FAQ: Splunk Integration

Installation and Upgrading

How do you install the Apteligent app onto Splunk?

There are two different ways to install the Apteligent application.

  1. Install the application from the file through the web interface.
    From the Splunk interface, navigate to Manage Apps and then click on Install app from file.
    png_base64bb974694d636e67.png
    Upload the Apteligent app named "apteligent-splunk-<version number="">.tgz"
    png_base64aa187e813e1f9f9c.png
    Restart Splunk.
    Note: In older versions, this might be called "crittercism-splunk-<version number="">.tgz". 
  2. Install the app from file through the command line. Under the Apteligent app under the $SPLUNK_HOME/etc/apps directory and restart Splunk.

 

What Apteligent credentials are needed to use the Splunk app?

The app requires an Apteligent username and OAuth token. A new OAuth token can be generated in the OAuth Tokens tab in the User's Settings page here.

Please note that the user must have API access privileges in order to be able to use their OAuth token to access the Splunk integration.

More details about the Apteligent API can be found here.

 
Note: If you are using an older version of the Splunk integration, the app requires the Apteligent login email as the username, the Apteligent login password, and the Client ID also found on the OAuth Tokens tab on the User Settings page.

 

How do I restart the process if I mistype credentials?

Go to $SPLUNK_HOME/etc/apps/crittercism/local and delete the two files app.conf and crittercism.conf. Then restart Splunk.

For example, on a Mac, these files are located in /Applications/Splunk/etc/apps/crittercism/local

 

Will the Splunk app create any new indexes?

This app will create a new index called "crittercism" upon installation. This index must exist on any indexer that is receiving crittercism data.

 

How do I setup the app for a multi-server Splunk environment?

The Apteligent app should be installed on a maximum of one indexer or persistent forwarder. All search heads should have the apps installed with the disabled input script. (The dashboards need to be installed on the search heads, and then the script disabled.)

 

How do I upgrade to a new version of the app?

Upgrading is performed in the same manner as installation. 

 

How the App Works

Where does the app get the data?

The app retrieves data from the Apteligent API. The app then creates a special Apteligent data index.

 

How often is the data pulled from the API?

Currently (as of April 15, 2015), there are 10 API calls made to the Apteligent API endpoints every 10 minutes.

 

How are dashboards created?

Each dashboard consists of various panels showing tables, charts, and other visualizations. Each panel is a specialized search query into the data.

 

What versions of Splunk does it support?

The app has been tested against Splunk versions 6.0, 6.1, and 6.2.

 

How do I delete the app?

Delete the directory $SPLUNK_HOME/etc/apps/crittercism, then restart Splunk.

 

How do I delete the data from the app?

From a command line, run the following command:

splunk clean eventdata -index crittercism

 

Troubleshooting

Known errors reported in the Splunk console: "duplicate labels"

This error can occur if the app is installed on the same Splunk instance as a different user. If so, the fix is to delete the existing crittercism index, then to restart the Splunk server.

 

I updated the Apteligent App and now I'm not seeing any new data.

If you are upgrading from a version older than 1.3, you'll need to reconfigure the app to utilize the new authentication configuration:

  1. Go to $SPLUNK_HOME/etc/apps/crittercism/local and delete the two files app.conf and crittercism.conf.
  2. Restart Splunk
  3. Re-configure the integration using your Apteligent username and OAuth token. You can generate a new OAuth token in the OAuth Tokens tab in the user's settings page as mentioned above here.
  4. Update complete! Note: you may have to wait ~10 minutes for new data to appear.
Have more questions? Submit a request

0 Comments

Article is closed for comments.