Splunk Cloud app requirements and best practices

For an app to be installed in Splunk Cloud, it must meet the requirements specified in the first two sections of this topic. The third section lists several highly recommended, but not required, actions.

Whenever possible, you should follow the recommended practices for the Splunk App Certification Program. Splunk certified apps are automatically approved for installation in Splunk Cloud. For more information, see About app certification.

Splunk AppInspect is now available. AppInspect evaluates your Splunk app against a set of defined criteria and then produces a detailed report that clearly lists any missed criteria, including Splunk Cloud-specific criteria. For more information, see AppInspect.

Note: Some certified apps may not be authorized for Splunk Cloud because they are intended for on-premises Splunk Enterprise systems or for installation on Splunk Forwarders.


Important: Splunk Cloud app developers and users of Splunk Cloud apps assume responsibility for ensuring proper usage of any third-party services that they choose to use in connection with Splunk Cloud, including compliance with any relevant terms and licenses. As a reminder and pursuant to Splunk Cloud Terms of Service, Splunk is not liable for any problems that might arise from sending data to those third-party services (including, without limitation, any disclosure, modification or deletion of data resulting from access to such third-party services) and does not provide any support for those services.

Required behaviors

All developers of apps for Splunk Cloud must follow these requirements:

  1. Write all scripts for 64-bit Linux. The Splunk Cloud service runs on Linux-based servers, so all scripts must be able to run on Linux.
  2. Ensure that all network communication is encrypted and secure. Any configurable options that affect network communication must be secure as well.
  3. Ensure that all credentials that the app uses and stores are encrypted, preferably using the storage/passwords REST access endpoint. For more information, see Access endpoint descriptions in the REST API Reference Manual and Setup page example with user credentials in the Splunk Web Framework.
  4. Provide source code for review, either packaged with the app or by including a link to a public open source repository.
  5. Package the app according to the guidelines for Splunkbase apps. For more information, see Package and publish a Splunk app in the Splunk Web Framework. Specifically, you must:
    1. Package the app as a .tar, .tgz, .tar.gz, .zip, or .spl file.
    2. Remove all hidden files.
    3. Remove all executable binary files, unless source code is provided.
    4. Remove .pyo and .pyc files.
  6. Provide clear instructions for installation and post-installation validation, including a precise list of dependencies and their version numbers.
  7. Test app performance. Apps that cause significant performance degradation may be rejected.
  8. Document all dependencies and installation procedures. To test your app effectively, Splunk needs to know what SDKs, apps, or add-ons are required for your app to run.
  9. Ensure that any credentials required for the app to function are entered by the user in a setup or configuration screen.
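
A pre-submission check for the packaging rules in requirement 5, as an added example that is not Splunk's own tooling and not a substitute for AppInspect. It reads tar-based packages only (it assumes .spl is a gzip-compressed tar; a .zip package would need zipfile instead), and the app name and file names in the sample are constructed.

```python
import io
import tarfile
from pathlib import PurePosixPath

ALLOWED_SUFFIXES = (".tar", ".tgz", ".tar.gz", ".zip", ".spl")
ELF_MAGIC = b"\x7fELF"  # first four bytes of a Linux executable or shared object


def audit_package(filename, data):
    """Return sorted (path, problem) findings for a tar-based app package."""
    findings = []
    if not filename.endswith(ALLOWED_SUFFIXES):
        findings.append((filename, "unsupported package extension"))
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            path = PurePosixPath(member.name)
            # A dot-prefixed component anywhere in the path hides the file (.git/, .DS_Store, ._x).
            if any(p.startswith(".") and p not in (".", "..") for p in path.parts):
                findings.append((member.name, "hidden file"))
            if path.suffix in (".pyc", ".pyo"):
                findings.append((member.name, "compiled Python file"))
            # Identify binaries by content, not by name or mode bits.
            if tar.extractfile(member).read(4) == ELF_MAGIC:
                findings.append((member.name, "executable binary (needs source code)"))
    return sorted(findings)


def build_sample():
    """Constructed sample package, built in memory for the demonstration."""
    files = {
        "myapp/default/app.conf": b"[launcher]\nversion = 1.0.0\n",
        "myapp/bin/collect.py": b"print('ok')\n",
        "myapp/bin/collect.pyc": b"\x00\x00",
        "myapp/.git/config": b"[core]\n",
        "myapp/bin/helper": ELF_MAGIC + b"\x02\x01\x01",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    for path, problem in audit_package("myapp.tgz", build_sample()):
        print(f"{path}: {problem}")
```

An ELF file is reported even when source accompanies it, because the check cannot tell whether the shipped source actually corresponds to the binary; that finding is a prompt to confirm the source is included or linked.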

Prohibited behaviors

Listed here are behaviors that are prohibited in apps for Splunk Cloud:

  1. Do not require privilege elevation with sudo, groupadd, useradd, su, or other similar utilities.
  2. Do not use the Reverse Shell technique. For more information, see Reverse Shell on the Ubuntu Wiki site.
  3. Apps must not manipulate files outside of the app directory, except in the following circumstances:
    1. When writing to the Splunk server instance's log directory, $SPLUNK_HOME/var/log.
    2. When creating modular input checkpoints. For more information, see Data checkpoints in the Developing Views and Apps for Splunk Web manual.
  4. Apps must not manipulate processes outside of the app's control, including the Splunk server instance and processes created by other apps.
  5. Apps must not manipulate the operating system.
  6. Apps must not allow file management through the user interface.
  7. Apps must not use any of the reserved ports: 443 (inbound only), 8080, 8089, 8443, 9887, 9997.
  8. Apps must not restart the Splunk Cloud server.
  9. Apps must not monitor the Splunk Cloud infrastructure.
  10. Apps must not send user data from the Splunk Cloud server to a third party without the user's explicit consent.
  11. Do not provide automatic update features for scripts, executables, or libraries.

Recommended actions

The following actions are recommended before submitting an app for Splunk Cloud. They are not required.

  1. Create setup screens for users to configure the application. Splunk Cloud users can't access the shell or server file system, and can't manipulate .conf files directly. For more information, see Create a setup page for a Splunk app in the Splunk Web Framework.
  2. Provide clearly commented code to accelerate the review process.
  3. Use the Splunk Event Generator utility (Eventgen), and add an eventgen.conf file to your app to create sample data that helps developers understand how your app functions during the code review. For more information, see Eventgen in Splunkbase.
  4. Specify when an app requires multi-threading. Apps that require more than one thread per search may be forced to run on their own search head.
  5. Ensure that your app cleans up after itself, including freeing memory, terminating processes, and closing files.
  6. Provide version and build numbers in the app.conf file.
  7. Do not use #! to specify the Python interpreter in scripts. Splunk Cloud uses a customized Python interpreter to invoke all scripts.
  8. Do not use the Python command unset LD_LIBRARY_PATH, as it may prevent scripts from properly mapping Splunk-provided libraries.