Tips for creating Splunk apps

Post-processing for dashboards

You can save search resources by creating a dashboard that feeds all downstream panels with one single search. Use this type of post-processing to enhance the user experience in apps and add-ons that include dashboards to minimize the number of searches that are required. However, do not use post-processing if the parent search is non-reporting, which can lead to incomplete results. For more, see Searches power dashboards and forms in the Dashboards and Visualizations manual.

Techniques for summarization and acceleration

Splunk Enterprise is capable of generating reports on massive amounts of data. However, the amount of time to prepare such reports is directly proportional to the number of events they summarize. Plainly put, a lot of time is needed to report on very large data sets. Splunk evaluates apps and add-ons for their ability to accommodate data sets of all sizes. For more, see Overview of summary-based search and pivot acceleration in the Knowledge Manager Manual.

Splunk Enterprise provides the following methods for creating data summaries:

• Report acceleration uses automatically-created summaries to speed up completion times for certain kinds of reports.
• Data model acceleration uses automatically-created summaries to speed up completion times for pivots.
• Summary indexing enables search and report acceleration by manually creating summary indexes that exist separately from the main indexes.

Dashboard and user interface

Apps that have large quantities of charts and reports are discouraged. Use your best judgment, but apps that have dashboards with more than 20 charts or reports will not pass certification. Use forms when appropriate to allow for more robust reports. For more, see Form examples in the Dashboards and Visualizations manual.

Search efficiency

Use the following tips to help maximize your search efficiency:

• Carefully consider your use of the sort, eventstats, and join search commands, as well as use of subsearches.
• Use the TERM() directive for IP addresses when possible. For more, see Use CASE() and TERM() to match phrases in the Search Manual.
• Use reasonable lookups, CSV files, external data sources, and KV store lookups. For more, see Configure external lookups and Configure KV Store lookups in the Knowledge Manager Manual.

Deprecated and removed features

Deprecated features are those features that are slated to be removed in a future version of Splunk Enterprise but still work and are supported in the current version of the software. Splunk discourages you from using deprecated features, and will provide a report of any deprecated features you have used in your app or add-on. In addition to deprecated features, do not use features that have been removed from the Splunk software.

To determine which features have been deprecated or removed, see the Splunk Enterprise Release Notes.

Splunk Enterprise 5.x

Do not use any features that are specific to Splunk Enterprise 5.x in your app or add-on. For more information about migrating from Splunk Enterprise 5.x to 6.x or later, see Migration issues in the Developing Views and Apps for Splunk Web manual.