Resources & Helpful Links

Tips for a better Splunk App experience

  • Post-processing for dashboards: You can save search resources by creating a dashboard that feeds all downstream panels with one single search. Use this kind of post-processing to enhance the user experience in apps and add-ons that include dashboards, since it can work to minimize the number of searches required. However, do not use post-processing if the parent search is non-reporting since this can lead to incomplete results. For more information, see "Searches power dashboards and forms."
  • Summarization and acceleration techniques: Splunk Enterprise is capable of generating reports on massive amounts of data. However, the amount of time it takes to prepare such reports is directly proportional to the number of events they summarize. Plainly put, it can take a lot of time to report on very large data sets. Splunk evaluates apps and add-ons for their ability to accommodate data sets of all sizes. For more information, see "Overview of summary-based search and pivot acceleration." Splunk Enterprise provides three data summary creation methods:
    • Report acceleration uses automatically-created summaries to speed up completion times for certain kinds of reports.
    • Data model acceleration uses automatically-created summaries to speed up completion times for pivots.
    • Summary indexing enables search and report acceleration by manually creating summary indexes that exist separately from the main indexes.
  • Dashboard and user interface: Splunk discourages submitting apps that have large quantities of charts and reports. Use your own best judgment, but your app will not pass certification if it has dashboards with over twenty charts or reports. Splunk encourages you to use forms, when appropriate, to allow for more robust reports. For more information, see "Form examples."
  • Search efficiency: The search processing language (SPL) offers an arsenal of commands, but users do not always use them efficiently. Splunk encourages you to maximize search efficiency. A few examples follow.
  • Deprecated and removed features: Deprecated features are features Splunk plans to remove in a future version of Splunk Enterprise, but which still work and are supported in the current version of the software. Splunk discourages you from using deprecated features, and will provide a report of any deprecated features you have used in your app or add-on. Removed features are features that Splunk has removed from Splunk Enterprise. Do not use removed features. To determine any deprecated or removed features for the most recent release of Splunk Enterprise, consult the Release Notes.
  • Splunk Enterprise 5.x: Do not use any Splunk Enterprise 5.x-specific features in your app or add-on. For more information about migration issues from Splunk Enterprise 5.x to Splunk Enterprise 6.x, see "Migration issues".
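
The post-processing tip above, sketched as a Simple XML dashboard. This is an added example, not taken from the original page or from Splunk's own material. The index, sourcetype, field names and the search id `auth_base` are assumptions, and it assumes a Splunk Enterprise version whose Simple XML supports the `id` and `base` attributes on `<search>`.

```xml
<dashboard>
  <label>Authentication overview (example)</label>

  <!-- Base search: dispatched once for the whole dashboard.
       It ends in a transforming command (stats), so it is a reporting
       search and the panels below receive complete, aggregated results. -->
  <search id="auth_base">
    <!-- index, sourcetype and field names are assumed for illustration -->
    <query>index=security sourcetype=linux_secure action=* | stats count by action, user, src</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>

  <row>
    <panel>
      <title>Failed logins by user</title>
      <table>
        <!-- Post-process search: filters and re-aggregates the base
             results without dispatching a second search job. -->
        <search base="auth_base">
          <query>| search action=failure | stats sum(count) AS failures by user | sort - failures</query>
        </search>
      </table>
    </panel>
    <panel>
      <title>Events by action</title>
      <chart>
        <search base="auth_base">
          <query>| stats sum(count) AS events by action</query>
        </search>
        <option name="charting.chart">pie</option>
      </chart>
    </panel>
    <panel>
      <title>Top sources of failed logins</title>
      <table>
        <search base="auth_base">
          <query>| search action=failure | stats sum(count) AS failures by src | sort - failures | head 10</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

Every field a panel needs (`action`, `user`, `src`) must be carried through the base search's `stats ... by` clause, because post-process searches see only the base search's output, not the raw events.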