Terminology

If you are new to the App Framework you may find yourself asking:

  • What is the difference between an app and an add-on?
  • What is a module?
  • How do apps, add-ons, and modules work together?

The terminology and relationships within the framework are not as confusing as they might seem at first.

Read this apps, add-ons, and modules primer to gain an understanding of the various ways you can package and present your code and knowledge for Splunk users.

What is an app?

An app is a redistributable package containing some or all of the following components:

  • Configurations
  • Views
  • Modules
  • Controllers
  • Templates
  • Models
  • JavaScript
  • Static Content (HTML, CSS, Images)

In general, apps create a compelling and enriching user experience for exploring data produced by a:

  • Technology
  • Product
  • Solution

Apps provide a container for custom workflows, views, and other extensions to Splunk Web. Apps also contain saved searches, macros, and other knowledge for working with data and objects related to the given technology, product, or solution.

App packaging is intended to facilitate distribution to Splunk instances running on some or all Splunk-supported operating systems. Apps are commonly distributed using the app and add-on repository on SplunkBase but can also be distributed using Splunk Web or by extracting the package within the Splunk file system.

Apps may or may not depend on one or more add-ons for correct operation.

What is an add-on?

An add-on is a redistributable package containing some or all of the following components:

  • Configurations
  • Scripted Inputs
  • Modules
  • Controllers
  • Templates
  • Models

In general, add-ons:

  • consist of configurations, knowledge, inputs, outputs, and workflows that:
    • classify data
    • transform data
    • normalize data
  • are intended to be used by one or more apps
.

An add-on provides a container for knowledge (event types, field extractions, lookups), scripted inputs, and other extensions to core Splunk capabilities that may or may not apply to a specific technology, product, or solution.

Add-on packaging is intended to facilitate distribution to Splunk instances running on some or all Splunk-supported operating systems. Apps are commonly distributed using the app and add-on repository on SplunkBase but can also be distributed using Splunk Web or by extracting the package within the Splunk file system.

Add-ons should not depend on other apps or add-ons for correct operation.

What is a module?

An module is a self-contained Splunk Web package containing some or all of the following components:

  • Module configuration (required)
  • Module JavaScript (required)
  • Module controller
  • Module templates
  • Module CSS

In general, modules are intended to perform a specific function within the hierarchy of a Splunk view, and are not intended to be packaged or distributed outside the context of an app or add-on.

Default Splunk modules, such as FlashTimeline, SearchBar, and SimpleResultsTable, power all of the views within the 'search' app distributed with Splunk.

You can distribute modules by packaging them within an app or add-on, which is in turn distributed through SplunkBase.

What is a view?

A view is a specific collection and layout of modules that operate together in a hierarchy to provide an enhanced user experience when exploring or visualizing data within Splunk. Most users of Splunk are familiar with the default Splunk views: flashtimeline, charting, and dashboard.

Views are configured using view XML, which specifies the modules that should be used within a view, the parameters provided to the module instances within the view, and the hierarchy by which the modules should share contextual information about user or server actions and events.

In general, views are packaged within the context of an app and subsequently distributed using SplunkBase. Views rarely belong in add-ons and are almost never packaged outside the context of an app or add-on.

The view layout is controlled by view templates such as dashboard.html, which provides standard templates for the layout of visible modules within panels on the page.

What is an the difference between an app and a add-on?

The following table shows the primary similarities and differences between apps and add-ons:

Description

Apps

Add-Ons

Occupies as a unique namespace within Splunk
Can be packaged for redistribution and shared using SplunkBase
Should contain technology or product-specific components not intended for reuse by other apps
 
Should contain general purpose components intended for reuse by other apps
 
Extends Splunk Web for exploring or visualizing data from a specific product or technology
 
Can depend on other add-ons for correct operation
 
Includes inputs, indexes, lookups, and field extractions for a specific product or technology
 

How do modules relate to apps, add-ons, and views?

  • Modules can be packaged within both apps or add-ons.
  • Modules that have a function tied to a specific product or technology should be packaged in an app.
  • Modules that have a general purpose function intended for use by more than one app should be packaged in an add-on.
  • Module names must be unique across all apps and add-ons to avoid namespace collisions.
  • Views are composed of a hierarchy of modules.
  • Views may reference the same module multiple times.

How do views relate to apps, add-ons, and modules?

  • In general, views should be packaged within an app, not an add-on.
  • Views are composed of a hierarchy of modules.
  • Views may reference the same module multiple times.
  • In general, apps should not make views global objects.