Downloading Mothership App for Splunk
SHA256 checksum (mothership-app-for-splunk_110.tgz): 48798aa933eb805e2a99fc0c524f4b3196d512afbb390a61cc593d3f07cb3079
SHA256 checksum (mothership-app-for-splunk_100.tgz): 70878a0fabbc5990b287b7a1e44c3d9e5e9fda79a482d10efbb6537812dbb3ad
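
Added example, not part of the original page or the app's own code: a POSIX shell check that compares a downloaded package against the SHA256 values published above and fails closed on a mismatch, an unlisted file name or a missing file. The function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: verify a downloaded Mothership package against the SHA256
# values published on this page before installing it.

# Published checksums, copied from the download notice above.
expected_sha256() {
    case "$(basename "$1")" in
        mothership-app-for-splunk_110.tgz)
            echo 48798aa933eb805e2a99fc0c524f4b3196d512afbb390a61cc593d3f07cb3079 ;;
        mothership-app-for-splunk_100.tgz)
            echo 70878a0fabbc5990b287b7a1e44c3d9e5e9fda79a482d10efbb6537812dbb3ad ;;
        *) return 1 ;;
    esac
}

# Compute the SHA256 of a file with whichever tool is installed.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Returns 0 only when the file exists, its name is one of the published
# packages, and its digest matches. Anything else fails closed:
# 1 = digest mismatch, 2 = file missing, 3 = no published checksum.
verify_package() {
    pkg=$1
    [ -f "$pkg" ] || { echo "missing file: $pkg" >&2; return 2; }
    want=$(expected_sha256 "$pkg") || { echo "no published checksum for $pkg" >&2; return 3; }
    got=$(file_sha256 "$pkg")
    if [ "$got" = "$want" ]; then
        echo "OK $pkg"
    else
        echo "MISMATCH $pkg: got $got, want $want" >&2
        return 1
    fi
}

# Usage: sh verify.sh mothership-app-for-splunk_110.tgz
if [ $# -gt 0 ]; then
    for f in "$@"; do verify_package "$f" || exit $?; done
fi
```

Run it on the downloaded .tgz before uploading the file through the Manage Apps page; a non-zero exit status means the package should not be installed.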

Mothership App for Splunk

Splunk AppInspect Passed

Mothership Documentation

Table of Contents

  1. App Description
  2. Installation
  3. Configuration
  4. Quickstart
  5. Troubleshooting

App Description

Mothership is a Splunk App that provides a single pane of glass into large multi-instance Splunk deployments. Mothership dispatches SPL on remote Splunk instances on a scheduled interval and retrieves and stores search results locally. Field extraction is preserved, requiring no configuration other than a valid username and password for a service account on the remote machine. An administrative interface with REST services is provided to simplify management and reporting. All remote search results are stored in RBAC-controllable stores (i.e., lookups, indexes).

Installation

In a Single-Instance Deployment
  • If you have internet access from your Splunk server, download and install the app by clicking 'Browse More Apps' from the Manage Apps page in the Splunk platform.
  • Otherwise, download the app from Splunkbase and install it using the Manage Apps page in the Splunk platform.
In a Distributed Deployment or a Search Head Cluster Deployment

The Mothership app will write summary results to lookups (transforming searches) and/or indexes (non-transforming searches). In a distributed environment or Search Head Cluster, lookups populated by Mothership can be replicated across the cluster. This means that a Mothership instance running exclusively transforming searches (which write to a lookup) will work with a properly configured Distributed or Search Head Cluster Deployment. Non-transforming searches (which write to an index) are currently not supported in a distributed or Search Head Cluster deployment.

Configuration
  • The Mothership administrative user interface can be found in the Environments dashboard of the Mothership Splunk App.
  • From this dashboard, an administrator has full lifecycle (create, read, update, delete) control of environments and associated environment searches.
  • The following quickstart will walk through the configuration of a single environment with a single search from the management page.
Quickstart
  • To get started, let's configure an environment and environment search which will allow us to query the Splunk instance running Mothership.
  • We will be using the Mothership administrative user interface.
    • Select the 'New Environment' button and fill out the fields as follows.
      • Name: "My First Environment"
      • Management Server: "https://localhost:8089" (edit the hostname and port to reflect the management server host and port of the environment Mothership is running on)
      • Web Server: Leave blank
      • Username: Provide the username of a properly credentialed service account (should be able to search)
      • Password: Provide the password of the service account provided above
      • Leave all other fields as is and click 'Save'.
  • We will now configure an environment search for the environment we just created.
    • Expand the environment by clicking the '>' column.
    • Select the 'New Search' button and fill out the fields as follows.
      • Label: "My First Search"
      • In the inline search text area, provide the following SPL search string: | rest /services/licenser/groups
      • Leave all other fields as is and click 'Save'.
  • You may need to refresh the tables. This can be accomplished by clicking the refresh icon next to the Environments or Searches heading.
  • This environment is now being regularly queried on the provided schedule with the provided search. You can view the results of this query by clicking on the Edit menu in the Actions column and selecting Results.
  • Explore the other options available to you in the Edit menu. This menu will provide you with lifecycle management options (create, read, update, delete), ad-hoc querying, metrics and debug logs, and more.
Troubleshooting

Mothership logs all transactions made to a remote machine, including success and error state, to the _internal index with the following source: *environment_poller_debug.log. Click on the "Debug" link found in the "Actions" dropdown for either the Environment or Environment Search to debug errors.

Release Notes

Version 1.1.0
Sept. 4, 2019

* Allow for the deletion of environment searches and environments with non-existent references (saved search, HEC token, password, etc.).
* Update savedsearches.conf.spec to include args.interval to remove warnings on startup.
* Multi-user timezone configurations reflect correct last run time, use epoch time within metrics logger.
* UI Environment search raw search string moved from Saved Search to Search section.

Version 1.0.0
Aug. 16, 2019

Initial public release.


AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.
