From 6ef4667832e5e48e51ed052af61293fd73a7025f Mon Sep 17 00:00:00 2001
From: Claude
Date: Wed, 4 Feb 2026 22:21:03 +0000
Subject: [PATCH 1/2] Fix AppInspect: Remove index paths for Splunk Cloud compatibility

- Remove homePath, coldPath, thawedPath from indexes.conf
- Remove frozenTimePeriodInSecs (admin-controlled setting)
- Keep only datatype=metric for index definition
- Add note about Splunk Cloud admin creating the index

https://claude.ai/code/session_014YNv3fKbpjQB5eMZCrHwzi
---
 default/indexes.conf | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/default/indexes.conf b/default/indexes.conf
index 9e5aab8..0b670a0 100644
--- a/default/indexes.conf
+++ b/default/indexes.conf
@@ -1,12 +1,10 @@
 # Metrics index for CACA - Content Activity Checking Application
 # This index stores all dashboard usage, health, and performance metrics
+#
+# NOTE: For Splunk Cloud, this index must be created by your Splunk Cloud admin.
+# Request a metrics index named "caca_metrics" with appropriate retention.
+#
+# For Splunk Enterprise, this configuration will create the index automatically.
 
 [caca_metrics]
 datatype = metric
-homePath = $SPLUNK_DB/caca_metrics/db
-coldPath = $SPLUNK_DB/caca_metrics/colddb
-thawedPath = $SPLUNK_DB/caca_metrics/thaweddb
-
-# Retain metrics for 1 year (365 days) by default
-# Adjust based on your retention requirements
-frozenTimePeriodInSecs = 31536000
From c001673e0daa61d12ef21d526921ba3412d918dd Mon Sep 17 00:00:00 2001
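Review bot: The added comment `# For Splunk Enterprise, this configuration will create the index automatically.` no longer matches the stanza beneath it, because `[caca_metrics]` is left with only `datatype = metric`. Splunk Enterprise documents `homePath`, `coldPath` and `thawedPath` as required on an index stanza, so shipping the stanza without them is more likely to produce a configuration error on an Enterprise install than a working index. Removing `frozenTimePeriodInSecs` also drops the stated one-year limit, so an index created by other means inherits the platform's default retention; for an index that holds dashboard usage data that is worth stating explicitly rather than leaving implicit. I would reword the comment to `# For Splunk Enterprise, define homePath, coldPath, thawedPath and frozenTimePeriodInSecs for this index in a local indexes.conf.`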
From: Claude Date: Wed, 4 Feb 2026 22:26:50 +0000 Subject: [PATCH 2/2] Remove indexes.conf for Splunk Cloud compatibility - Remove indexes.conf entirely (Splunk Cloud apps cannot define indexes) - Update README with manual index creation instructions - Add instructions for both Enterprise and Cloud environments - Update Initial Setup section to reflect manual index creation https://claude.ai/code/session_014YNv3fKbpjQB5eMZCrHwzi --- README.md | 31 +++++++++++++++++++++++++------ default/indexes.conf | 10 ---------- 2 files changed, 25 insertions(+), 16 deletions(-) delete mode 100644 default/indexes.conf diff --git a/README.md b/README.md index 037d266..b69f3b6 100644 --- a/README.md +++ b/README.md @@ -109,10 +109,20 @@ Version 1.0.0 - Production Ready After installation, follow these steps to initialize CACA: -### 1. Verify Index Creation +### 1. Create the Metrics Index -The `caca_metrics` index should be created automatically. Verify by running: +Create a metrics index named `caca_metrics` before using CACA: +**For Splunk Enterprise:** +```spl +| rest /services/data/indexes | search title=caca_metrics +``` +If the index doesn't exist, create it via CLI or indexes.conf (see Configuration section). + +**For Splunk Cloud:** +Request your Splunk Cloud administrator to create a metrics index named `caca_metrics`. + +Verify the index exists: ```spl | eventcount summarize=false index=caca_metrics ``` 
@@ -397,15 +407,24 @@ Edit `default/savedsearches.conf` or use Splunk Web to modify: - **Health tracking frequency**: Default every 15 minutes - **Registry update frequency**: Default daily at 2 AM -### Customizing Metrics Retention +### Creating the Metrics Index + +CACA requires a metrics index named `caca_metrics`. This index must be created manually before using the app. -Edit `default/indexes.conf` to adjust retention: +**For Splunk Enterprise:** +```bash +# Via CLI +splunk add index caca_metrics -datatype metric -```ini +# Or add to $SPLUNK_HOME/etc/system/local/indexes.conf: [caca_metrics] -frozenTimePeriodInSecs = 31536000 # 1 year (default) +datatype = metric +frozenTimePeriodInSecs = 31536000 ``` +**For Splunk Cloud:** +Contact your Splunk Cloud administrator to create a metrics index named `caca_metrics` with appropriate retention settings. + ### Configurable Thresholds CACA uses configurable thresholds stored in `lookups/caca_settings.csv`. You can customize these settings to match your environment: diff --git a/default/indexes.conf b/default/indexes.conf deleted file mode 100644 index 0b670a0..0000000 --- a/default/indexes.conf +++ /dev/null @@ -1,10 +0,0 @@ -# Metrics index for CACA - Content Activity Checking Application -# This index stores all dashboard usage, health, and performance metrics -# -# NOTE: For Splunk Cloud, this index must be created by your Splunk Cloud admin. -# Request a metrics index named "caca_metrics" with appropriate retention. -# -# For Splunk Enterprise, this configuration will create the index automatically. - -[caca_metrics] -datatype = metric