App certification criteria

When you submit your app or add-on for certification, Splunk evaluates it against a set of criteria. The set of App Certification criteria is described below.

Note: This list doubles as the list of checks run by the Splunk AppInspect tool and API. For more information, see Splunk AppInspect.

Checklist for submission

25 August, 2017 (v1.5.0)

App.conf standards

The app.conf file located in the default folder provides key application information and branding.

Splunkbase App Certification Description
x Check that the app.conf file contains an application version number.
x Check that the default/app.conf setting is_configured is set to False.

Application Content Structure Standards

Splunkbase App Certification Description
x x Check that static/appIcon_2x is 72x72px or less.
x x Check that static/appIcon_2x is a Portable Network Graphics (PNG) file.
x x Check that static/appIconAlt_2x.png is 72x72px or less.
x x Check that static/appIconAlt_2x is a PNG file.
x x Check that static/appIconAlt.png is 36x36px or less.
x x Check that static/appIconAlt is a PNG file.
x x Check that static/appIcon is 36x36px or less.
x x Check that static/appIcon is a PNG file.
x x Check that static/appLogo_2x.png is 320x80px or less.
x x Check that static/appLogo_2x is a PNG file.
x x Check that static/appLogo.png is 160x40px or less.
x x Check that static/appLogo is a PNG file.

Directory structure standards

Ensure that the directories and files that exist adhere to desired hierarchy standards.

Splunkbase App Certification Description
x x Check there is no local directory.
  x Check that app has no .conf or dashboard filenames that contain spaces.
  x Check that all metadata is supplied in default.meta, not local.meta.
  x Check that there is no passwords.conf file in the local directory.
x x Check that, when decompressed, the Splunk app directory name matches the app.conf [package] stanza's id property.

Configuration file standards

Ensure that all configuration files located in the default folder are well formed and valid.

Splunkbase App Certification Description
  x Check to ensure that all config files parse cleanly—no trailing whitespace after continuations, no duplicated stanzas or options.
  x Check that submission does not contain any .conf files that create global definitions using the [default] stanza.
  x Check that no duplicate stanzas exist in .conf files.

Indexes.conf standards

Ensure that the indexes.conf file located in the default folder is well formed and valid.

Splunkbase App Certification Description
    Check that index definitions do not contain script-invoking options, including: warmToColdScript, coldToFrozenScript, and vix.command.
  x Check that all required index definitions options exist including: homePath, coldPath, and thawedPath.
  x Check that the app does not create indexes.
  x Check the app does not modify any default Splunk indexes.

Meta file standards

Ensure that all .meta files located in the metadata folder are well formed and valid.

Splunkbase App Certification Description
  x Check that all .meta files parse cleanly, with no trailing whitespace after continuations and no duplicate stanzas or options.
x Check that no duplicate stanzas exist in .meta files.

Props configuration file standards

Ensure that all props.conf files located in the default folder are well formed and valid.

Splunkbase App Certification Description
  x Check that each REPORT- in props.conf has an associated transforms.conf file.
  x Check that each REPORT- in props.conf has an associated stanza in transforms.conf file.
  x Check that for each REPORT- option in props.conf, either DELIMS or REGEX options are used in the matching transforms.conf stanza.
  x Check that each TRANSFORM- in props.conf has an associated transforms.conf file.
  x Check that each TRANSFORM- in props.conf has an associated stanza in the transforms.conf file.
  x Check that the props.conf stanzas (delayed rule, host, rule, or source) are followed by ::. For example:
  • [host::nyc*]
  • [rule::bar_some]

Transforms.conf file standards

Ensure that the transforms.conf file located in the default folder is well formed and valid.

Splunkbase App Certification Description
  x All files in the /lookups directory should be referenced in transforms.conf.
  x Check that all capture groups are used in transforms.conf. Groups not used for capturing should use the non-capture group syntax.

Intellectual property standards

Splunkbase App Certification Description
x x Check that use of the Splunk logo and name meets Splunk branding guidelines.

Malware/viruses, malicious content, user security standards

Splunkbase App Certification Description
  x Check that no plain text authorization credentials are stored in the app.
  x Check that embedded links included in the app are not malicious.
  x Check that the app does not include any offensive material.
  x Check that no sensitive hostnames/IPs are stored in the app.

Operating system standards

Splunkbase App Certification Description
x x Check for the use of malicious commands designed to corrupt the OS or Splunk instance.
  x Check that applications only write to the $SPLUNK_HOME/etc/$APP_NAME/local, $SPLUNK_HOME/etc/$APP_NAME/lookup, $SPLUNK_HOME/var/log/$APP_NAME/<LOG_NAME>.log, $SPLUNK_HOME/var/log/$APP_NAME.log, $SPLUNK_HOME/var/run and OS temporary directories.
x x Check for hard-coded filepaths in scripts relative to author's local developer environment, or absolute paths.
x x Check that scripts are not trying to switch into other user accounts, create new users, or run sudo.

Security vulnerabilities

Splunkbase App Certification Description
  x Check for command injection through environment variables.
  x Check for the use of environment variables.
  x Check for insecure HTTP calls in Python.
  x Check for use of pexpect.
  x Check for passwords and secrets.
  x Check that stack traces are not being returned to an end user.
  x Check for command injection in VBS files.

Source code and binaries standards

Splunkbase App Certification Description
x x Check that files outside of the bin/ directory do not have execute permissions and are not .exe files. Splunk recommends 644 for all app files outside of the bin/ directory, 644 for scripts within the bin/ directory that are invoked using an interpreter (example: python my_script.py or sh my_script.sh), and 755 for scripts within the bin/ directory that are invoked directly (example: ./my_script.sh or ./my_script).
x x Check that files outside of the bin/ directory do not appear to be executable according to the Unix file command. From man file: files have a "magic number" stored in a particular place near the beginning of the file that tells the UNIX operating system that the file is a binary executable.
  x Check that no files have *nix write permissions for all users (xx2, xx6, xx7). Splunk recommends 644 for all files outside of bin/ and 755 for all directories and files in the bin/ directory.
  x Check that there are no hidden files or directories.
  x Check that URLs do not include redirect or requests from external web sites.
x x Check that documentation declares platform-specific binaries.
  x Check whether the app uses Flash for visualizations.
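
A pre-submission audit for the permission, .exe and hidden-file checks in the table above. This is an added example, not AppInspect's own code; the function names, the sample tree and its file names are assumptions made for illustration.

```python
import os
import stat
import tempfile


def rel_path(root, dirpath, name):
    """Path of dirpath/name relative to root, with forward slashes."""
    rel = os.path.relpath(os.path.join(dirpath, name), root)
    return rel.replace(os.sep, "/")


def audit_app_tree(app_root):
    """Return sorted (relative_path, problem) findings for an unpacked app."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(app_root):
        # Hidden entries: applies to both files and directories.
        for name in dirnames + filenames:
            if name.startswith("."):
                findings.append((rel_path(app_root, dirpath, name),
                                 "hidden file or directory"))
        for name in filenames:
            rel = rel_path(app_root, dirpath, name)
            st = os.lstat(os.path.join(dirpath, name))
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope here
            mode = stat.S_IMODE(st.st_mode)
            # xx2, xx6, xx7: the "other" write bit is set.
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable (%03o)" % mode))
            # Execute bits and .exe files are only acceptable under bin/.
            if not rel.startswith("bin/"):
                if mode & 0o111:
                    findings.append((rel, "execute bit outside bin/ (%03o)" % mode))
                if name.lower().endswith(".exe"):
                    findings.append((rel, ".exe file outside bin/"))
    return sorted(findings)


# Constructed sample app layout (relative path -> mode), for illustration only.
SAMPLE_TREE = {
    "default/app.conf": 0o644,   # fine
    "bin/collect.sh": 0o755,     # fine: invoked directly from bin/
    "bin/helper.py": 0o644,      # fine: run through an interpreter
    "README/setup.sh": 0o755,    # execute bit outside bin/
    "lookups/hosts.csv": 0o666,  # writable by all users
    "static/tool.exe": 0o644,    # .exe outside bin/
    ".git/config": 0o644,        # sits inside a hidden directory
}


def build_sample(root):
    """Materialise SAMPLE_TREE under root with the listed modes."""
    for rel, mode in SAMPLE_TREE.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as handle:
            handle.write("constructed sample\n")
        os.chmod(path, mode)


def demo():
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return audit_app_tree(root)


if __name__ == "__main__":
    for rel, problem in demo():
        print("%-20s %s" % (rel, problem))
```

Run `audit_app_tree()` against the unpacked app directory before packaging; an empty list means none of these four conditions were found.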

Platform targets and claimed supported Splunk software versions

Splunkbase App Certification Description
x x Check that the app installs on all claimed target platforms.
  x Check that the app can be set up on a distributed system after self-service.

XML file standards

Splunkbase App Certification Description
  x Check to ensure <iframe> elements don't violate security policy.
x x All XML files need to be well-formed.
  x Check to ensure any XML files do not embed JavaScript via inline calls or external references.
  x Ensure that global event handlers are not used within XML files.

Calls to external data sources

Splunkbase App Certification Description
x x Check that the documentation lists calls to external data sources.

Modular inputs structure and standards

Modular inputs are configured via an inputs.conf.spec file located at README/inputs.conf.spec.

Splunkbase App Certification Description
  x Check that a valid inputs.conf.spec file exists at README/inputs.conf.spec.
  x Check that README/inputs.conf.spec contains stanzas.
  x Check that modular input stanzas do not contain duplicate arguments.
  x Check that modular inputs do not have duplicate stanzas.
  x Check that line breaks are included in configuration when using a modular input.
  x Check that modular inputs specify arguments.
  x Check that there is a script file in bin/ for each modular input defined in README/inputs.conf.spec.

JSON file standards

Splunkbase App Certification Description
  x Check that all JSON files are well formed.

Lookup file standards

Lookups add fields from an external source to events based on the values of fields that are already present in those events.

Splunkbase App Certification Description
  x Check that .csv files have at least one row.

Saved search standards

Saved searches are defined in a savedsearches.conf file located at default/savedsearches.conf.

Splunkbase App Certification Description
  x Check that a savedsearches.conf file exists at default/savedsearches.conf.
  x Check that any email alerts (action.email.to) set in savedsearches.conf do not have a default value.
  x Check that default/savedsearches.conf has no description properties that are empty.
  x Check that default/savedsearches.conf searches are cron scheduled reasonably. Fewer than five asterisks should be used.
  x Check that no real-time saved searches are being used in savedsearches.conf. Real-time per-index saved searches are system intensive and should be avoided.
  x Check that if a savedsearches.conf stanza contains scheduling options, it contains an earliest and latest time.
  x Check that saved searches have a search string specified.
  x Check that saved searches are enabled.

Alert actions structure and standards

Custom alert actions are defined in an alert_actions.conf file located at default/alert_actions.conf.

Splunkbase App Certification Description
  x Check that a valid alert_actions.conf file exists at default/alert_actions.conf.
  x Check that each custom alert action has a valid executable.
  x Check that each icon file defined for alert actions in the alert_actions.conf exists. For more information, see the Custom Alert Action Component Reference.
  x Check if any custom alert actions have executable arguments.
  x Check that each custom alert action's payload format has a value of xml or json.
  x Check that custom alert actions are user configurable with a setup.xml file.
  x Check that each custom alert action has an associated HTML file.

Custom search command structure and standards

Custom search commands are defined in a default/commands.conf.

Splunkbase App Certification Description
x Check that a commands.conf file exists at default/commands.conf.
x Check that custom search commands have an executable or script per stanza.
x Check that a valid default.meta file exists when using a custom search command.
x Check that the custom commands attributes maxwait and maxchunksize are only used when chunked = true. For more information, see the Commands.conf reference.
x Check for ignored arguments in commands.conf when chunked=true. For more information, see the Commands.conf reference.
x Check that custom search commands using passauth have enableheader set to true.
x Check that custom search commands using requires_preop have streaming_preop set to true.
x Check that custom search commands using requires_srinfo have enableheader set to true.

Custom workflow actions structure and standards

Custom workflow actions are defined in workflow_actions.conf located at default/workflow_actions.conf.

Splunkbase App Certification Description
x Check that a valid workflow_actions.conf file exists in the default directory.
x Check that stanzas in workflow_actions.conf.spec have the required fields, type, and label.
x Check that for each workflow action in workflow_actions.conf, the link.uri property starts with https.

REST endpoints and handler standards

REST endpoints are defined via a restmap.conf file located in the default directory.

Splunkbase App Certification Description
x Check that restmap.conf file exists in the default directory when using REST endpoints.
x Check that each stanza in restmap.conf has a matching handler script.

Data model files and configurations

Data models are configured via a datamodels.conf located at default/datamodels.conf.

Splunkbase App Certification Description
x Check that when using data models the datamodels.conf file only exists in the default directory.
x Check that for each stanza in datamodels.conf there is a matching JSON file in default/data/models/.

ITSI module file and folder structure verification

This set of checks verifies the file and folder structure of an ITSI module container.

Splunkbase App Certification Description
x Check that the appserver/ directory exists.
x Check that the default/app.conf file exists.
x Check that the default/deep_dive_drilldowns.conf file exists.
x Check that the default/ directory exists.
x Check that the default/inputs.conf file exists.
x Check that the default/itsi_kpi_base_search.conf file exists.
x Check that the default/itsi_kpi_template.conf file exists.
x Check that the default/itsi_service_template.conf file exists.
x Check that the default/savedsearches.conf file exists.
x Check that the metadata/ directory exists.

Python file standards

Splunkbase App Certification Description
x Check that the Python __import__ method is not used.
x Check that the app does not include .pyc or .pyo files.
x Check that all Python imports are explicit. from package import * may run unneeded code.
x Check for the use of threading and multiprocesses. Threading must be used with discretion.
x Check whether the app contains Python scripts.
x Check for the use of subprocess and OS command calls in Python. For example:
  • subprocess.call
  • exec

Documentation standards

Splunkbase App Certification Description
x x Package your app with a README file that includes version support, system requirements, installation, configuration, troubleshooting and running of the app, or a link to online documentation.
x Check that any custom commands are documented.
x Check whether the app uses report acceleration, search acceleration, or summary indexing.
x Check whether the app uses data model acceleration.
x Document prerequisites of the app. All prerequisites must be either packaged with your app, or be available on Splunkbase as a certified app.
x List any open source components you've used in developing the app. List the end-user license for each.
x x Deliver core documentation in English.
x x Check that your documentation is free of major editing and proofreading (spelling, grammar, punctuation) issues.

Appropriate use of sensitive functionality

Splunkbase App Certification Description
x Check that indexes created by the app are explained in the app's documentation.
x Check that the use of datamodels is explained in the app's documentation.
x Check that the use of inputcsv is explained in the app's documentation.
x Check that the use of outputcsv is explained in the app's documentation.
x Check that the use of tscollect is explained in the app's documentation.
x Check that any outbound network communications in outputs.conf are explained in the app's documentation.
x Check that file access outside of the app's home directory, $SPLUNK_HOME/var/log, $SPLUNK_HOME/var/run, and system temporary directories is explained in the app's documentation.
x Check that use of eventgen.conf is explained in the app's documentation.
x Check that any compressed archives within the main release that need extracting are explained in the app's documentation.

Support requirements

Splunkbase App Certification Description
x x Check that the app's documentation lists contact information and level of support for the app. Any level of support is acceptable for developer supported apps, as long as it is clearly declared in documentation. Community supported apps must be open source with a public repository. For example:
  • Email support during weekday business hours (US, West Coast).
  • Phone support 24x7 @ +1 (555) 123-4567.
  • This is an open source project, no support provided, public repository available.
x Check that stanzas in authentication.conf do not use the bindDNpassword property.
x Check that authorize.conf does not contain any modified capabilities.

Cloud operations simple application checks

This group of checks helps validate simple applications in an effort to try and automate the cloud operations validation process.

Splunkbase App Certification Description
x Check that commands referenced in the alert.execute.cmd property of all alert actions are checked for compliance with Splunk Cloud security policy.
x Check that app does not contain audit.conf, as it is prohibited in Splunk Cloud due to its ability to configure/disable cryptographic signing and certificates.
x Check that app does not contain authentication.conf, as it is prohibited in Splunk Cloud due to its ability to configure LDAP authentication and could contain LDAP credentials in plain text.
x Check that authorize.conf does not grant excessive administrative permissions to the user.
x Check that app does not contain crawl.conf, as it was deprecated in Splunk 6.0 and allows Splunk to introspect the filesystem which is not permitted in Splunk Cloud.
x Check that app does not contain datatypesbnf.conf, as it is prohibited in Splunk Cloud.
x Check that default/data/ui/alerts contains only .xml or .html files.
x Check that default/data/ui/html contains only .xml or .html files.
x Check default/data/ui/manager for any files that configure modular inputs, communicate unencrypted data, or store plain text credentials.
x Check that default/data/ui/nav contains only .xml or .html files.
x Check that default/data/ui/panels contains only .xml or .html files.
x Check that default/data/ui/quickstart contains only .xml or .html files.
x Check that default/data/ui/views contains only .xml or .html files.
x Check for any files in default/ not whitelisted or not covered by other checks for Splunk Cloud.
x Check that app does not contain default-mode.conf. It is prohibited in Splunk Cloud because light forwarders and universal forwarders are not run in Splunk Cloud.
x Check that app does not contain deployment.conf. Apps should leave deployment configuration up to Splunk administrators.
x Check that app does not contain deploymentclient.conf as it configures the deployment server client. Apps should leave deployment configurations to Splunk administrators.
x Check that apps only monitor their own directory, $SPLUNK_HOME/etc/apps/<app-dir>/*.
x Check that the app does not implement auto-update features.
x Check that all executable binary files have matching source code.
x Check whether the app is sending data to third-party services.
x Check that indexes.conf does not declare volumes.
x Check [fifo] stanza is not used in inputs.conf.
x Check whether the app contains Java files. Java files will be inspected for compliance with Splunk Cloud security policy.
x Check whether the app contains JavaScript files. JavaScript scripts will be inspected for compliance with Splunk Cloud security policy.
x Check third party libraries for known vulnerabilities.
x Check that local settings do not violate Splunk Cloud security policies.
x Check for pre-filled lookup tables.
x Check that the app does not monitor Splunk Cloud infrastructure.
x Check whether the app contains Perl scripts. Perl scripts will be inspected for compliance with Splunk Cloud security policy.
x Check whether the app requires access to private infrastructure.
x Check that the app does not contain reverse shells.
x Check that apps do not monitor the $SPLUNK_HOME/var/log/* directory.
x Check for UDP network communication.
x Check that all network communications are encrypted.
x Check that indexes defined in indexes.conf use relative paths starting with $SPLUNK_DB.
x Check that default/inputs.conf does not contain a [batch] stanza.
x Check that default/inputs.conf does not contain an [fschange] stanza.
x Check that default/inputs.conf does not use any global settings.
x Check that default/inputs.conf does not contain an [http] stanza.
x Check that default/inputs.conf does not contain a [splunktcp] stanza.
x Check that default/inputs.conf does not contain a [splunktcptoken] stanza.
x Check that default/inputs.conf does not contain a [tcp] stanza.
x Check that the inputs.conf file does not have any UDP inputs.
x Check that the [fifo] stanza does not use .. in any part of its path.
x Check that the [monitor] stanza does not use .. in any part of its path.
x Check that app does not contain instance.cfg.conf. Apps should not configure server/instance specific settings.
x Check that app does not contain literals.conf. Apps should not alter/override text strings displayed in Splunk Web.
x Check that lookups/ contains only known file types (.csv, .csv.default, .csv.gz, .csv.tgz, .kmz).
x Check that app does not contain outputs.conf as forwarding is not permitted in Splunk Cloud.
x Check that app does not contain pubsub.conf as it defines a custom client for the deployment server. Apps should leave deployment configurations to Splunk administrators.
x Check that root directory only contains files with the following extensions: '.doc', '.docx', '.md', '.pdf', '.rst', '.rtf', '.txt' or the following filenames: app.manifest, CHANGELOG, CONTRIBUTORS, LICENSE, README.
x Check that app does not contain segmenters.conf. A misconfigured segmenters.conf can result in unsearchable data that could only be addressed by re-indexing and segmenters.conf configuration is system-wide.
x Check that app does not contain server.conf as it is prohibited in Splunk Cloud due to its ability to manipulate server settings that are incompatible in Splunk Cloud and can break ingestion.
x Check that app does not contain serverclass.conf as it defines deployment server classes for use with deployment server. Apps should leave deployment configuration up to Splunk administrators.
x Check that app does not contain serverclass.seed.xml.conf as it configures deploymentClient to seed a Splunk installation with applications at startup time. Apps should leave deployment configuration up to Splunk administrators.
x Check that all passwords configured in setup.xml are stored in the storage/passwords endpoint.
x Check that app does not contain source-classifier.conf as it configures system-wide settings for ignoring terms (such as sensitive data).
x Check that app does not contain sourcetypes.conf as it is a machine-generated file that stores source type learning rules. props.conf should be used to define sourcetypes.
x Check that app does not contain splunk-launch.conf as it defines environment values used at startup time. System-wide environment variables should be left up to Splunk administrators.
x Check that the static/ directory contains only known file types.
x Check that app does not contain telemetry.conf as it controls a Splunk-internal feature that should not be configured by apps.
x Check that transforms.conf does not contain any transforms with an external_cmd=<string> attribute.
x Check that app does not contain user-seed.conf as it is used to preconfigure default login and password information.
x Check that app does not contain wmi.conf as it is prohibited in Splunk Cloud due to its ability to configure Splunk to ingest data via Windows Management Instrumentation, which should be done via forwarder. Forwarders are not permitted in Splunk Cloud.
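
The inputs.conf rows in the table above (prohibited stanza types, global settings, .. in monitor and fifo paths, monitoring only the app's own directory) can be linted together before submission. This is an added example, not AppInspect's own code; check_inputs_conf, the finding codes, the app directory name my_app and the sample file are assumptions, and it relies on inputs.conf naming inputs as [type://path] or [type:value].

```python
import re

# Stanza types the checklist above prohibits in default/inputs.conf.
PROHIBITED = {"batch", "fschange", "http", "splunktcp", "splunktcptoken",
              "tcp", "udp", "fifo"}


def check_inputs_conf(text, app_dir):
    """Return (line_number, code, detail) findings for one inputs.conf body."""
    own_prefix = "$SPLUNK_HOME/etc/apps/%s/" % app_dir
    findings = []
    stanza = None      # None until the first [stanza] header is seen
    continued = False  # previous setting ended with a backslash continuation
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if continued:
            continued = line.endswith("\\")
            continue
        if not line or line.startswith("#"):
            continue
        continued = line.endswith("\\")
        header = re.match(r"\[(.*)\]$", line)
        if header is None:
            # A setting before any stanza, or under [default], is global.
            if stanza in (None, "default") and "=" in line:
                key = line.split("=", 1)[0].strip()
                findings.append((lineno, "global-setting", key))
            continue
        stanza = header.group(1)
        kind, _, path = stanza.partition("://")
        kind = kind.split(":", 1)[0]  # also covers the [type:value] form
        if kind in PROHIBITED:
            findings.append((lineno, "prohibited-stanza", stanza))
        if kind in ("monitor", "fifo"):
            if ".." in path:
                findings.append((lineno, "dotdot-path", path))
            elif kind == "monitor" and not path.startswith(own_prefix):
                findings.append((lineno, "outside-app-dir", path))
    return findings


# Constructed default/inputs.conf for a hypothetical app directory "my_app".
SAMPLE = """\
# Constructed sample for illustration; not taken from a real app.
index = main

[monitor://$SPLUNK_HOME/etc/apps/my_app/logs/*.log]
sourcetype = my_app:log

[monitor://$SPLUNK_HOME/etc/apps/my_app/../other_app/local]

[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]

[udp://514]
sourcetype = syslog

[script://./bin/collect.py]
interval = 300

[splunktcp://9997]
"""

if __name__ == "__main__":
    for lineno, code, detail in check_inputs_conf(SAMPLE, "my_app"):
        print("line %2d  %-18s %s" % (lineno, code, detail))
```

The [script://] stanza and the first [monitor://] stanza produce no finding: both stay inside the rules listed in the table.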

Custom visualizations support checks

Custom visualizations are defined in default/visualizations.conf.

Splunkbase App Certification Description
x Check the properties defined in the README/savedsearches.conf.spec file: if a property is defined in the spec file and no default value is provided in default/savedsearches.conf, this check should fail.
x Check appserver/static/visualizations/<viz_name>/formatter.html for bad nodes that are removed by Splunk's .../search_mrsparkle/exposed/js/util/htmlcleaner.js when rendered.
x Check appserver/static/visualizations/<viz_name>/formatter.html for comments that are removed by Splunk's .../search_mrsparkle/exposed/js/util/htmlcleaner.js when rendered.
x Check appserver/static/visualizations/<viz_name>/formatter.html for css expressions from all tags that are replaced by Splunk's .../search_mrsparkle/exposed/js/util/htmlcleaner.js when rendered.
x Check appserver/static/visualizations/<viz_name>/formatter.html for inappropriate attributes that are removed by Splunk's .../search_mrsparkle/exposed/js/util/htmlcleaner.js when rendered.
x Check appserver/static/visualizations/<viz_name>/formatter.html for inline style attributes from all tags that are removed by Splunk's .../search_mrsparkle/exposed/js/util/htmlcleaner.js when rendered.
x Check that for each custom visualization stanza in default/visualizations.conf there is a matching directory in the appserver/static/visualizations/ directory.
x Check that each custom visualization stanza in default/visualizations.conf has some required source files in the appserver/static/visualizations/<visualization_name>/ directory.
x Check that custom visualizations have an appserver/static/visualizations/ directory.
x Check the required file appserver/static/visualizations/<viz_name>/preview.png exists for the visualization.
x Check that each stanza in default/visualizations.conf has a matching stanza in metadata/default.meta.

Limits.conf file standards

File standards for limits.conf.

Splunkbase App Certification Description
  x Check that default/limits.conf has not been included.

Outputs.conf file standards

Ensure that the outputs.conf file located in the default folder is well formed and valid.

Splunkbase App Certification Description
x x Check that, if forwarding is enabled in outputs.conf, it is explained in the app's documentation.

Features deprecated in Splunk 6.3.0 and later

These features have been deprecated in Splunk 6.3.0 and later.

Splunkbase App Certification Description
  x Check for Advanced XML appserver/modules directory.
  x Check for Advanced XML <module> elements.
  x Check for Advanced XML <view> elements that do not have the redirect or html types.
  x Check for Module System web.conf endpoints. The Module system was deprecated in Splunk 6.3 as part of the advanced XML deprecation. See: Module System User Manual.
  x Check for use of Django bindings.
  x Check for the deprecated <option name='previewResults'> in Simple XML files.
  x Check for Simple XML <chart> panels with deprecated options charting.axisLabelsY.majorTickSize or charting.axisLabelsY.majorLabelVisibility.
  x Check for the deprecated <option name='previewResults'> in Simple XML files.
  x Check for the deprecated <searchTemplate> element in Simple XML files. Use the <search> element instead.
  x Check for the deprecated <seed> option in Simple XML forms. Use the <initialValue> element instead.

Web.conf file standards

File standards for web.conf.

Splunkbase App Certification Description
  x Check that default/web.conf only defines [endpoint:] and [expose:] stanzas, with [expose:*] only containing pattern= and methods=.
  x Check that apps only expose web endpoints that are defined by the Splunk App within default/restmap.conf. Each default/web.conf [expose:] stanza should have the property pattern= which defines a url pattern to expose. Each url pattern exposed should correspond to a stanza within default/restmap.conf with a url pattern defined with the match= property, or for the case of [admin:] stanzas a combination of match= and members= properties.

Features deprecated in Splunk 6.4.0 and later

These features have been deprecated in Splunk 6.4.0 and later.

Splunkbase App Certification Description
  x Check that <option name="height"> uses an integer for the value. Do not use <option name="height">[value]px</option>.
  x Check Simple XML files for <single> panels with deprecated options additionalClass, afterLabel, beforeLabel, classField, linkFields, linkSearch, linkView.
  x Check that views are not importing d3chartview.
  x Check that views are not importing googlemapsview.
  x Check that the appServerPorts property in the web.conf file does not contain port 0.
  x Check that a web.conf file does not use the property simple_xml_force_flash_charting.
  x Check that web.conf does not use the simple_xml_module_render property.
  x Check that web.conf does not use the simple_xml_module_render property.

Features deprecated in Splunk 6.5.0 and later

These features have been deprecated in Splunk 6.5.0 and later.

Splunkbase App Certification Description
  x Check Simple XML files for <list> element used in dashboards.
  x Check Simple XML files for <option> element with the deprecated option value "refresh.auto.interval".
  x Check that views are not importing splunkjs/mvc/headerview or splunkjs/mvc/footerview.


Deployment verification

One of the strengths of Splunk Enterprise is its ability to scale from a single-server deployment to a large, even global, deployment using the same binary. Similarly, you can write an app or add-on for a single-server deployment or a distributed deployment. For certification, Splunk tests your app or add-on in both a single-server and a distributed deployment.

  • Single-server deployment: In a single-server deployment, one instance of Splunk Enterprise acts as both a search head and an indexer. The instance can collect data locally, or you can deploy one or more forwarders to collect data. For single-server certification, Splunk analyzes your app or add-on on a single instance of Splunk wherein one indexer and one search head operate on the same server.
  • Distributed deployment: In a distributed deployment, you install Splunk Enterprise on at least two servers. At least one instance acts as a search head, and at least one acts as an indexer. Generally, you deploy one or more forwarders to collect data. On a distributed deployment, you may install apps or add-ons using a configuration management tool, such as a deployment server. For distributed deployment certification, Splunk analyzes your app or add-on on multiple indexers and at least one search head operating on separate servers.