Splunk MINT Add-on (Legacy)

Splunk MINT Add-on User Guide

Splunk MINT is no longer available for purchase as of January 29, 2021. Customers who have already been paying to ingest and process MINT data in Splunk Enterprise will continue to receive support until December 31, 2021, which is End of Life for all MINT products: App, Web Service (Management Console), SDK and Add-On.

Install and configure the Splunk MINT Add-on

Deployment

You can install the Splunk MINT Add-on in different deployments:

  • Standalone deployment is a deployment of Splunk Enterprise on a single computer, which handles all Splunk functionality. Use this configuration for evaluation purposes, or for small-scale production.
  • Distributed deployment spreads different components of Splunk Enterprise functionality across multiple computers. A typical deployment consists of a search head on one server, with multiple indexers and heavy forwarders on other servers. For MINT, the scale of the configuration depends on the number of monthly active users you have, along with how your organization uses the Splunk platform.
  • Splunk Cloud delivers the features of Splunk Enterprise as a cloud-based service. To install the Splunk MINT Add-on in your Splunk Cloud instance, contact Splunk Support. Install the add-on to forwarders for data collection.


For more about deploying apps and add-ons, see App deployment overview in the Admin Manual. For more about distributed deployment, see the Distributed Deployment Manual. For more about Splunk Cloud Platform, see the Splunk Cloud Platform Admin Manual.

Components of Splunk MINT

Splunk MINT on Splunk Enterprise includes the Splunk MINT Add-on and optionally the Splunk MINT App.

Table columns: Component; Description; Standalone; Distributed (Search head, Indexer, Forwarder).

  • Splunk MINT App: Provides dashboards, saved reports, and search functionality allowing you to view data for all of your MINT app projects.
  • Splunk MINT Add-on: Includes a custom modular input as well as index-time and search-time settings required to handle MINT data on forwarders, indexers and search heads. Does not contain any dashboards or reports, nor does it have a user interface.
  • Splunk MINT Modular Input: Defines a modular input for receiving MINT data from the Splunk MINT Data Collector. Splunk MINT Modular Input is included in the Splunk MINT Add-on.
Enable Enable

Before you install the Splunk MINT Add-on

Enable HTTPS traffic

Before you install the Splunk MINT Add-on, ensure the firewalls on the search heads and on heavy forwarders allow outgoing HTTPS traffic (TCP:443). If you have a standalone deployment, the single instance of Splunk Enterprise acts as both a search head and forwarder.

Splunk MINT uses client SSL authentication to connect to the MINT Cloud services. The following URLs are used for sending data:

  • MINT Cloud: data.cds.splkmobile.com
  • MINT Authentication Server: cdsauth.splkmobile.com and auth.cds.splkmobile.com
  • MINT Symbolicator: ios.splkmobile.com

The search heads must be able to connect to the MINT URLs to set up the Splunk MINT App and symbolicate iOS errors. Ensure the following IP addresses are whitelisted so that the MINT Cloud Data Collector authentication endpoint can be reached:

  • 54.193.6.245
  • 54.183.222.143
  • 54.183.222.136
  • 54.153.51.51
  • 52.8.207.32
  • 52.8.207.109
  • 208.78.105.194 through 208.78.105.202

The computers that run the Splunk MINT Add-on (typically heavy forwarders) must be able to make outbound connections to fetch data.

Enable proxy support

If you want to use a proxy server as an alternative to enabling HTTPS traffic:

  • Enable proxy server support by ensuring that your proxy server supports the CONNECT feature over port 443.
  • After you install the Splunk MINT Add-on, specify the proxy address (see Specify a proxy address below).

Install the Splunk MINT Add-on

In a standalone deployment, install the Splunk MINT Add-on on your single instance of Splunk Enterprise.

In a distributed deployment, install the Splunk MINT Add-on on each search head, indexer, and on each heavy forwarder that you are using to collect data. The Splunk MINT Add-on does not support light or universal forwarders for data collection because the add-on requires Python.

In Splunk Cloud, contact Support to install the add-on to your Splunk Cloud instance, and install it yourself on each heavy forwarder that you are using to collect data. Collecting data from your Splunk Cloud instance is not supported.

Important: The Splunk MINT Add-on creates a "mint" index. Before deploying the add-on, you can customize the index in $SPLUNK_HOME/etc/apps/Splunk_TA_mint/local/indexes.conf, including setting unique retention requirements and sizing configurations as needed.

Install the Splunk MINT Add-on using Splunk Web

  1. Download the Splunk MINT Add-on package.
  2. Click the Manage Apps icon next to Apps.
  3. On the Apps page, click Install app from file.
  4. Click Choose File, navigate to and select the package file for the Splunk MINT Add-on, then click Open.
  5. Click Upload.

Install the Splunk MINT Add-on from the command line

  1. Download the Splunk MINT Add-on package.
  2. At the command line, enter:
splunk install app <path/packagename>

Install the Splunk MINT Add-on by copying files

  1. Download the Splunk MINT Add-on package.
  2. Unpack the package file, then copy the /Splunk_TA_mint directory to $SPLUNK_HOME/etc/apps.

Install the Splunk MINT Add-on in Splunk Cloud

Install the MINT Add-on to your heavy forwarders using Splunk Web, using the command line, or by copying files. See the directions in the sections immediately above. For instructions on setting up forwarders to send data to your Splunk Cloud instance, see the appropriate topic in the Introduction to Getting Data In chapter of the Splunk Cloud Admin Manual. This chapter includes instructions for getting data in from Amazon Web Services, Microsoft Azure, *nix, Windows, and local files and directories.

Contact Splunk Support to install the MINT Add-on in your Splunk Cloud instance.

Set the MINT Data Collector token in the MINT Add-on

On each forwarder on which you have installed the MINT Add-on, or on the single instance of Splunk Enterprise in a standalone deployment, you must configure the MINT Add-on with your MINT Data Collector token.

You can configure only one data collection modular input per Splunk platform instance. The Splunk MINT Add-on does not support more than one.

Get your MINT Data Collector token

  1. Log in to MINT Management Console.
  2. Click Account > Account Info, and then click Usage.
  3. Under MINT Data Collector token, click Generate Token if a token has not yet been generated.
  4. Copy the token string.

Configure each forwarder running the MINT Add-on

  1. Restart your data collection node if you have not already done so after installing the MINT Add-on.
  2. In Splunk Web, go to Settings > Data inputs, then click Splunk MINT Data Collector. Or, navigate directly to http://<localhost>:<port>/en-US/manager/launcher/data/inputs/mi_cds.
  3. Under Input Name, click default.
  4. In MINT Data Collector Token, paste the token string you copied above.
  5. Optionally, specify a proxy server in HTTPS Proxy Address.
  6. Click Save. The token is encrypted and stored through the Splunk REST access endpoint /storage/passwords. See Access endpoint descriptions in the REST API Reference Manual.
  7. For the default input under Status, click Enable to begin pulling data from the MINT Data Collector.
  8. If the Splunk MINT Add-on is installed on search heads and indexers that are on the Cloud, you must edit the local inputs.conf file and add a setting under the [mi_cds://default] stanza.
    • Only users with the admin role, or a role with equivalent permissions, can edit the inputs.conf file.
    • Review the steps in How to edit a configuration file in the Admin Manual.
  9. Open the local inputs.conf file for the MINT Add-on. For example, $SPLUNK_HOME/etc/apps/Splunk_TA_mint/local/inputs.conf. If the file does not exist, create the file.
    Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location.
  10. Add the [mi_cds://default] stanza and the setting cloud_install=true.


Verifying data collection

You can verify that data is being collected by running a search, for example:

index=_internal source=*mint.log

Upgrade the Splunk MINT Add-on

You cannot upgrade from the Splunk MINT Add-on version 2.1.0 or earlier to version 3.0.x. You must perform a clean installation:

  1. On computers running the MINT Add-on 2.1.0 or earlier, remove the $SPLUNK_HOME/etc/apps/Splunk_TA_mint directory.
  2. Restart Splunk Enterprise.
  3. Install the Splunk MINT Add-on.
  4. Set the MINT Data Collector token in the MINT Add-on.

To upgrade the Splunk MINT Add-on, follow the instructions above for installing the add-on, with the following change:

  • From Splunk Web, when choosing the add-on file, click Upgrade app.
  • From the Splunk command line, include the "-update 1" parameter.

Specify a proxy address

If you are using a proxy address, specify it on all of the indexers and forwarders that are running the MINT Add-on.

Note: On your forwarders, you can specify a proxy address at the same time you set the MINT Data Collector token.

  1. On each indexer running the MINT Add-on, create a /local directory under $SPLUNK_HOME/etc/apps/Splunk_TA_mint/.
  2. In a text editor, create a text file with a [mi_cds://default] stanza that contains a https_proxy attribute with the full URL of your proxy server. Do not use quotes around the URL string. For example:
     [mi_cds://default]
     https_proxy = https://localhost:8888
  3. Save your file as inputs.conf under $SPLUNK_HOME/etc/apps/Splunk_TA_mint/local/.
  4. Restart Splunk Enterprise.
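
The two inputs.conf edits on this page (cloud_install=true under "Configure each forwarder running the MINT Add-on" and https_proxy in this section) can be scripted so that existing settings in the [mi_cds://default] stanza are merged rather than overwritten. This is an added example, not part of the Splunk documentation or the add-on: the function names are hypothetical, and it assumes the file holds only stanzas, that comments in it may be dropped on rewrite, and that it runs as the Splunk service account.

```python
import configparser
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

STANZA = "mi_cds://default"  # stanza name taken from the page


def check_proxy(url):
    """Reject values the instructions rule out: quoted or non-URL strings."""
    if url != url.strip("\"' "):
        raise ValueError("do not quote or pad the proxy URL")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("https_proxy must be a full URL, e.g. https://host:port")
    return url


def set_local_input(app_dir, key, value):
    """Merge key=value into local/inputs.conf; default/ is never touched."""
    if key == "https_proxy":
        value = check_proxy(value)
    local = Path(app_dir) / "local"
    local.mkdir(parents=True, exist_ok=True)
    conf = local / "inputs.conf"
    cp = configparser.RawConfigParser(delimiters=("=",), comment_prefixes=("#",))
    cp.optionxform = str  # keep key case exactly as written
    cp.read(conf)  # a missing file is skipped, so first use creates it
    if not cp.has_section(STANZA):
        cp.add_section(STANZA)
    cp.set(STANZA, key, value)
    with conf.open("w") as fh:
        cp.write(fh)
    conf.chmod(0o600)  # assumption: only the Splunk service account reads it
    return conf


def demo():
    """Constructed run; a temp directory stands in for Splunk_TA_mint."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "Splunk_TA_mint"
        set_local_input(app, "cloud_install", "true")
        conf = set_local_input(app, "https_proxy", "https://localhost:8888")
        return conf.read_text()
```

Restart Splunk Enterprise after the file changes, as the steps above require.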

Change the MINT Data Collector token

You can change your MINT Data Collector token if you need to. After you change it, you must also set or update the token in the MINT Add-on (and the MINT App, if you are using it).


Generate a new MINT Data Collector token

  1. Log in to MINT Management Console.
  2. Click Account, and then click Usage.
  3. Under MINT Data Collector token, click Remove Token, and then click Generate Token.
  4. Copy the token string.


Update the token in the MINT Add-on

On each forwarder running the MINT Add-on, or on the single instance of Splunk Enterprise in a standalone deployment:

  1. Delete the entire $SPLUNK_HOME/etc/apps/Splunk_TA_mint/auth directory.
  2. Delete the $SPLUNK_HOME/etc/apps/Splunk_TA_mint/local/inputs.conf configuration file.
  3. Restart Splunk Enterprise.
  4. In Splunk Web, go to Settings > Data inputs.
  5. Click Splunk MINT Data Collector.
  6. Under Input Name, click default.
  7. In MINT Data Collector Token, paste the token string you copied above.
  8. Optionally, specify a proxy server in HTTPS Proxy Address.
  9. Click Save.
  10. For the default input under Status, click Enable to begin pulling data from the MINT Data Collector.


Update the token in the MINT App

If you're using the MINT App, update the MINT Data Collector token to use iOS symbolication.

  1. On the computer running the MINT App, in a text editor open $SPLUNK_HOME/etc/apps/splunk_app_mint/local/symbolicator.conf and set the authentication_key property to your MINT Data Collector token:
     [settings]
     authentication_key = your_token_string
  2. Save your changes and restart Splunk Enterprise.

Last modified on 09 August, 2021

This documentation applies to the following versions of Splunk MINT Add-on (Legacy): 3.0.1

