Skip to content
This repository has been archived by the owner on Nov 16, 2023. It is now read-only.

Linux Dependency Installation

Jump to bottom
Greg Oliver edited this page May 2, 2017 · 8 revisions

In version 1.1.0, a special scripted input was added to the 3 existing inputs. The job of this scripted input is to install Python and Node.js dependencies for this add-on. It executes upon Splunk restart. Each step tests to see if it's needed before executing. If the script has run successfully once, it takes less than 10 seconds to execute these tests. The progress of the script may be tracked with "index=_internal sourcetype=ta:installer". There are several lines in the log ("logging break") that are there to avoid the 256 line maximum enforced by default in Splunk.

The implementation of this scripted input involves two artifacts:

  • a new stanza in default/inputs.conf
  • a shell script - bin/linux_dependencies.sh

When the SPL is initially installed, Splunk will still issue the warning about inability to initialize the add-on:

Unable to initialize modular input "azure_monitor_metrics"  
defined inside the app "TA-Azure_Monitor":  Introspecting  
scheme=azure_monitor_metrics: script running failed  
(exited with code 1).

A Splunk restart executed by root at a shell prompt (NOT Server Controls restart) is required for the script to run successfully. It runs as root. Disable/Enable the add-on after the script completes to clear the warning.

At a high level, the script does the following:

  • apt-get update
  • install node.js + npm
  • install the node.js packages needed by the add-on
  • install python pip.
  • install various python packages required for building cryptography module
  • install Azure Directory Authentication Library (adal)
  • install splunk-sdk
  • install futures (a Python package that implements parallel processing)

The script takes about 5 minutes to run. If you are tracking (index=_internal sourcetype=ta:installer), the last line of the script will say "Logging break - copy libraries to add-on folder". At this point, disable/enable the add-on and proceed with configuration of the data inputs.

After the script has run successfully once, future restarts of Splunk will of course run it again. You'll see the logging breaks in sourcetype ta:installer as before. But the logs are mostly empty because the tests prevent re-execution of the steps. Some of the tests are a little verbose, but they take no time to speak of.

If you want to prevent re-runs of the script, remove the stanza from default/inputs.conf. However, doing this will prevent future versions of the dependency script from updating dependencies as they change in the future.

Azure Monitor Addon For Splunk

Clone this wiki locally