About vetting for Splunk Cloud

Cloud vetting is a process in which Splunk determines whether an app is ready for use on Splunk Cloud. Splunk Cloud customers can request vetting of a particular Splunk app. This topic provides a brief overview of the cloud-vetting process.

Why cloud vetting?

If a Splunk Cloud customer wants to run a Splunk app that is available on Splunkbase, the app must first be evaluated for suitability for Splunk Cloud. There are several crucial differences between Splunk Enterprise and Splunk Cloud, and cloud vetting is necessary to help ensure the security of the Splunk Cloud environment and the data stored in that environment. While the vast majority of Splunk apps available on Splunkbase are ready for Splunk Enterprise, they have not all been evaluated for use on Splunk Cloud (that is, listed as compatible with Splunk Cloud on Splunkbase). Some apps are suitable for an on-premises Splunk Enterprise instance, but aren't appropriate when data needs to be transmitted and stored in a cloud environment.

How to request cloud vetting

Cloud vetting is primarily a customer-driven process. That is, Splunk Cloud customers can request that cloud vetting be performed on a Splunk app on Splunkbase. To do so, a Splunk Cloud customer opens a support ticket with Splunk Support.

Prepare your Splunk app for cloud vetting

To prepare your Splunk app for cloud vetting, review the requirements and recommendations for Splunk Cloud apps that are detailed on Splunk Cloud app requirements and best practices.

Next, to verify that you've fulfilled all of the Splunk Cloud requirements, run the AppInspect tool in precert mode with the cloud tag set.

For example, use the AppInspect CLI as follows:

splunk-appinspect inspect app_path/app_filename.tgz --mode precert --included-tags cloud

Or, use the AppInspect REST API as follows:

curl -X POST \
	-H "Authorization: bearer <token>" \
	-H "Cache-Control: no-cache" \
	-F "app_package=@\"app_path/app_filename.tgz\"" \
	-F "included_tags=cloud" \
	--url "https://appinspect.splunk.com/v1/app/validate"

Look through the inspect command results:

  • One or more failures indicate that the Splunk app failed cloud vetting, and is therefore not approved for installation on Splunk Cloud. The Splunk app developer should fix the failures, and then try running the command again.
  • One or more manual checks indicate that the Splunk app will require manual checking as part of the cloud vetting process. This means that, if the Splunk app is submitted for cloud vetting, a Splunk employee will check the app manually. The cloud vetting process will most likely take longer. If you review the items that will be checked manually against the Splunk Cloud app requirements and best practices, those items will be more likely to pass. Developers who clearly comment their work will be most likely to pass vetting, because they will have addressed possible concerns before submitting.
  • Apps that return zero failures or manual checks will most likely be quickly approved for installation on Splunk Cloud.
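
The three outcomes above can be applied automatically to a JSON report, for instance as a pre-submission gate in a build pipeline. The following is an added example, not part of the original topic or of the AppInspect tool; the report layout it reads (reports, then groups, then checks, each check carrying a "name" and a "result") is an assumption, and the sample report and check names are constructed.

```python
# Constructed sample report (not real AppInspect output). The layout
# reports -> groups -> checks, each check with "name" and "result",
# is an assumption about the JSON report format.
SAMPLE_REPORT = {
    "reports": [{
        "groups": [
            {"checks": [
                {"name": "check_one", "result": "success"},
                {"name": "check_two", "result": "manual_check"},
            ]},
            {"checks": [
                {"name": "check_three", "result": "failure"},
                {"name": "check_four", "result": "not_applicable"},
            ]},
        ],
    }],
}


def triage(report):
    """Return (verdict, findings) using the three-way reading of the results."""
    found = {"failure": [], "manual_check": []}
    seen = 0
    for app in report.get("reports", []):
        for group in app.get("groups", []):
            for check in group.get("checks", []):
                seen += 1
                result = check.get("result")
                if result in found:
                    found[result].append(check.get("name", "<unnamed>"))
    if seen == 0:
        # An empty or truncated report must not be read as a clean pass.
        raise ValueError("report contains no checks")
    if found["failure"]:
        verdict = "fix-before-submitting"      # failed cloud vetting
    elif found["manual_check"]:
        verdict = "expect-manual-review"       # a Splunk employee will check
    else:
        verdict = "likely-quick-approval"      # zero failures, zero manual checks
    return verdict, found


def exit_code(verdict):
    """Build gate: block only on failures; manual checks are informational."""
    return 1 if verdict == "fix-before-submitting" else 0


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

The list of manual-check names it returns is the set of items to review against the Splunk Cloud app requirements and best practices before submitting.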

How cloud vetting works

Cloud vetting consists of an automated process and an optional manual process. That is, Splunk first runs the AppInspect tool to perform automated vetting, and then, if necessary, a Splunk employee performs a manual vetting process to further evaluate the app.

The criteria that Splunk uses to vet a Splunk app for Splunk Cloud are listed on Splunk Cloud app requirements and best practices. Be aware that these criteria are always subject to change as new security threats are discovered and the Splunk platform is updated.

If the AppInspect tool returns no failures, and the app either requires no manual checks or passes those that are required, Splunk will most likely approve the Splunk app for Splunk Cloud. If the cloud vetting was requested by a Splunk Cloud customer, the app is installed on the customer's Splunk Cloud instance upon successful cloud vetting.

If a Splunk app has already been successfully vetted for Splunk Cloud, new versions of the Splunk app will most likely be vetted more quickly.