Mothership is a Splunk App that provides a single pane of glass into large multi-instance Splunk deployments. Mothership dispatches SPL on remote Splunk instances on a scheduled interval and retrieves and stores search results locally. Field extraction is preserved, requiring no configuration other than a valid username and password for a service account on the remote machine. An administrative interface with REST services is provided to simplify management and reporting. All remote search results are stored in RBAC controllable stores (i.e., lookups, indexes).
The Mothership app will write summary results to lookups (transforming searches) and/or indexes (non-transforming searches). In a distributed environment or Search Head Cluster, lookups populated by Mothership can be replicated across the cluster. This means that Mothership running exclusively transforming searches (which write to a lookup) will work with a properly configured distributed or Search Head Cluster deployment. Non-transforming searches (which write to an index) are currently not supported in a distributed or Search Head Cluster deployment.
| rest /services/licenser/groups
Edit menu in the Actions column and selecting Edit menu. This menu will provide you with lifecycle management options (create, read, update, delete), ad-hoc querying, metrics and debug logs, and more.
Mothership logs all transactions made to a remote machine, including success and error state, to the _internal index with the following source: *environment_poller_debug.log. Click on the "Debug" link found in the "Actions" dropdown for either the Environment or Environment Search to debug errors.
* If no index is provided on environment search creation, but the index already exists, the environment search will be linked to the existing matching index. This corrects a bug that would show up when environment search creation would initially fail. Thank you @Nicholas Stone for finding this bug!
* Remove authorize.conf warning by setting value to enabled. Thank you @Chris Barrett for finding this bug!
* Bugfix for searches with long names. Thank you @Alan Ivarson for finding this bug!
* Configurable global job timeout added to mothership.conf
* Configurable global job status check interval added to mothership.conf
* Search job timeout error messaging supported in the management console
* Allow for the deletion of environment searches and environments with non-existent references (saved search, HEC token, password, etc.).
* Update savedsearches.conf.spec to include args.interval to remove warnings on startup.
* Multi-user timezone configurations reflect correct last run time, use epoch time within metrics logger.
* UI Environment search raw search string moved from Saved Search to Search section.
Initial public release.