Splunk Cloud app requirements and best practices

Develop an app or add-on to work with Splunk Cloud platform deployments.


About

Use the recommended practices for the Splunk App Certification Program whenever possible.

For more information, see About app certification.

Splunk AppInspect evaluates your Splunk platform app or add-on against a set of defined criteria and then produces a detailed report that lists any missed criteria, including Splunk Cloud-specific criteria. For more information, see AppInspect.

Note: Most Splunk certified apps are automatically approved for installation in Splunk Cloud. Some certified apps may not be authorized for Splunk Cloud because they are intended for on-premises Splunk Enterprise systems or for installation on Splunk Forwarders.

Prerequisites

Important: Splunk Cloud app developers and users of Splunk Cloud apps assume responsibility for ensuring proper usage of any third-party services that they choose to use in connection with Splunk Cloud, including compliance with any relevant terms and licenses. As a reminder and pursuant to Splunk Cloud Terms of Service, Splunk is not liable for any problems that might arise from sending data to those third-party services (including, without limitation, any disclosure, modification or deletion of data resulting from access to such third-party services) and does not provide any support for those services.

Required behaviors

For an app or add-on to be installed in Splunk Cloud, its developers must follow these requirements:

  1. Write all scripts for 64-bit Linux. The Splunk Cloud service runs on Linux-based servers, so all scripts must be able to run on Linux.
  2. Ensure that all network communication is encrypted and secure. Any configurable options that affect network communication must be secure as well.
  3. Ensure that all credentials (examples: API keys, account passwords, Base64 encoded private keys) that the app uses and stores are encrypted, preferably using the storage/passwords REST access endpoint. For more information, see Access endpoint descriptions in the REST API Reference Manual and Setup page example with user credentials in the Splunk Web Framework.
  4. Provide source code for review, either packaged with the app or by including a link to a public open source repository.
  5. Package the app according to the guidelines for Splunkbase apps. For more information, see Package and publish a Splunk app in the Splunk Web Framework. Specifically, you must:
    1. Package the app as a .tgz, .tar.gz, .zip, or .spl file.
    2. Remove all hidden files.
    3. Remove all executable binary files, unless source code is provided.
    4. Remove .pyo and .pyc files.
  6. Document all dependencies, installation procedures, and post-installation validation procedures, including a precise list of dependencies and their version numbers. To test your app effectively, Splunk needs to know what SDKs, apps, or add-ons are required for your app to run.
  7. Test app performance. Apps that cause significant performance degradation may be rejected.
  8. Ensure that any credentials required for the app to function are entered by the user in a setup or configuration screen. For more information, see the setup section of the Create a setup page in the Splunk Add-on Builder User Guide and Splunk Meet the Experts Advanced Visualizations on Github.
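Requirement 3 above calls for credentials to go through the storage/passwords REST endpoint rather than into a .conf file in clear text. The following is an added example, not code from the Splunk documentation or any Splunk SDK; it assumes a placeholder management URL, app name and session key, and the sample GET response is constructed here for offline use.

```python
import json
import urllib.parse
import urllib.request

# Placeholder values; replace with the real management URL and app name.
SPLUNK_URL = "https://localhost:8089"
APP = "my_app"


def passwords_url(app, realm="", username=""):
    """URL of the storage/passwords endpoint, optionally for one stored entry.
    Splunk names each entry "<realm>:<username>:", so that key is URL-encoded."""
    base = f"{SPLUNK_URL}/servicesNS/nobody/{app}/storage/passwords"
    if username:
        return base + "/" + urllib.parse.quote(f"{realm}:{username}:", safe="")
    return base


def build_store_request(session_key, realm, username, secret):
    """POST that creates the credential; Splunk stores it in passwords.conf
    encrypted with the instance's splunk.secret rather than in clear text."""
    body = urllib.parse.urlencode(
        {"name": username, "realm": realm, "password": secret}).encode()
    return urllib.request.Request(
        passwords_url(APP) + "?output_mode=json", data=body, method="POST",
        headers={"Authorization": f"Splunk {session_key}"})


def find_credential(response_json, realm, username):
    """Return the decrypted secret for realm/username from a GET response
    (GET passwords_url(...)?output_mode=json with the same Authorization header)."""
    for entry in json.loads(response_json).get("entry", []):
        content = entry.get("content", {})
        if content.get("realm") == realm and content.get("username") == username:
            return content.get("clear_password")
    return None


# Constructed sample of what the endpoint returns, used for offline testing.
SAMPLE_GET_RESPONSE = json.dumps({"entry": [{
    "name": "vendor_api:svc:",
    "content": {"realm": "vendor_api", "username": "svc",
                "password": "********", "clear_password": "s3cr3t-token",
                "encr_password": "$7$constructed-ciphertext"},
}]})

if __name__ == "__main__":
    req = build_store_request("SESSION_KEY_PLACEHOLDER", "vendor_api", "svc", "s3cr3t-token")
    print(req.method, req.full_url)
    print(find_credential(SAMPLE_GET_RESPONSE, "vendor_api", "svc"))
```

The session key would normally come from the modular input or setup handler that Splunk invokes, never from a value hard-coded in the app.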

Prohibited behaviors

Listed below are behaviors that are prohibited in apps and add-ons for Splunk Cloud:

  1. Do not require privilege elevation with sudo, groupadd, useradd, su, or other similar utilities.
  2. Do not use the Reverse Shell technique. For more information, see Reverse Shell on the Ubuntu Wiki site.
  3. Apps must not manipulate files outside of the app directory, except in the following circumstances:
    1. When writing to the Splunk server instance's log directory, $SPLUNK_HOME/var/log.
    2. When creating modular input checkpoints. For more information, see Data checkpoints in the Developing Views and Apps for Splunk Web manual.
  4. Apps must not manipulate processes outside of the app's own control, including the Splunk server instance and processes created by other apps.
  5. Apps must not manipulate the operating system.
  6. Apps must not allow file management through the user interface.
  7. Apps must not use any of the reserved ports: 443 (inbound only), 8080, 8089, 8443, 9887, 9997.
  8. Apps must not restart the Splunk Cloud server.
  9. Apps must not monitor the Splunk Cloud infrastructure.
  10. Apps must not send user data from the Splunk Cloud server to a third-party without the user's explicit consent.
  11. Do not provide automatic update features for scripts, executables, or libraries.

Recommended actions

The following actions are recommended before submitting an app for Splunk Cloud. They are not required.

  1. Create setup screens for users to configure the application. Splunk Cloud users can't access the shell or server file system, and can't manipulate .conf files directly. For more information, see Create a setup page for a Splunk app in the Splunk Web Framework.
  2. Provide clearly commented code to accelerate the review process.
  3. Use the Splunk Event Generator utility (Eventgen), and add an eventgen.conf file to your app to create sample data that helps developers understand how your app functions during the code review. For more information, see Eventgen in Splunkbase.
  4. Specify when an app requires multi-threading. Apps that require more than one thread per search may be forced to run on their own search head.
  5. Ensure that your app cleans up after itself, including freeing memory, terminating processes, and closing files.
  6. Provide version and build numbers in the app.conf file.
  7. Do not use #! to specify the Python interpreter in scripts. Splunk Cloud uses a customized Python interpreter to invoke all scripts.
  8. Do not unset LD_LIBRARY_PATH in your scripts (for example, with the command unset LD_LIBRARY_PATH), as doing so may prevent scripts from properly loading Splunk-provided libraries.

Cloud vetting


About

This topic provides a brief overview of the Cloud vetting process:

Cloud vetting is a process that determines whether an app is ready for use on Splunk Cloud. If a Splunk Cloud customer wants to run a Splunk platform app that is available on Splunkbase, the app must first be evaluated to help ensure the security of the Splunk Cloud environment as well as the data stored in that environment. Splunk Cloud vetting is performed as part of the certification process. Request certification as soon as possible.

There are several crucial differences between Splunk Enterprise and Splunk Cloud. While most Splunk platform apps available on Splunkbase are suitable for an on-premises Splunk Enterprise environment, they have not all been evaluated or certified for cases in which data must be transmitted to and stored in a cloud environment.

Cloud vetting process

Note: If you submit your Splunk app for app certification, it will undergo Cloud vetting as part of the certification process. You do not need to request Cloud vetting separately.

Cloud vetting consists of an automated process and an optional manual process. That is, Splunk Inc. first runs the AppInspect tool to perform automated vetting, and then, if necessary, a Splunk employee performs a manual vetting process to further evaluate the app.

The criteria that Splunk uses to vet a Splunk app for Splunk Cloud are listed above. Be aware that these criteria are always subject to change as new security threats are discovered and the Splunk platform is updated.

When an app passes Cloud vetting, Splunk Cloud is added to the list of supported products for that version of the app on Splunkbase. If the Cloud vetting was requested by a Splunk Cloud customer, the app is installed on the customer's Splunk Cloud instance upon successful Cloud vetting. For faster turnaround, consider running the AppInspect tool before you submit the app for review.


How to request Cloud vetting

Splunk Cloud customers can request that Cloud vetting be performed on a Splunk app on Splunkbase. To do so, a Splunk Cloud customer opens a support ticket with Splunk Support.

Prepare your Splunk app for Cloud vetting

  1. To prepare your Splunk app for Cloud vetting, review the requirements and recommendations for Splunk Cloud apps that are detailed above.

  2. Next, to verify that you've fulfilled all of the Splunk Cloud requirements, run the AppInspect tool in precert mode with the cloud tag set:

     splunk-appinspect inspect path/to/splunk/splunk_app.tgz --mode precert --included-tags cloud

  3. Look through the inspect command results:
  • One or more failures indicate that your app submission has failed Cloud vetting and is therefore not approved for installation on Splunk Cloud. Identify and fix the failures before running the command again.
  • One or more manual checks indicate that the Splunk app will require manual checking as part of the Cloud vetting process. This means that, if the Splunk app is submitted for Cloud vetting, a Splunk employee will check the app manually. The Cloud vetting process will most likely take longer, though the Splunk app is not any more or less likely to be approved. If you review the items that will be checked manually against the Splunk Cloud app requirements and best practices, they will be more likely to pass. Developers who clearly comment their work will be most likely to pass vetting, because they will have addressed possible concerns before submitting.
  • Apps that return zero failures or manual checks will most likely be quickly approved for installation on Splunk Cloud.
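The three outcomes above can be read off an AppInspect report mechanically. The following is an added example, not Splunk's code; it assumes the report was written as JSON (for example with --data-format json --output-file report.json added to the inspect command above) and that the report nests reports, groups and checks as in the constructed SAMPLE_REPORT, whose check names are made up.

```python
import json
from collections import Counter

# Constructed sample in the assumed layout of an AppInspect JSON report
# (reports -> groups -> checks, each check carrying a "result"). Check names
# are made up for the sample.
SAMPLE_REPORT = {"reports": [{"app_name": "my_app", "groups": [
    {"name": "cloud", "checks": [
        {"name": "check_reverse_shell_usage", "result": "success", "messages": []},
        {"name": "check_hidden_files", "result": "failure",
         "messages": [{"message": "hidden file found", "filename": "bin/.DS_Store"}]},
        {"name": "check_cleartext_credentials", "result": "manual_check",
         "messages": [{"message": "possible credential in default/app.conf"}]},
    ]},
]}]}


def collect_checks(report):
    """Flatten every check in every report/group into one list.
    Accepts the parsed report or its JSON text."""
    if isinstance(report, str):
        report = json.loads(report)
    return [check
            for rep in report.get("reports", [])
            for group in rep.get("groups", [])
            for check in group.get("checks", [])]


def triage(report):
    """Map the report onto the three outcomes: failed, manual_review, likely_approved.

    Returns (verdict, counts, findings); findings lists each failing or
    manual check with its messages so the developer can act on them."""
    checks = collect_checks(report)
    counts = Counter(c.get("result") for c in checks)
    if counts["failure"] or counts["error"]:
        verdict = "failed"          # fix these before re-running the inspect command
    elif counts["manual_check"]:
        verdict = "manual_review"   # a Splunk employee will look at these
    else:
        verdict = "likely_approved"
    findings = [
        (c["name"], c["result"], [m.get("message", "") for m in c.get("messages", [])])
        for c in checks if c.get("result") in ("failure", "error", "manual_check")]
    return verdict, dict(counts), findings


if __name__ == "__main__":
    verdict, counts, findings = triage(SAMPLE_REPORT)
    print(verdict, counts)
    for name, result, messages in findings:
        print(f"{result:13} {name}: {'; '.join(messages)}")
```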