Develop Splunk apps


About Splunk apps

Splunk apps make it easier for an organization and its users to interact with data. Apps are designed to address a specific type of task, such as real-time data analysis, or security and monitoring, and then display the data using any number of visualizations to make the data easier to interpret. Splunk provides different ways for you to create apps for the Splunk users within your organization, as well as apps to share with or sell to other Splunk users.


What is a Splunk app?

A Splunk app is a collection of knowledge objects and extensions packaged for a specific technology or use case allowing for a more effective use of Splunk Enterprise. A Splunk app can include such elements as a custom UI with dashboards, reports, custom search commands, modular inputs, field extraction definitions, data lookups, a navigation menu, custom alert actions, custom code files, and much more. Splunk apps run in Splunk Web, and you access them from the Home page or the Apps menu.


To expand on this definition of a Splunk app:

  • A Splunk app is a packaged solution that solves specific issues for specific users.
  • A Splunk app often targets a specific type of role, restricting read/write access by role. So, different users of the same Splunk Enterprise instance can see only the data that is relevant to their interests.
  • A Splunk app includes one or more dashboards containing forms and visualizations.
  • A Splunk app can handle getting data into Splunk in different ways, such as by using a scripted input or modular input, and from different data sources.
  • Multiple apps can run at the same time on the same instance of Splunk.

Here are some examples of Splunk apps for different users and roles:

  • The Splunk App for Microsoft Exchange is for the Exchange administrator. This app gathers performance metrics, log files, and PowerShell data from all aspects of Microsoft Exchange and its underlying infrastructure.
  • Splunk Enterprise Security is for the security specialist. This app looks for threats by analyzing massive volumes of activity data.
  • The Splunk App for VMware is for the system administrator. This app provides an accurate real-time picture of the health of the environment, proactively identifying performance and capacity bottlenecks.
  • The Splunk App for NetApp Data ONTAP is for the storage administrator. This app lets you visualize configuration, logs, and performance of all your NetApp Data ONTAP storage systems.
  • The S.o.S - Splunk on Splunk app is for anyone who wants to troubleshoot Splunk. This app lets you analyze and troubleshoot problems in your Splunk environment.
 

What is a Splunk add-on?

Technically, a Splunk add-on is a Splunk app. In practice, a Splunk add-on refers to a Splunk app that does not contain a full UI, and typically provides some custom configurations or data inputs. Because they have no UI, add-ons aren't available from the Splunk Web home page or the Splunk App menu, nor do they have a dedicated URL.

A single add-on can be used in multiple apps, suites, or solutions. So, every object in an add-on must be globally available in order to be globally accessible. For more, see App architecture and object ownership in the Admin Manual.
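The role-based read/write restriction and the global-availability requirement described above are both expressed in an app's `metadata/default.meta` file through the `access` and `export` settings. The following is an added example, not code from Splunk or from this page: a small audit that flags objects that are not exported globally or that any role can modify. The sample stanzas, role names, and function names are constructed for illustration, and the precedence model (global stanza, then object type, then object) is simplified.

```python
import re

# Constructed sample of an add-on's metadata/default.meta (not from the page).
SAMPLE_META = """\
[]
access = read : [ * ], write : [ admin ]
export = system

# App-private lookup: other apps cannot see it.
[lookups/asset_owners.csv]
access = read : [ soc_analyst ], write : [ admin ]
export = none

# Any role may overwrite this saved search.
[savedsearches/failed_logins]
access = read : [ * ], write : [ * ]
"""

def parse_meta(text):
    """Return {stanza_name: {key: value}}; '[]' is stored under ''."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def roles(access, verb):
    """Extract the role list for 'read' or 'write' from an access value."""
    m = re.search(rf"{verb}\s*:\s*\[([^\]]*)\]", access)
    return [r.strip() for r in m.group(1).split(",") if r.strip()] if m else []

def audit(text):
    """Flag objects that are not exported globally or that any role can modify."""
    stanzas, findings = parse_meta(text), []
    for name, own in stanzas.items():
        # Precedence: global '[]' stanza, then object type, then the object itself.
        eff = {**stanzas.get("", {}), **stanzas.get(name.split("/")[0], {}), **own}
        if eff.get("export") != "system":
            findings.append((name or "[]", "not exported globally"))
        if "*" in roles(eff.get("access", ""), "write"):
            findings.append((name or "[]", "writable by every role"))
    return findings

if __name__ == "__main__":
    for stanza, issue in audit(SAMPLE_META):
        print(f"{stanza}: {issue}")
```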

 

Why would someone want to use a Splunk app?

Splunk apps are useful for many reasons:

  • Apps provide deep insights by role (such as Exchange admin, system admin, storage admin, and so forth).
  • Apps provide instant visibility and analysis across all servers and network devices from one place.
  • Apps drive business growth to secure, forecast, plan, and monitor usage.
  • Apps improve security posture, speed incident investigations, and meet compliance mandates.
  • Apps consolidate tools (multiple monitoring tools are no longer needed).
  • Apps monitor and help troubleshoot development and production applications.
 

Where do I distribute my Splunk apps?

Splunkbase is the Splunk app and add-on marketplace. You can download apps and add-ons for use in your Splunk Enterprise environment, and you can create your own Splunk apps and share them with other members of the Splunk community. For more about submitting apps to Splunkbase, see the Working with Splunkbase manual.

You can also obtain Splunk Certification for apps and add-ons, which means that Splunk has examined an app or add-on and found that it conforms to best practices for Splunk development. For more, see About app certification.

 

What is the basic process for developing a Splunk app?

Just creating a Splunk app is easy, but developing a fully-featured app takes work. The basic process is as follows:

  1. Get data into Splunk using data inputs, indexes, and modular inputs. Follow the logging best practices.
  2. Search your data using the Splunk search language and optimize your searches (filter, limit scope, avoid real-time searches).
  3. Enrich the search with Splunk knowledge objects such as saved searches, event types, transactions, tags, field extractions, transforms, lookups, search commands, and data models.
  4. Visualize your data by creating visualizations and dashboards.
  5. Create alerts using both out-of-the-box alert actions and custom alert actions to integrate with other systems.
  6. Certify, package, and publish your app to Splunkbase.
 

What tools do I use to develop a Splunk app?

Many components of a Splunk app can be built using Splunk Enterprise, such as data inputs, indexes, modular inputs, knowledge objects, alerts, and searches. See the Splunk Enterprise documentation for details.

The Splunk Web Framework provides tools for developers to create dashboards and visualizations for Splunk apps from the ground up with CSS, HTML, and JavaScript. For more, see Use the Splunk Web Framework here on the Splunk Developer Portal website.

 

What considerations apply to apps in Splunk Cloud?

Apps running in Splunk Cloud undergo a vetting process before they can be installed. This process ensures that the app does not compromise security or pose an operations risk in the public cloud environment. Splunk Cloud customers can submit their app for vetting by contacting Splunk Cloud support.

For more information about using apps with Splunk Cloud, see Get Splunk Cloud apps in the Splunk Cloud User Manual.