Vetting apps and add-ons for Splunk Cloud

Cloud vetting is a process that determines whether an app or add-on can be used in Splunk Cloud.

Apps and add-ons must be evaluated to help ensure the security of the Splunk Cloud environment, as well as the security of the data stored in that environment. In addition, Splunk Enterprise and Splunk Cloud have several crucial differences. While most apps and add-ons on Splunkbase are suitable for an on-premises Splunk Enterprise environment, they have not all been evaluated for transmitting and storing data in a cloud environment. Some apps might not be authorized for Splunk Cloud because they are intended for on-premises Splunk Enterprise systems or for installation on Splunk Forwarders.

Vetting for Splunk Cloud is performed when a Splunk Cloud customer requests that an app or add-on in Splunkbase be installed in their Splunk Cloud environment. A Splunk Cloud customer who wants to use an app or add-on can request that cloud vetting be performed by opening a support ticket with Splunk Support and Services. If the app or add-on passes cloud vetting, it is installed on the customer's instance of Splunk Cloud. If the app or add-on is hosted on Splunkbase, Splunk Cloud is added to the list of compatible products.

The rest of this topic describes the cloud vetting process for developers.

The cloud vetting process

Cloud vetting includes an automated and a manual process (if required):

  • Splunk Inc. runs the Splunk AppInspect tool to perform automated cloud vetting.
  • When necessary, a Splunk employee performs a manual cloud vetting process to further evaluate the app or add-on.

Prepare your app or add-on for cloud vetting

To prepare your app or add-on for cloud vetting:

  1. Review the Development requirements for Splunk Cloud below.
  2. Verify that you have fulfilled all of the Splunk Cloud requirements by running the Splunk AppInspect tool with the cloud tag. For example, use the AppInspect CLI as follows:

    splunk-appinspect inspect app_path/app_filename.tgz --mode precert --included-tags cloud

    Or, use the AppInspect REST API as follows:

    curl -X POST \
        -H "Authorization: bearer <token>" \
        -H "Cache-Control: no-cache" \
        -F "app_package=@\"app_path/app_filename.tgz\"" \
        -F "included_tags=cloud" \
        --url ""

    For more about AppInspect, see Overview of Splunk AppInspect.

  3. Review the inspect command results:
    • One or more failures indicate that your app or add-on has failed cloud vetting, and is therefore not approved for installation on Splunk Cloud. Identify and fix the failures, then run the command again.
    • One or more manual checks indicate that the app or add-on requires manual checking as part of the cloud vetting process. Therefore, when you submit your app, a Splunk employee must manually perform cloud vetting. The manual cloud vetting process will most likely take longer. To increase the chances of passing cloud vetting, follow the Development recommendations for Splunk Cloud below.
    • Apps or add-ons that return zero failures or manual checks are most likely to be quickly approved for installation on Splunk Cloud.

Splunk Cloud criteria

The criteria that Splunk uses to vet an app or add-on for Splunk Cloud are listed below. These criteria are subject to change as new security threats are discovered and the Splunk platform is updated.

Important: Splunk Cloud app developers and users of Splunk Cloud apps assume responsibility for ensuring proper usage of any third-party services that they choose to use in connection with Splunk Cloud, including compliance with any relevant terms and licenses. As a reminder and pursuant to Splunk Cloud Terms of Service, Splunk is not liable for any problems that might arise from sending data to those third-party services (including, without limitation, any disclosure, modification or deletion of data resulting from access to such third-party services) and does not provide any support for those services. For more information, see Splunk Cloud Terms of Service FAQs.

Development requirements for Splunk Cloud

This section lists the requirements for developing an app or add-on for installation in Splunk Cloud.

Do the following:

  • Write all scripts for 64-bit Linux. All scripts must be able to run on Linux, because the Splunk Cloud service runs on Linux-based servers.
  • Ensure that all network communication is encrypted and secured with the SSL protocol. Any configurable options that affect network communication must be secure as well.
  • Ensure that all credentials that are used and stored by the app (such as API keys, account passwords, and Base64-encoded private keys) are encrypted, using the storage/passwords REST endpoint. For more information, see Access endpoint descriptions in the REST API Reference Manual and Setup page example with user credentials.
  • Provide source code for review, by providing it with the packaged app or by including a link to a public open-source repository.
  • Package the app according to these guidelines for Splunkbase apps:
    • Package the app as a .tgz, .tar.gz, or .spl file.
    • Remove all hidden files.
    • Remove all executable binary files, unless source code is provided.
    • Remove .pyo and .pyc files.
  • Document all dependencies, installation procedures, and post-installation validation procedures, including a precise list of dependencies with their version numbers. To test your app effectively, Splunk needs to know which SDKs, apps, or add-ons are required to run your app.
  • Test your app's performance. Apps that cause significant performance degradation might be rejected.
  • Ensure that any credentials required for the app to function are entered by the user in a setup or configuration page. For more information, see Create a setup page in the Splunk Add-on Builder User Guide and Splunk Meet the Experts Advanced Visualizations on Github.
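The credential requirement above says secrets go through the storage/passwords REST endpoint rather than into an app's own .conf files. As an added example (not Splunk's documentation or SDK code), the following builds the POST that stores a credential and the GET that reads it back, and picks the decrypted value out of the endpoint's JSON response; the base URL, session key, app name and the sample response are constructed placeholders.

```python
"""Store and read back an app credential via splunkd's storage/passwords endpoint.

Added example, not Splunk's own code. Assumes a splunkd management base URL and a
session key (for example from a setup page or modular input); the Request objects
can be sent with urllib.request.urlopen in a real app.
"""
import json
import urllib.parse
import urllib.request


def build_store_request(base_url, session_key, app, realm, username, password):
    """POST to storage/passwords so splunkd encrypts the secret into passwords.conf;
    'name' is the username and 'realm' namespaces it (realm:username:)."""
    url = f"{base_url}/servicesNS/nobody/{urllib.parse.quote(app)}/storage/passwords"
    body = urllib.parse.urlencode(
        {"name": username, "password": password, "realm": realm, "output_mode": "json"}
    ).encode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": f"Splunk {session_key}"},
    )


def build_read_request(base_url, session_key, app):
    """GET the stored entries; splunkd decrypts them on read for an authorized session."""
    url = (f"{base_url}/servicesNS/nobody/{urllib.parse.quote(app)}"
           "/storage/passwords?output_mode=json")
    return urllib.request.Request(url, headers={"Authorization": f"Splunk {session_key}"})


def find_clear_password(response_json, realm, username):
    """Return content.clear_password of the entry matching realm and username, else None."""
    for entry in json.loads(response_json).get("entry", []):
        content = entry.get("content", {})
        if content.get("realm") == realm and content.get("username") == username:
            return content.get("clear_password")
    return None


# Constructed, abridged sample of the JSON the GET returns (not captured from a server).
SAMPLE_RESPONSE = json.dumps({"entry": [
    {"name": "example_api:svc_user:",
     "content": {"realm": "example_api", "username": "svc_user",
                 "encr_password": "$7$...", "clear_password": "s3cret-value"}},
]})

if __name__ == "__main__":
    req = build_store_request("https://splunkd.example", "<session-key>",
                              "my_app", "example_api", "svc_user", "s3cret-value")
    print(req.get_method(), req.full_url)
    print(find_clear_password(SAMPLE_RESPONSE, "example_api", "svc_user"))
```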

The following practices must be avoided when developing apps and add-ons for Splunk Cloud:

  • Do not require privilege elevation with sudo, groupadd, useradd, su, or other similar utilities.
  • Do not use the reverse shell technique. For more information, see ReverseShell on the Ubuntu Wiki site.
  • Do not allow your app or add-on to manipulate files outside of the app directory, except in the following circumstances:
    • When writing to the Splunk software log directory, $SPLUNK_HOME/var/log.
    • When creating modular input checkpoints. For more information, see Data checkpoints in the Developing Views and Apps for Splunk Web manual.
  • Do not allow your app or add-on to manipulate processes outside of the app's control, including the Splunk software instance or processes created by other apps.
  • Do not allow your app or add-on to manipulate the operating system.
  • Do not allow your app or add-on to allow file management through the user interface.
  • Do not allow your app or add-on to use any of the reserved ports 443 (inbound only), 8080, 8089, 8443, 9887, or 9997.
  • Do not allow your app or add-on to restart the Splunk Cloud server.
  • Do not allow your app or add-on to monitor the Splunk Cloud infrastructure.
  • Do not allow your app or add-on to send user data from the Splunk Cloud server to a third party without the user's explicit consent.
  • Do not provide automatic update features for scripts, executables, or libraries.

Development recommendations for Splunk Cloud

The following practices are recommended, but not required, for developing apps or add-ons for Splunk Cloud:

  • Create setup pages that allow users to configure the app or add-on. Splunk Cloud users cannot access the shell or server file system, and cannot manipulate Splunk configuration files directly. For more information, see Create a setup page for a Splunk app.
  • Clearly comment your code to accelerate the review process.
  • Provide sample data with your app or add-on using the Splunk Event Generator utility (Eventgen), along with an eventgen.conf file. Sample data helps demonstrate how your app or add-on functions during the code review. For more information, see the Eventgen app on Splunkbase.
  • Specify when an app or add-on requires multi-threading. Apps or add-ons that require more than one thread per search might be forced to run on their own search head.
  • Ensure that your app or add-on cleans up after itself, including freeing memory, terminating processes, and closing files.
  • Provide version and build numbers in the app configuration file (app.conf). For more, see app.conf in the Admin Manual.
  • Do not use "#!" characters to specify the Python interpreter in scripts. Splunk Cloud uses a customized Python interpreter to invoke all scripts.
  • Do not use the Python command unset LD_LIBRARY_PATH, because it might prevent scripts from properly mapping Splunk software libraries.
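As an added example (not Splunk's AppInspect or any Splunk code), a small pre-submission lint that approximates several of the rules on this page: the packaging guidelines (hidden files, .pyc/.pyo files, binaries without source), the privilege-elevation and reserved-port prohibitions, and the recommendation against shebang lines. It builds a constructed sample app in a temporary directory; point lint_app at your own unpacked app before running AppInspect with the cloud tag.

```python
import os
import re
import tempfile

# Reserved Splunk Cloud ports (443 is inbound-only, so it is not matched) and privilege tools.
RESERVED_PORTS = re.compile(r"\b(8080|8089|8443|9887|9997)\b")
PRIV_ESCALATION = re.compile(r"\b(sudo|su|useradd|groupadd)\b")

def lint_app(app_dir):
    """Walk an unpacked app and return sorted (relative_path, finding) pairs."""
    findings = []
    for root, _dirs, files in os.walk(app_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, app_dir)
            if any(part.startswith(".") for part in rel.split(os.sep)):
                findings.append((rel, "hidden file"))
            if name.endswith((".pyc", ".pyo")):
                findings.append((rel, "compiled Python file"))
            with open(path, "rb") as fh:
                head = fh.read(4096)
            if b"\x00" in head:  # crude binary sniff: a NUL byte in the first 4 KiB
                findings.append((rel, "binary file; provide source instead"))
                continue
            text = head.decode("utf-8", "replace")
            if name.endswith(".py") and text.startswith("#!"):
                findings.append((rel, "shebang line; Splunk Cloud selects the interpreter"))
            if name.endswith((".py", ".sh")) and PRIV_ESCALATION.search(text):
                findings.append((rel, "privilege-elevation command"))
            if name.endswith(".conf") and RESERVED_PORTS.search(text):
                findings.append((rel, "reserved Splunk Cloud port"))
    return sorted(findings)

def make_sample_app():
    """Constructed sample app tree (not a real app) with one violation of each kind."""
    app_dir = tempfile.mkdtemp(prefix="sample_app_")
    files = {
        "bin/collect.py": b"#!/usr/bin/env python\nimport os\nos.system('sudo useradd svc')\n",
        "bin/helper.pyc": b"\x00\x00compiled",
        "default/inputs.conf": b"[tcp://9997]\nindex = main\n",
        "default/app.conf": b"[launcher]\nversion = 1.0.0\n",
        ".DS_Store": b"",
    }
    for rel, data in files.items():
        path = os.path.join(app_dir, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return app_dir
```

Running `for rel, f in lint_app(make_sample_app()): print(rel, f)` lists each planted violation; default/app.conf produces no finding.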