This is an add-on powered by the Splunk Add-on Builder.
The NetApp StorageGRID Add-on for Splunk gathers data from a NetApp StorageGRID environment, indexes it, and provides the indexed data to the "NetApp StorageGRID App for Splunk", which runs searches on the indexed data and builds dashboards from it. The NetApp StorageGRID App for Splunk can be downloaded from here.
This Add-on is supported on all tiers of a distributed Splunk platform deployment and also on a standalone Splunk instance. The table below is a reference for installing the Add-on on a distributed Splunk deployment:
|Splunk instance type||Supported||Required||Comments|
|Search Heads||Yes||Yes||This Add-on is required on Search Heads as it contains search-time extractions. This Add-on also contains alert actions. To use these actions, the user needs to configure the Add-on on the Search Head.|
|Indexers||Yes||No||All parsing will be done on heavy forwarder only.|
|Heavy Forwarders||Yes||Yes||This Add-on supports only heavy forwarder for data collection.|
Follow the link mentioned below to install the App based on your deployment:
If an older version of the Add-on is already installed in your Splunk instance, you can upgrade the Add-on in the following two ways:
Using the latest version available on Splunkbase.
You can download the latest version of the Add-on from Splunkbase and upload it into Splunk by navigating to
Configure the Add-on by following the steps below.
Fill in the appropriate details in the dialog box. Refer to the table below for the details.
|IP/URL||Yes||IP or URL of StorageGRID|
|Username||Yes||The username belongs that|
|Password||Yes||The password for the above user|
|Confirm Password||Yes||Re-enter the password|
This configuration is saved in a conf file for data collection. To start data collection, create an input and keep that input enabled.
Fill in the appropriate details in the dialog box. Refer to the table below for the details.
|Name||Yes||Unique name to identify input|
|Interval||Yes||Interval, in seconds, at which the input is executed (integer; keep the interval between 60 and 86400 seconds)|
|Index||Yes||Select an Index from the dropdown (defaults to main index).|
|Source Name||No||Unique name to identify the source across different inputs; defaults to storagegrid_api_input|
The Splunk REST API encrypts the password and stores it, in encrypted form, in the Add-on's own folder. The REST modular script fetches these credentials through the REST API to connect to StorageGRID.
Please note that this Add-on supports HTTPS connections and SSL checks for communication between Splunk and NetApp StorageGRID out of the box. If StorageGRID has a self-signed certificate, then to collect data through a secure network channel (with certificate checks) you first need to obtain the certificates required for successful SSL verification with your StorageGRID. Copy the content of the PEM file into: $SPLUNK_HOME/etc/apps/TA_netapp-sg/bin/ta_netapp_sg/certifi/cacert.pem. Once the certificate has been copied to that location, configure StorageGRID from the UI as described above in the Configuring REST API section.
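The copy step above, sketched as an added example (not code shipped with the Add-on): it appends the StorageGRID certificate to the bundle instead of replacing the file, keeps a backup, and does nothing if the certificate is already present. The function names and the placeholder PEM blocks are assumptions made for the illustration.

```python
import base64
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def fingerprints(pem_text):
    """SHA-256 of the decoded bytes of every certificate block in pem_text."""
    return [hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(pem_text)]


def add_to_bundle(bundle_path, cert_pem):
    """Append cert_pem to the CA bundle unless it is already there.

    Returns True if the bundle was changed. The bundle is first copied to
    <name>.bak, and the CA certificates already in it are left in place.
    """
    bundle = Path(bundle_path)
    new = fingerprints(cert_pem)
    if len(new) != 1:
        raise ValueError("expected exactly one certificate block")
    existing = bundle.read_text(encoding="utf-8")
    if new[0] in fingerprints(existing):
        return False                      # already trusted, nothing to do
    shutil.copy2(bundle, bundle.with_name(bundle.name + ".bak"))
    with bundle.open("a", encoding="utf-8") as fh:
        fh.write(("" if existing.endswith("\n") else "\n") + cert_pem.strip() + "\n")
    return True


def fake_pem(seed):
    """Constructed placeholder block (hash bytes, not a real certificate)."""
    body = base64.encodebytes(hashlib.sha512(seed).digest()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp) / "cacert.pem"  # stands in for .../certifi/cacert.pem
        bundle.write_text("# constructed bundle\n" + fake_pem(b"public-ca"))
        print(add_to_bundle(bundle, fake_pem(b"storagegrid-self-signed")))
```

The bundle sits under bin/ rather than local/, so re-check it after upgrading the Add-on.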
If you want to configure StorageGRID and collect the data through unencrypted communication (without certificate checks), you must disable the SSL check flag in ta_netapp_sg_settings.conf in the local directory.
Follow these steps to disable the SSL check flag:
Create or update ta_netapp_sg_settings.conf and add the cert_verify parameter under the additional_parameters stanza to set data collection over HTTP without certificate checks.
[additional_parameters]
cert_verify = 0
Restart Splunk.
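Because this flag turns certificate verification off, it is worth checking which hosts carry it. The following added example (not part of the Add-on) reads ta_netapp_sg_settings.conf from the app's default and local directories, applies Splunk's local-over-default precedence, and reports the effective cert_verify value. The sample tree is constructed, and treating spellings other than 0 as "off" is an assumption.

```python
import configparser
import tempfile
from pathlib import Path

CONF = "ta_netapp_sg_settings.conf"      # file name from the page
STANZA, KEY = "additional_parameters", "cert_verify"
DISABLED = {"0", "false", "no", "off"}   # assumption: only "0" is shown on the page


def effective_cert_verify(app_dir):
    """Return (value, layer) after Splunk's local-over-default layering."""
    value, layer = None, None
    for name in ("default", "local"):    # local is read last, so it wins
        path = Path(app_dir) / name / CONF
        if not path.is_file():
            continue
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.read(path, encoding="utf-8")
        if cp.has_option(STANZA, KEY):
            value, layer = cp.get(STANZA, KEY).strip(), name
    return value, layer


def audit(app_dir):
    """Report whether certificate verification is switched off for the add-on."""
    value, layer = effective_cert_verify(app_dir)
    disabled = value is not None and value.lower() in DISABLED
    return {"verify_disabled": disabled, "value": value, "layer": layer}


def build_sample_app(root, local_value=None):
    """Constructed tree standing in for $SPLUNK_HOME/etc/apps/TA_netapp-sg."""
    app = Path(root) / "TA_netapp-sg"
    (app / "default").mkdir(parents=True)
    (app / "default" / CONF).write_text("[logging]\nloglevel = INFO\n")
    if local_value is not None:
        (app / "local").mkdir()
        (app / "local" / CONF).write_text(f"[{STANZA}]\n{KEY} = {local_value}\n")
    return app


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(build_sample_app(tmp, local_value="0")))
```

Point `audit()` at the real app directory on each heavy forwarder to list the instances where the check has been disabled.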
**2.1) On the StorageGRID System:**
Configure the Audit Client for NFS (Source: StorageGRID Administrator Guide (Pg. 185) https://library.netapp.com/ecm/ecm_download_file/ECMLP2753104).
1. Start the NFS configuration utility. Enter: config_nfs.rb
2. Add the audit client (to be done for the first time only):
   a) Enter: add-audit-share. (If you get the 'Cannot add share, an audit share already exists.' message, then move to step 3 from here.)
   b) When prompted, enter the Splunk IP address range. IP address ranges must be expressed using a subnet mask in CIDR notation (that is, in a form such as 192.168.110.0/24).
   c) When prompted, press <Enter>. The NFS configuration utility appears and the default audit share is added.
3. If more than one Splunk Server is permitted to access the audit share, add the IP address of the server:
   a) Enter: add-ip-to-share. A numbered list of the audit shares configured on the Admin Node is displayed. The audit share is named /var/local/audit/export.
   b) Enter the number of the audit share. Enter: <audit_share_number>
   c) When prompted, enter the Splunk Server's IP address or IP address range for the audit share. Enter: <Splunk_Server_IP>. IP address ranges must be expressed using a subnet mask in CIDR notation (that is, in a form such as 192.168.110.0/24).
   d) When prompted, press <Enter>. The NFS configuration utility is displayed.
   e) For each additional Splunk Server that should have access to the audit share, repeat step 3 above.
4. Optionally, verify your configuration.
   a) Enter: validate-config. The services are checked and displayed.
   b) When prompted, press <Enter>. The NFS configuration utility is displayed.
5. Close the NFS configuration utility. Enter: exit
NFS audit Splunk Servers are granted access to an audit share based on their IP address.
Grant access to the audit share to a new NFS Splunk Server by adding its IP address to the share, or remove an existing Splunk Server by removing its IP address.
**2.2) On the Splunk Server:**
Linux:
------
NFS-mount the audit share directory using the syntax below so that Splunk can read it locally:
mount -t nfs -o proto=tcp,port=2049 StorageGRID_System_IP:Path_to_audit_share local_path_to_mount
E.g. mount -t nfs -o proto=tcp,port=2049 <GRID_IP>:/var/local/audit/export /usr/local/src/temp/
Windows:
-------
1. To install 'Client Services for NFS', go to the Add/Remove Software wizard in the Control Panel. Click on Turn Windows features on or off.
OR
=> In Windows Server 2008 R2, click Start, point to Administrative Tools, and then click Server Manager.
- In the left pane, click Roles.
- Under Roles Summary in the right pane, click Add Roles. The Add Roles Wizard appears. Click Next.
- Select the File Services check box to install this role on the server, and then click Next.
- Select the Services for Network File System check box, and then click Next.
- Confirm your selection, and then click Install.
- When the installation completes, the installation results appear. Click Close.
=> In command line, mount //StorageGrid_system_ip/audit_share_path [Drive_letter]
E.g. mount [options] //<GRID_IP>:/var/local/audit/export H:
=> In Windows Server 2008 R2: mount \\GRID_IP\var\local\audit\export [drive letter]
The NetApp StorageGRID Add-on for Splunk provides the search knowledge objects for StorageGRID data in the following formats:
|Data Source||Sourcetype||Source||CIM Models|
|Rest API||grid:rest:api||1. Management APIs
2. Prometheus endpoints
|Audit Logs||grid:auditlog||Audit logs of StorageGRID||-|
To uninstall the add-on, follow the steps below:
SSH to the Splunk instance.
Go to the apps folder ($SPLUNK_HOME/etc/apps).
Remove the TA_netapp-sg folder from the apps directory.
The add-on's system and input configuration pages do not load
Data is not being collected
The following search query can be used to verify whether data is being collected:
search `get_sg_index` | stats count by sourcetype
In particular, you should see these sourcetypes:
If you don't see these sourcetypes:
1. Verify the configuration provided in the Add-on, i.e. URL, username and password.
2. Verify the parameters provided for the input, i.e. index, source and interval, and that the input is enabled.
3. If a proxy is enabled, verify the proxy server details provided in the add-on and that the proxy server is working properly.
4. If the StorageGRID instance has a self-signed SSL certificate, then the entry for that SSL certificate might be missing from your operating system's certificate store. In this case, you would encounter an SSLHandshakeError. Resolve the issue by adding the certificate to your operating system's trust list. Please refer to the "Configuring the REST API over secure network connection" section.
5. If your data collection is over unencrypted communication, you must disable the SSL check flag in the Add-on. Please refer to "Configuring the REST API over insecure network connection".
6. Search for any error messages logged by the data collection script while trying to fetch REST API data. Here is a sample search that will show them:
index=_internal sourcetype="tanetapp:sg:log" ERROR
Fields are not being extracted
Added support for Alerts data for NetApp StorageGRID v11.4 onwards.
Added support for Splunk v8.1.x