If you are new to the App Framework you may find yourself asking:
The terminology and relationships within the framework are not as confusing as they might seem at first.
Read this apps, add-ons, and modules primer to gain an understanding of the various ways you can package and present your code and knowledge for Splunk users.
An app is a redistributable package containing some or all of the following components:
In general, apps create a compelling and enriching user experience for exploring data produced by a:
Apps provide a container for custom workflows, views, and other extensions to Splunk Web. Apps also contain saved searches, macros, and other knowledge for working with data and objects related to the given technology, product, or solution.
App packaging is intended to facilitate distribution to Splunk instances running on some or all Splunk-supported operating systems. Apps are commonly distributed using the app and add-on repository on SplunkBase but can also be distributed using Splunk Web or by extracting the package within the Splunk file system.
Apps may or may not depend on one or more add-ons for correct operation.
An add-on is a redistributable package containing some or all of the following components:
In general, add-ons:
An add-on provides a container for knowledge (event types, field extractions, lookups), scripted inputs, and other extensions to core Splunk capabilities that may or may not apply to a specific technology, product, or solution.
Add-on packaging is intended to facilitate distribution to Splunk instances running on some or all Splunk-supported operating systems. Apps are commonly distributed using the app and add-on repository on SplunkBase but can also be distributed using Splunk Web or by extracting the package within the Splunk file system.
Add-ons should not depend on other apps or add-ons for correct operation.
An module is a self-contained Splunk Web package containing some or all of the following components:
In general, modules are intended to perform a specific function within the hierarchy of a Splunk view, and are not intended to be packaged or distributed outside the context of an app or add-on.
Default Splunk modules, such as FlashTimeline, SearchBar, and SimpleResultsTable, power all of the views within the 'search' app distributed with Splunk.
You can distribute modules by packaging them within an app or add-on, which is in turn distributed through SplunkBase.
A view is a specific collection and layout of modules that operate together in a hierarchy to provide an enhanced user experience when exploring or visualizing data within Splunk. Most users of Splunk are familiar with the default Splunk views: flashtimeline, charting, and dashboard.
Views are configured using view XML, which specifies the modules that should be used within a view, the parameters provided to the module instances within the view, and the hierarchy by which the modules should share contextual information about user or server actions and events.
In general, views are packaged within the context of an app and subsequently distributed using SplunkBase. Views rarely belong in add-ons and are almost never packaged outside the context of an app or add-on.
The view layout is controlled by view templates such as dashboard.html, which provides standard templates for the layout of visible modules within panels on the page.
The following table shows the primary similarities and differences between apps and add-ons: