updates their app, but I think there would be the option of at least updating the app through some process in the GUI, or at least notifying the user an update is available.
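As an added example (not part of the original post and not Splunk's own tooling), manual steps 2 and 3 above can be wrapped in a shell function that stages a package only when the `version` in its `default/app.conf` differs from the copy already under deployment-apps. The function names, the handling of `local/`, and the assumption that the package contains one top-level app directory are choices made for this example.

```shell
#!/bin/sh
# Added example: stage a Splunkbase .tgz into deployment-apps only when its
# version differs from the staged copy. Function names are hypothetical.

# Print the first "version = ..." value from an app.conf (empty if no file).
app_version() {
    [ -f "$1" ] || return 0
    sed -n 's/^[[:space:]]*version[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# stage_app <package.tgz> <deployment-apps dir>
# Prints "staged <app> <version>" or "unchanged <app> <version>".
stage_app() {
    pkg=$1; dest=$2
    tmp=$(mktemp -d) || return 1
    tar -xzf "$pkg" -C "$tmp" || { rm -rf "$tmp"; return 1; }
    # Assumption: the package holds a single top-level directory (the app).
    app=$(ls "$tmp" | head -n 1)
    new=$(app_version "$tmp/$app/default/app.conf")
    old=$(app_version "$dest/$app/default/app.conf")
    if [ -n "$new" ] && [ "$new" = "$old" ]; then
        rm -rf "$tmp"
        echo "unchanged $app $old"
        return 0
    fi
    # Carry over local/ (site-specific settings); replace everything else.
    if [ -d "$dest/$app/local" ]; then
        rm -rf "$tmp/$app/local"
        mv "$dest/$app/local" "$tmp/$app/local"
    fi
    rm -rf "$dest/$app"
    mv "$tmp/$app" "$dest/$app"
    rm -rf "$tmp"
    echo "staged $app $new"
}

# Usage: sh stage_app.sh <package.tgz> "$SPLUNK_HOME/etc/deployment-apps"
if [ "$#" -eq 2 ]; then
    stage_app "$1" "$2"
fi
```

When the function prints `staged`, run `splunk reload deploy-server` as in step 3 so the deployment server picks up the change.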