Splunk AppInspect check criteria

When you submit your app or add-on for certification, it is evaluated against a set of criteria for use in Splunk platform deployments.

Dynamic checks are performed only when you use the AppInspect API, not the AppInspect CLI tool, to vet your app.

Checklist for submission

2019-08-12 (AppInspect API v2019.08, CLI v1.7.2)

Alert actions structure and standards

Custom alert actions are defined in an alert_actions.conf file located in the /default directory of the app. For more, see Custom alert actions overview and alert_actions.conf.

Check Name splunk_appinspect cloud Description
check_alert_actions_conf_exists x Check that a valid alert_actions.conf file exists at default/alert_actions.conf.
check_alert_actions_exe_exist x x Check that each custom alert action has a valid executable.
check_alert_icon_exists_for_custom_alerts x Check that icon files defined for alert actions in alert_actions.conf exist. Custom Alert Action Component Reference
check_for_explict_exe_args x Check whether any custom alert actions have executable arguments.
check_for_payload_format x Check that each custom alert action's payload format has a value of xml or json.
check_workflow_html_exists_for_custom_alert x Check that each custom alert action has an associated html file.

App.conf standards

The app.conf file located at default/app.conf provides key application information and branding. For more, see app.conf.

Check Name splunk_appinspect cloud Description
check_app_version x Check that the app.conf contains an application version number in the [launcher] stanza.
check_for_invalid_app_names x Check that when default/app.conf has author = <some words that are not about Splunk>, it does not have label or description attributes with values of Splunk App for XXXX.
check_for_trigger_stanza x x Check that default/app.conf doesn't have a reload.<CONF_FILE>, where CONF_FILE is a non-custom conf. (https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Appconf#.5Btriggers.5D)
check_no_install_source_checksum x x Check that install_source_checksum is not set explicitly in default/app.conf.
check_that_setup_has_not_been_performed x Check that default/app.conf setting is_configured = False.

Application content structure standards

Ensure that the application content adheres to Splunk standards.

Check Name splunk_appinspect cloud Description
check_app_icon_2x_dimensions x Check that static/appIcon_2x is 72x72px or less
check_app_icon_2x_is_png x Check that static/appIcon_2x is a png file
check_app_icon_alt_2x_dimensions x Check that static/appIconAlt_2x.png is 72x72px or less
check_app_icon_alt_2x_is_png x Check that static/appIconAlt_2x is a png file
check_app_icon_alt_dimensions x Check that static/appIconAlt.png is 36x36px or less
check_app_icon_alt_is_png x Check that static/appIconAlt is a png file
check_app_icon_dimensions x Check that static/appIcon is 36x36px or less
check_app_icon_is_png x Check that static/appIcon is a png file
check_app_logo_2x_dimensions x Check that static/appLogo_2x.png is 320x80px or less
check_app_logo_2x_is_png x Check that static/appLogo_2x is a png file
check_app_logo_dimensions x Check that static/appLogo.png is 160x40px or less
check_app_logo_is_png x Check that static/appLogo is a png file

Appropriate use of sensitive functionality

Check Name splunk_appinspect cloud Description
check_implements_data_models x Check that the use of datamodels is explained in the app's documentation.
check_implements_inputcsv x Check that the use of inputcsv is explained in the app's documentation.
check_implements_outputcsv x Check that the use of outputcsv is explained in the app's documentation.
check_implements_tscollect x Check that use of 'tscollect' is explained in the app's documentation.
check_initiates_outbound_communications x Check that any outbound network communications in outputs.conf are explained in the app's documentation.
check_requires_access_to_files_outside_apps_dir x Check that file access outside of the app's home directory, $SPLUNK_HOME/var/log, $SPLUNK_HOME/var/run, and system temporary directories is explained in the app's documentation.
check_uses_eventgen x Check that use of 'eventgen.conf' is explained in the app's documentation.

Authentication.conf file standards

Ensure that bindDNpassword is not specified. For more, see authentication.conf.

Check Name splunk_appinspect cloud Description
check_authentication_conf_does_not_have_binddnpassword_property x Check that stanzas in authentication.conf do not use the bindDNpassword property.
check_saml_auth_should_not_turn_off_signed_assertion x x Check that saml-* stanzas in authentication.conf do not turn off the signedAssertion property.

Authorize.conf file standards

Ensure that the authorize configuration file located in the /default folder is well formed and valid. For more, see authorize.conf.

Check Name splunk_appinspect cloud Description
check_authorize_conf_capability_not_modified x x Check that authorize.conf does not contain any modified capabilities.

Calls to external data sources

Check Name splunk_appinspect cloud Description
check_external_data_sources x Check that all external data sources are explained in the app's documentation.

Cloud operations simple application check

This group serves to help validate simple applications in an effort to try and automate the validation process for cloud operations.

Check Name splunk_appinspect cloud Description
check_alert_actions_conf_for_alert_execute_cmd_properties x Check that commands referenced in the alert.execute.cmd property of all alert actions are checked for compliance with Splunk Cloud security policy.
check_audit_conf_black_list x Check that app does not contain audit.conf, as it is prohibited in Splunk Cloud due to its ability to configure/disable cryptographic signing and certificates.
check_authentication_conf_black_list x Check that app does not contain authentication.conf, as it is prohibited in Splunk Cloud due to its ability to configure LDAP authentication and could contain LDAP credentials in plain text.
check_authorize_conf_admin_all_objects_privileges x x Check that authorize.conf does not grant excessive administrative permissions to the user.
check_command_scripts_exist_for_cloud x Check that custom search commands have an executable or script per stanza.
check_datatypesbnf_conf_black_list x Check that app does not contain datatypesbnf.conf, as it is prohibited in Splunk Cloud.
check_default_data_ui_alerts_file_white_list x Check that default/data/ui/alerts contains only .xml or .html files.
check_default_data_ui_html_file_white_list x Check that default/data/ui/html contains only .xml or .html files.
check_default_data_ui_manager_for_plain_text_credentials x Check default/data/ui/manager for any files that use password/key/secret and other keywords.
check_default_data_ui_nav_file_white_list x Check that default/data/ui/nav contains only .xml or .html files.
check_default_data_ui_panels_directory_file_white_list x Check that default/data/ui/panels contains only .xml or .html files.
check_default_data_ui_quickstart_file_white_list x Check that default/data/ui/quickstart contains only .xml or .html files.
check_default_data_ui_views_directory_file_white_list x Check that default/data/ui/views contains only allowed files.
check_default_mode_conf_black_list x Check that app does not contain default-mode.conf, as it is prohibited in Splunk Cloud because Splunk Light Forwarders and Splunk Universal Forwarders are not run in Splunk Cloud.
check_deployment_conf_black_list Check that app does not contain deployment.conf. Apps should leave deployment configuration up to Splunk administrators. Also, deployment.conf has been removed and replaced by: 1) deploymentclient.conf - for configuring Deployment Clients 2) serverclass.conf - for Deployment Server server class configuration.
check_deploymentclient_conf_black_list x x Check that app does not contain deploymentclient.conf as it configures the deployment server client. Apps should leave deployment configuration up to Splunk administrators.
check_distsearch_conf_for_concerning_replicated_file_size x Check if concerningReplicatedFileSize in distsearch.conf is larger than 50 MB.
check_for_auto_update_features x x Check that the app does not implement auto-update features.
check_for_binary_files_without_source_code x x Check that all executable binary files have matching source code. For any binary file, source code with the same name should be provided, or the app's README should declare what the binary file is for. Details for passing this check will be returned if you fail it.
check_for_communication_with_third_party_services x x Check that the app exports data to 3rd party services. Splunk Cloud Application Security policy defines "Exporting Splunk Data to 3rd party service" as a moderate security risk and may or may not be permitted based on cumulative risk score.
check_for_implementing_tscollect x Check for use of 'tscollect' in .conf files and dashboard XML files; if it is found, the check fails.
check_for_index_volume_usage x Check that indexes.conf does not declare volumes.
check_for_inputs_fifo_or_monitor_usage x Check that a [fifo] or [monitor] stanza is not used in inputs.conf unless the input stanza is used to ingest data from $SPLUNK_HOME/var/log/splunk.
check_for_java x Check whether the app contains java files. Java files will be inspected for compliance with Splunk Cloud security policy.
check_for_known_vulnerabilities_in_third_party_libraries x x Check third party libraries for known vulnerabilities. Splunk Cloud Application Security policy defines "Included application libraries have multiple vulnerabilities not covered by the components in Transit" as a moderate security risk and may or may not be permitted based on cumulative risk score.
check_for_lookup_tables_prefilled_with_customer_data x x Check for pre-filled lookup tables. Splunk Cloud Application Security policy defines "Lookup Table with Customer Supplied Data" as a minor risk and may or may not be permitted based on cumulative risk score.
check_for_monitoring_of_splunk_cloud_infrastructure x x Check that the app does not monitor Splunk Cloud infrastructure.
check_for_perl x Check if the app contains Perl scripts. Perl scripts will be inspected for compliance with Splunk Cloud security policy.
check_for_required_access_to_private_infrastructure x x Check that the app requires access to private infrastructure. Splunk Cloud Application Security policy defines "Network access required to customer service and or infrastructure" as a minor risk and may or may not be permitted based on cumulative risk score.
check_for_reverse_shells x x Check that the app does not contain reverse shells.
check_indexes_conf_only_uses_splunk_db_variable x Check that indexes defined in indexes.conf use relative paths starting with $SPLUNK_DB.
check_inputs_conf_for_batch x Check that batch input accesses files in a permitted way. To be permissible, the batch input must meet the following criteria: 1) The file path needs to match a file in the directory "$SPLUNK_HOME/var/spool/splunk/" 2) The file name needs to be application specific "$SPLUNK_HOME/etc/apps/<my_app>" 3) The file name should not end with "stash" or "stash_new"
check_inputs_conf_for_fschange x Check that default/inputs.conf or local/inputs.conf does not contain a fschange stanza.
check_inputs_conf_for_global_settings x Check that default/inputs.conf or local/inputs.conf does not use any global settings.
check_inputs_conf_for_http_global_usage x Check that default/inputs.conf or local/inputs.conf does not contain a [http] stanza.
check_inputs_conf_for_splunk_tcp x Check that default/inputs.conf or local/inputs.conf does not contain a splunktcp stanza.
check_inputs_conf_for_splunktcptoken x Check that default/inputs.conf or local/inputs.conf does not contain a splunktcptoken stanza.
check_inputs_conf_for_ssl x Check that inputs.conf does not have any SSL inputs.
check_inputs_conf_for_tcp x Check that default/inputs.conf or local/inputs.conf does not contain a tcp stanza.
check_inputs_conf_for_udp x x Check that inputs.conf does not have any UDP inputs.
check_instance_cfg_conf_black_list x x Check that app does not contain instance.cfg.conf. Apps should not configure server/instance specific settings.
check_introspection_of_cloud_filesystem x Check that app does not contain crawl.conf as it allows Splunk to introspect the filesystem which is not permitted in Splunk Cloud.
check_literals_conf_black_list x x Check that app does not contain literals.conf. Apps should not alter/override text strings displayed in Splunk Web.
check_lookups_white_list x Check that lookups/ contains only approved file types (.csv, .csv.default, .csv.gz, .csv.tgz, .kmz) or files formatted as valid csv.
check_messages_conf_black_list x x Check that app does not contain messages.conf. Apps should not alter/override messages/externalized strings.
check_metadata_white_list x x Check that the metadata/ directory only contains .meta files.
check_modular_inputs_scripts_exist_for_cloud x Check that there is a script file in bin/ for each modular input defined in README/inputs.conf.spec.
check_outputs_conf_black_list x Check that app does not contain outputs.conf as forwarding is not permitted in Splunk Cloud.
check_pubsub_conf_black_list x x Check that app does not contain pubsub.conf as it defines a custom client for the deployment server. Apps should leave deployment configuration up to Splunk administrators.
check_scripted_inputs_cmd_path_pattern x Check the cmd path pattern of scripted input defined in inputs.conf.
check_segmenters_conf_black_list x x Check that app does not contain segmenters.conf. A misconfigured segmenters.conf can result in unsearchable data that could only be addressed by re-indexing and segmenters.conf configuration is system-wide.
check_serverclass_conf_black_list x x Check that app does not contain serverclass.conf as it defines deployment server classes for use with deployment server. Apps should leave deployment configuration up to Splunk administrators.
check_serverclass_seed_xml_conf_black_list x x Check that app does not contain serverclass.seed.xml.conf as it configures deploymentClient to seed a Splunk installation with applications at startup time. Apps should leave deployment configuration up to Splunk administrators.
check_setup_xml_for_incorrect_password_rest_endpoint x Check that all passwords configured in setup.xml are stored in the storage/passwords endpoint. Documentation: http://docs.splunk.com/Documentation/Splunk/6.4.2/AdvancedDev/SetupExampleCredentials
check_source_classifier_conf_black_list x x Check that app does not contain source-classifier.conf.conf as it configures system-wide settings for ignoring terms (such as sensitive data).
check_sourcetypes_conf_black_list x x Check that app does not contain sourcetypes.conf as it is a machine-generated file that stores source type learning rules. props.conf should be used to define sourcetypes.
check_splunk_launch_conf_black_list x x Check that app does not contain splunk-launch.conf as it defines environment values used at startup time. System-wide environment variables should be left up to Splunk administrators.
check_static_directory_file_white_list x Check that the static/ directory contains only known file types.
check_telemetry_conf_black_list x x Check that app does not contain telemetry.conf as it controls a Splunk-internal feature that should not be configured by apps.
check_that_app_contains_any_windows_specific_components x Check that the app contains MS Windows specific components, which will not function correctly in Splunk Cloud whose OS should be Linux x64.
check_that_no_configurations_of_default_source_type_in_props_conf x x Check that the app does not contain configurations of default source types in props.conf, which would overwrite the configurations of default source types in system/default/props.conf and affect other apps in Splunk Enterprise/Cloud.
check_that_passwords_conf_not_exist x x Check that the app does not have default/passwords.conf; otherwise, issue a warning.
check_transforms_conf_for_external_cmd x Check that transforms.conf does not contain any transforms with an external_cmd=<string> attribute.
check_user_seed_conf_black_list x x Check that app does not contain user-seed.conf as it is used to preconfigure default login and password information.
check_wmi_conf_black_list x Check that app does not contain wmi.conf, as it is prohibited in Splunk Cloud due to its ability to configure Splunk to ingest data via Windows Management Instrumentation, which should be done via forwarder. Forwarders are not permitted in Splunk Cloud.

Configuration file standards

Ensure that all configuration files located in the /default folder are well formed and valid.

Check Name splunk_appinspect cloud Description
check_config_file_parsing x Check that all config files parse cleanly: no trailing whitespace after continuations, no duplicated stanzas or options.
check_manipulation_outside_of_app_container x x Check that app conf files do not point to files outside the app container. Because hard-coded paths won't work in Splunk Cloud, absolute paths are not checked.
check_no_default_stanzas x x Check that app does not contain any .conf files that create global definitions using the [default] stanza.
check_validate_no_duplicate_stanzas_in_conf_files x Check that no duplicate stanzas exist in .conf files.

Configurations that relate to running Splunk instances

When an app utilizes multiple configurations and deployment models, use the btool provided by Splunk to validate .conf files.

Check Name splunk_appinspect cloud Description
check_btool_standalone_results_for_appinspect x Check that any standalone application configurations are valid, using the Splunk btool command.
check_btool_standalone_results_for_cloud x Check that any standalone application configurations are valid, using the Splunk btool command.
disable_check_btool_cluster_results x x Check that any cluster application configurations are valid, using the Splunk btool command.

Custom search command structure and standards

Custom search commands are defined in a commands.conf file in the /default directory of the app. For more, see About writing custom search commands and commands.conf.

Check Name splunk_appinspect cloud Description
check_command_conf_exists x Check that commands.conf exists at default/commands.conf.
check_command_scripts_exist x Check that custom search commands have an executable or script per stanza.
check_default_meta_exists x Check that a valid default.meta file exists when using a custom search command.
check_ignored_parameters_v1_command x Check that the custom commands attributes maxwait and maxchunksize are only used when chunked = true. Commands.conf reference
check_ignored_parameters_v2_command x Check for ignored arguments in commands.conf when chunked=true. Commands.conf reference
check_passauth_and_enableheader x Check that custom search commands using passauth have enableheader set to true.
check_requires_preop_and_streaming_preop x Check that custom search commands using requires_preop have streaming_preop set to true.
check_requires_srinfo_and_enableheader x Check that custom search commands using requires_srinfo have enableheader set to true.

Custom visualizations support checks

Custom visualizations are defined in /default/visualizations.conf file. For more, see Custom visualization API reference.

Check Name splunk_appinspect cloud Description
check_for_default_values_for_modviz x Check the properties defined in the spec file README/savedsearches.conf.spec. If a property is defined in the spec file and no default value is provided for it in default/savedsearches.conf, this check fails.
check_for_formatter_html_bad_nodes x Check appserver/static/visualizations/<viz_name>/formatter.html for bad nodes that are removed by Splunk's .../search_mrsparkle/exposed/js/util/htmlcleaner.js when rendered.
check_for_formatter_html_comments x Check appserver/static/visualizations/<viz_name>/formatter.html for comments that are removed by Splunk's .../search_mrsparkle/exposed/js/util/htmlcleaner.js when rendered.
check_for_formatter_html_css_expressions x Check appserver/static/visualizations/<viz_name>/formatter.html for css expressions from all style tags that are replaced by Splunk's .../search_mrsparkle/exposed/js/util/htmlcleaner.js when rendered.
check_for_formatter_html_inappropriate_attributes x Check appserver/static/visualizations/<viz_name>/formatter.html for inappropriate attributes that are removed by Splunk's .../search_mrsparkle/exposed/js/util/htmlcleaner.js when rendered.
check_for_formatter_html_inline_style_attributes x Check appserver/static/visualizations/<viz_name>/formatter.html for inline style attributes from all style tags that are removed by Splunk's .../search_mrsparkle/exposed/js/util/htmlcleaner.js when rendered.
check_for_matching_stanza_visualization_directory x Check that each custom visualization stanza in default/visualizations.conf has a matching directory in the appserver/static/visualizations/ directory.
check_for_required_files_for_visualization x Check that each custom visualization stanza in default/visualizations.conf has some required source files in the appserver/static/visualizations/<visualization_name>/ directory.
check_for_visualizations_directory x Check that custom visualizations have an appserver/static/visualizations/ directory.
check_for_visualizations_preview_png x Check the required file appserver/static/visualizations/<viz_name>/preview.png exists for the visualization
check_that_visualizations_conf_has_matching_default_meta_stanza x Check that each stanza in default/visualizations.conf has a matching stanza in metadata/default.meta.

Custom workflow actions structure and standards

Custom workflow actions are defined in a workflow_actions.conf file in the /default directory of the app. For more, see About lookups and workflow_actions.conf.

Check Name splunk_appinspect cloud Description
check_required_stanza_fields_are_specified x Check that stanzas in workflow_actions.conf.spec have the required fields, type, and label.
check_workflow_actions_conf_exists x Check that a valid workflow_actions.conf file exists at default/workflow_actions.conf.
check_workflow_actions_link_uri_does_not_use_http_protocol x x Check that for each workflow action in workflow_actions.conf the link.uri property uses the https protocol for external links. Unencrypted http is permitted for internal links.

Data model files and configurations

Data models are defined in a datamodels.conf file in the /default directory of the app. For more, see About data models and datamodels.conf.

Check Name splunk_appinspect cloud Description
check_for_datamodel_acceleration x x Check that accelerated data models are not used. If data model acceleration is required, developers should provide directions in documentation for how to accelerate data models from within the Splunk Web GUI. For more, see data model acceleration.
check_validate_data_models_conf_file_in_correct_locations x Check that when using data models, the datamodels.conf file only exists in the default directory.
check_validate_no_missing_json_data x Check that each stanza in datamodels.conf has a matching JSON file in default/data/models/.

Directory structure standards

Ensure that the directories and files in the app adhere to hierarchy standards.

Check Name splunk_appinspect cloud Description
check_filenames_for_spaces x x Check that app has no .conf or dashboard filenames that contain spaces. Splunk software does not support such files.
check_for_local_meta x x Check that the file 'local.meta' does not exist. All metadata permissions should be set in 'default.meta'.
check_splunklib_dependency_under_bin_folder x x Check that the splunklib dependency is not placed under the app's bin folder. Please refer to https://dev.splunk.com/view/SP-CAAAER3 and https://dev.splunk.com/view/SP-CAAAEU2 for more details/examples.
check_that_app_name_config_is_valid x x Check that the app name does not start with digits
check_that_directory_name_matches_package_id x x Check that when decompressed the Splunk App directory name matches the app.conf [package] stanza's id property.
check_that_local_does_not_exist x x Check that the 'local' directory does not exist. All configuration should be in the 'default' directory.
check_that_local_passwords_conf_does_not_exist x Check that local/passwords.conf does not exist. Password files are not transferable between instances.

Documentation standards

Check Name splunk_appinspect cloud Description
check_archived_files x Check that any compressed archives within the main release that need extracting are explained in the app's documentation.
check_basic_readme x Check that the app has a <APP_DIR>/README file that includes version support, system requirements, installation, configuration, troubleshooting and running of the app, or a link to online documentation.
check_custom_commands x Check that use of custom commands is explained in the app's documentation.
check_dependencies x Check that prerequisites of the app are explained in the app's documentation. All prerequisites must be either packaged with your app, or be available on Splunkbase.
check_documentation_language x Check that documentation is in English.
check_documented_included_open_source x Check that all open source components used in developing the app are listed in the app's README files with the version number and a link to the project's website.
check_editing_and_proofreading x Check that documentation is free of major editing and proofreading (spelling, grammar, punctuation) issues.
check_outputs_documented x Check that forwarding enabled in 'outputs.conf' is explained in the app's documentation.
check_search_acceleration x Check that use of report acceleration, search acceleration, or summary indexing is explained in the app's documentation.

Dynamic checks for modular inputs

Modular inputs (https://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/ModInputsIntro) are configured via an inputs.conf.spec file located at README/inputs.conf.spec.

Check Name splunk_appinspect cloud Description
check_validate_modular_inputs_scheme x x Check that the modular input scheme arguments match the inputs.conf.spec file.
check_validate_modular_inputs_scheme_args x x Check that the modular input scheme arguments match the inputs.conf.spec file.

Dynamic checks for search exceptions

Check that app does not cause splunkd errors inside Splunk

Check Name splunk_appinspect cloud Description
check_for_splunkd_internal_error x x Check that app doesn't generate splunkd errors inside Splunk

Features impacted by Splunk Python 3 release.

The following features should not be supported in the Splunk Enterprise Python 3 release.

Check Name splunk_appinspect cloud Description
check_for_advanced_xml_module_elements x Check that there is no Advanced XML, which was deprecated in Splunk Enterprise 6.3.
check_for_cherry_py_custom_controller_web_conf_endpoints x Check for the existence of custom CherryPy endpoints, which must be upgraded to be Python 3-compatible for the upcoming Splunk Enterprise Python 3 release.
check_for_existence_of_python_code_block_in_mako_template x Check for the existence of Python code block in Mako templates, which must be upgraded to be Python 3-compatible for the upcoming Splunk Enterprise Python 3 release.
check_for_python_script_existence x Check for the existence of Python scripts, which must be upgraded to be cross-compatible with Python 2 and 3 for the upcoming Splunk Enterprise Python 3 release.
check_for_removed_m2crypto_usage x Check for the existence of the M2Crypto package usage, which will be removed in the upcoming Splunk Enterprise Python 3 release.
check_for_reserved_filename_test_py x Check that there is no file named test.py, which is a reserved filename.
check_for_splunk_web_legacy_mode x Check that Splunk Web is not in Legacy Mode, which was deprecated in Splunk Enterprise 6.4.

Indexes.conf file standards

Ensure that the index configuration file located in the /default folder is well formed and valid. For more, see indexes.conf.

Check Name splunk_appinspect cloud Description
check_index_definition_has_required_options x Check that all index definitions have all required options, including: homePath, coldPath, and thawedPath.
check_indexes_conf_does_not_exist x Check that the app does not create indexes.
check_indexes_conf_properties x Check that indexes.conf only contains the required 'homePath' , 'coldPath', and 'thawedPath' properties or the optional 'frozenTimePeriodInSecs', 'disabled', 'datatype' and 'repFactor' properties. All other properties are prohibited. This check is cloud only because indexes are not allowed via check_indexes_conf_does_not_exist.
check_validate_default_indexes_not_modified x x Check that no default Splunk indexes are modified by the app.

Intellectual property standards

Check Name splunk_appinspect cloud Description
check_splunk_logo x Check that use of the Splunk logo and name meets Splunk branding guidelines. Customers should avoid using logos that are similar to the Splunk logos including the splunk chevron. These are copyrighted items and should only be used by Splunk. Additionally apps built by 3rd parties should not have names starting with Splunk.

ITSI module file and folder structure verification

All ITSI modules should follow this file structure:

splunk_home/etc/apps/<module_folder>
  - appserver[d]
    - static
  - default[d]
    - data[d]
      - models[d]
      - ui[d]
        - panels[d]
        - views[d]
    - app.conf[f]
    - deep_dive_drilldowns.conf[f]
    - inputs.conf[f]
    - itsi_kpi_base_search.conf[f]
    - itsi_kpi_template.conf[f]
    - itsi_module_viz.conf[f]
    - itsi_service_template.conf[f]
    - savedsearches.conf[f]
  - metadata[d]
    - default.meta[f]

Test files should not be included with the package. For example, a directory such as /etc/apps/<module_folder>/test should not exist.

Check Name splunk_appinspect cloud Description
check_appserver_folder_exist Check that the appserver/ directory exists.
check_default_app_conf_file_exist Check that the default/app.conf file exists.
check_default_deep_dive_drilldowns_conf_file_exist Check that the default/deep_dive_drilldowns.conf file exists.
check_default_folder_exist Check that the default/ directory exists.
check_default_inputs_conf_file_exist Check that the default/inputs.conf file exists.
check_default_itsi_kpi_base_search_conf_file_exit Check that the default/itsi_kpi_base_search.conf file exists.
check_default_itsi_kpi_template_conf_file_exit Check that the default/itsi_kpi_template.conf file exists.
check_default_itsi_service_template_conf_file_exist Check that default/itsi_service_template.conf file exists.
check_default_savedsearches_conf_file_exit Check that the default/savedsearches.conf file exists.
check_metadata_folder_exist Check that the metadata/ directory exists.

Javascript file standards

Check Name splunk_appinspect cloud Description
check_for_console_log_injection_in_javascript x Check for any sensitive data leakage in the console log.
check_for_iframe_in_javascript x Check if the app contains a possible iframe in JavaScript files, templates or HTML pages.
check_for_insecure_http_request_in_javascript x Check if the app contains a possible insecure HTTP request in JavaScript files.
check_for_reflected_xss_in_javascript x Check for possible reflected XSS in JavaScript.
check_for_remote_code_execution_in_javascript x Check if the app contains possible remote code execution in JavaScript files.
check_for_stored_xss_in_javascript x Check for possible stored XSS in JavaScript.
check_for_udp_communication_in_javascript x Check if the app contains UDP communication in JavaScript files.
check_for_weak_encryption_and_hashing_in_javascript x x Check for any weak encryption in JavaScript.

JSON file standards

Check Name splunk_appinspect cloud Description
check_validate_json_data_is_well_formed x x Check that all JSON files are well formed.

Limits.conf file standards

Ensure that the /default/limits.conf file is omitted. When included in the app, the limits.conf file changes the limits that are placed on the system for hardware use and memory consumption, which is a task that should be handled by Splunk administrators and not by Splunk app developers. For more, see limits.conf.

Check Name splunk_appinspect cloud Description
check_limits_conf x x Check that default/limits.conf has not been included.

Lookup file standards

Lookups add fields from an external source to events based on the values of fields that are already present in those events.

Check Name splunk_appinspect cloud Description
check_lookup_csv_is_valid x Check that .csv files are not empty, have at least two columns, have headers with no more than 4096 characters, do not use Macintosh-style (\r) line endings, have the same number of columns in every row, and contain only UTF-8 characters.

Malware, viruses, malicious content, user security standards

Check Name splunk_appinspect cloud Description
check_authorization_credentials x Check that no plain text authorization credentials are stored in the app.
check_embedded_links x Check that embedded links included in the app are not malicious.
check_for_offensive_material x Check that the app does not include any offensive material.
check_hostnames_and_ips x x Check that no sensitive hostnames/IPs are stored in the app.

Malware/viruses, malicious content, user security standards

Check Name splunk_appinspect cloud Description
check_for_malicious_urls x x Check that the app does not include malicious urls.
check_for_viruses x x Check that the app does not include viruses.

Meta file standards

Ensure that all meta files located in the /metadata folder are well formed and valid.

Check Name splunk_appinspect cloud Description
check_meta_file_parsing x Check that all .meta files parse with no trailing whitespace after continuations with no duplicate stanzas or options.
check_validate_no_duplicate_stanzas_in_meta_files x Check that .meta files do not have duplicate stanzas.

Modular inputs structure and standards

Modular inputs are configured in an inputs.conf.spec file located in the /README directory of the app. For more, see Modular inputs overview, Modular inputs configuration, and Modular inputs basic example.

Check Name splunk_appinspect cloud Description
check_inputs_conf x Check that a valid inputs.conf.spec file is located in the README/ directory.
check_inputs_conf_spec_has_no_duplicate_properties x Check that modular input stanzas do not contain duplicate arguments.
check_inputs_conf_spec_has_no_duplicate_stanzas x Check that modular inputs do not have duplicate stanzas.
check_inputs_conf_spec_has_stanzas x Check that README/inputs.conf.spec contains stanzas.
check_inputs_conf_spec_stanza_args_broken_correctly x Check that line breaks are included in configuration when using a modular input.
check_inputs_conf_spec_stanzas_have_properties x Check that modular inputs specify arguments.
check_modular_inputs_scripts_exist x Check that there is a script file in bin/ for each modular input defined in README/inputs.conf.spec.

Operating system standards

Check Name splunk_appinspect cloud Description
check_destructive_commands x x Check for the use of malicious shell commands in configuration files or shell scripts to corrupt the OS or Splunk instance. Other scripting languages are covered by other checks.
check_fs_writes x Check that applications only write to the following directories: <SPLUNK_HOME>/etc/<APP_NAME>/local, <SPLUNK_HOME>/etc/<APP_NAME>/lookup, <SPLUNK_HOME>/var/log/<APP_NAME>/<LOG_NAME>.log, <SPLUNK_HOME>/var/log/<APP_NAME>.log, <SPLUNK_HOME>/var/run, and OS temporary directories.
check_hard_coded_paths x Check for hard-coded file paths in scripts that are relative to the author's local developer environment, or absolute paths.
check_user_privileges x Check that scripts are not trying to switch into other user accounts, create new users, or run sudo.

Outputs.conf file standards

Ensure that the outputs.conf file located in the /default folder of the app is well formed and valid. For more, see outputs.conf.

Check Name splunk_appinspect cloud Description
check_if_outputs_conf_exists x Check whether forwarding is enabled in 'outputs.conf'; if it is, the check fails in cloud.

Platform targets and claimed supported Splunk Enterprise versions

Check Name splunk_appinspect cloud Description
check_install_on_claimed_targets x Check that the app installs on all claimed target platforms.
check_setup_in_distributed_environment x x Check that the app can be set up on a distributed system after self-service. Warn if setup configures non-search-head features like inputs. This makes the app incompatible with distributed environments.
check_that_json_schema_is_applicable Warn if the JSON schema version in app.manifest is 2.0.0, because schema version 2.0.0 is not yet compatible with any version of Splunk Cloud. So far, all cloud stacks are 7.0 and lower, but JSON schema 2.0.0 is only compatible with Splunk 7.1+.

Post installation checks

Check Name splunk_appinspect cloud Description
check_for_index_creation x Check that indexes defined by the app are successfully created.

Props Configuration file standards

Ensure that all props.conf files located in the default (or local) folder are well formed and valid. For more, see props.conf (http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf) and transforms.conf.

Check Name splunk_appinspect cloud Description
check_props_conf_has_report_option_and_transforms_conf_exist x Check that there is a 'transforms.conf' file when REPORT- options are defined in props.conf.
check_props_conf_has_report_option_and_transforms_conf_has_matching_stanza x Check that each REPORT- in props.conf has an associated stanza in transforms.conf file.
check_props_conf_has_report_option_and_transforms_conf_has_required_option x Check that REPORT- options in props.conf, have either DELIMS or REGEX options in the matching transforms.conf stanza.
check_props_conf_has_transforms_option_and_transforms_conf_exist x Check that there is a 'transforms.conf' file when TRANSFORM- options are defined in props.conf.
check_props_conf_has_transforms_option_and_transforms_conf_has_matching_stanza x Check that TRANSFORM- options in props.conf have associated stanzas in transforms.conf file.
check_props_conf_regex_stanza_name_followed_by_double_colon x Check that the props.conf stanzas (delayedrule, host, rule, or source) are followed by ::. For example: [host::nyc*] and [rule::bar_some].

Python file standards

Check Name splunk_appinspect cloud Description
check_all_python_files_are_well_formed x x Check all python files are well formed under python2 standard
check_built_in_import_function x x Check that the python __import__ method is not used in a way that can be exploited (e.g., __import__(conf_setting) is at risk of code injection).
check_file_formats_module_IO x x Check for usages of python modules related to file formats
check_for_builtin_functions x x Check for builtin functions(open, eval, execfile, file) usages in python files
check_for_builtin_types x x Check for builtin types(file, memoryview, fileinput) usages in python files
check_for_circular_importing_in_python x x Check if circular importing exists in current app
check_for_compiled_python x x Check that there are no .pyc or .pyo files included in the app.
check_for_custom_python_interpreters x x Check if custom python interpreters could be used in malicious code execution
check_for_data_compression_and_archiving x x Check if data compression and archiving libraries could be used to read and write files outside of the app directory.
check_for_data_persistence x x Check for data persistence usage which could be used to invoke a marshal function call.
check_for_debugging_and_profiling x x Check if debugging library could be used to execute arbitrary commands
check_for_file_and_directory_access x x Check for possible file and directory access, they could be used in external file manipulation
check_for_generic_operating_system_services x x Check if generic operating system modules could be used to communicate with outside services, files or systems.
check_for_hidden_python_files x Check that there are no hidden python files included in the app.
check_for_importing_modules x x Check Python code for importing modules dynamically.
check_for_internet_protocols_and_support x x Check for the use of web server classes, which could be used to start an internal server in the current app.
check_for_interprocess_communication_and_networking x x Check if networking or file manipulation exists in interprocess module usage.
check_for_ms_windows_specific_services x x Check if MS Windows specific service modules could be used to execute dangerous windows platform commands
check_for_optional_operating_system_services x x Check for operating system features that are available on selected operating systems only.
check_for_plain_text_credentials_in_python x x Check for plain text credentials disclosure in Python files.
check_for_possible_threading x Check for the use of threading, and multiprocesses. Threading or process must be used with discretion and not negatively affect the Splunk installation as a whole.
check_for_program_frameworks x x Check if program frameworks could be used to interface with web part
check_for_python_multimedia_services x x Check if multimedia services module could be used to execute unknown-source multimedia files
check_for_python_runtime_services x x Check if python runtime services could be used to manipulate system python objects
check_for_python_udp_network_communications x x Check for UDP network communication
check_for_restricted_execution x x Check if restricted execution exists in the current app.
check_for_reverse_shell_and_backdoor x x Check if a possible reverse shell exists in Python code.
check_for_root_privilege_escalation x x Check possible root privilege escalation
check_for_unencrypted_network_communications x x Check that all network communications are encrypted
check_for_unix_questionable_commands x x Check for unix specific service usages
check_python_untrusted_xml_functions x x Check for untrusted xml usages in python libraries

REST endpoints and handler standards

REST endpoints are defined in a restmap.conf file in the /default directory of the app. For more, see restmap.conf.

Check Name splunk_appinspect cloud Description
check_rest_handler_scripts_exist x Check that each stanza in restmap.conf has a matching handler script. If not, fail this app.
check_rest_handler_scripts_exist_for_cloud x Check that each stanza in restmap.conf has a matching handler script. If not, throw a warning.
check_restmap_conf_exists x x Check that restmap.conf file exists at default/restmap.conf when using REST endpoints.

Saved search dynamic checks

Saved searches (http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/Aboutsavingandsharingreports) are defined in a savedsearches.conf file located at default/savedsearches.conf.

Check Name splunk_appinspect cloud Description
check_saved_searches_execute x Check that any saved searches in savedsearches.conf execute without errors.

Saved search standards

Saved searches are defined in a savedsearches.conf file located in the /default directory of the app. For more, see Save and share your reports and savedsearches.conf.

Check Name splunk_appinspect cloud Description
check_for_emails_in_saved_search x Check that email alerts (action.email.to) set in savedsearches.conf do not have a default value.
check_for_empty_saved_search_description x Check that default/savedsearches.conf has no description properties that are empty.
check_for_gratuitous_cron_scheduling x x Check that default/savedsearches.conf searches are cron scheduled reasonably. Less than five asterisks should be used.
check_for_real_time_saved_searches x Check that no real-time pre-index saved searches are being used in savedsearches.conf. Real-time per-index saved searches are extremely system intensive and should be avoided.
check_for_real_time_saved_searches_for_cloud x Check that no real-time pre-index saved searches are being used in savedsearches.conf. Real-time per-index saved searches are extremely system intensive and should be avoided.
check_for_sched_saved_searches_earliest_time x x Check that if a scheduled saved search in savedsearch.conf contains dispatch.earliest_time option, or if a scheduled saved search with auto summary enabled contains auto_summarize.dispatch.earliest_time option
check_for_sched_saved_searches_latest_time x x Check that if a savedsearch.conf stanza contains scheduling options it does contain a dispatch.latest_time
check_saved_search_conf_exists x Check that a savedsearches.conf file exists at default/savedsearches.conf.
check_saved_search_specifies_a_search x Check that saved searches have a search string specified.
check_saved_searches_are_not_disabled x Check that saved searches are enabled.

Security vulnerabilities

Check Name splunk_appinspect cloud Description
check_for_command_injection_through_env_vars x Check for command injection through environment variables.
check_for_environment_variable_use_in_python x x Check for environment variable manipulation and attempts to monitor sensitive environment variables.
check_for_insecure_http_calls_in_python x x Check for insecure HTTP calls in Python.
check_for_pexpect x Check for use of pexpect to ensure it is only controlling app processes.
check_for_secret_disclosure x x Check for passwords and secrets.
check_for_sensitive_info_in_url x x Check for sensitive information being exposed in transit via URL query string parameters
check_for_stacktrace_returned_to_user x Check that stack traces are not being returned to an end user.
check_for_vbs_command_injection x Check for command injection in VBS files.
check_symlink_outside_app x x Check that no symlink points to a file outside this app.

Server configuration file standards

Ensure that server.conf is well formed and valid. For detailed information about the server configuration file, see server.conf.

Check Name splunk_appinspect cloud Description
check_server_conf_only_contains_custom_conf_sync_stanzas_or_diag_stanza x Check that server.conf in an app is only allowed to contain: 1) conf_replication_include.<custom_conf_files> in [shclustering] stanza 2) or EXCLUDE-<class> property in [diag] stanza

Source code and binaries standards

Check Name splunk_appinspect cloud Description
check_for_bin_files x x Check that files outside of the bin/ and appserver/controllers directory do not have execute permissions and are not .exe files. Splunk recommends 644 for all app files outside of the bin/ directory, 644 for scripts within the bin/ directory that are invoked using an interpreter (e.g. python my_script.py or sh my_script.sh), and 755 for scripts within the bin/ directory that are invoked directly (e.g. ./my_script.sh or ./my_script).
check_for_executable_flag x x Check that files outside of the bin/ directory do not appear to be executable according to the Unix file command. From man file: files have a "magic number" stored in a particular place near the beginning of the file that tells the UNIX operating system that the file is a binary executable.
check_for_expansive_permissions x Check that no files have *nix write permissions for all users (xx2, xx6, xx7). Splunk recommends 644 for all app files outside of the bin/ directory, 644 for scripts within the bin/ directory that are invoked using an interpreter (e.g. python my_script.py or sh my_script.sh), and 755 for scripts within the bin/ directory that are invoked directly (e.g. ./my_script.sh or ./my_script). Since appinspect 1.6.1, check that no files have nt write permissions for all users.
check_for_hidden_files x x Check that there are no hidden files or directories.
check_for_urls_in_files x Check that URLs do not include redirect or requests from external web sites.
check_platform_specific_binaries x Check that documentation declares platform-specific binaries.
check_requires_adobe_flash x x Check that the app does not use Adobe Flash files.

Splunk app packaging standards

These checks validate that a Splunk app has been correctly packaged, and can be provided safely for package validation.

Check Name splunk_appinspect cloud Description
check_that_extracted_splunk_app_contains_default_app_conf_file x x Check that the extracted Splunk App contains a default/app.conf file.
check_that_extracted_splunk_app_contains_default_app_conf_file_with_valid_version_number x x Check that the extracted Splunk App contains a default/app.conf file that contains an [id] or [launcher] stanza with a version property that is formatted as Major.Minor.Revision.
check_that_extracted_splunk_app_does_not_contain_files_with_invalid_permissions x x Check that the extracted Splunk App does not contain any files with incorrect permissions. Files must have the owner's permissions include read and write (600).
check_that_extracted_splunk_app_does_not_contain_invalid_directories x x Check that the extracted Splunk App does not contain any directories with incorrect permissions. Directories and sub directories must have the owner's permissions set to r/w/x (700).
check_that_extracted_splunk_app_does_not_contain_prohibited_directories_or_files x x Check that the extracted Splunk App does not contain any directories or files that start with a ., or directories that start with __MACOSX.
check_that_splunk_app_package_does_not_contain_files_outside_of_app x x Check that the Splunk App package does not contain any non-app files. Files within a valid app folder or valid dependencies within a .dependencies folder are permitted, all other files are not.
check_that_splunk_app_package_extracts_to_visible_directory x x Check that the compressed artifact extracts to a directory that does not start with a . character.
check_that_splunk_app_package_has_read_permission x x Check that the Splunk app provided does not contain incorrect permissions. Packages must have the owner's read permission set to r (400).
check_that_splunk_app_package_has_valid_static_dependencies x x Check that the Splunk App package contains only valid dependencies. Dependencies are valid if a .dependencies directory contains only valid app packages inside.
check_that_splunk_app_package_name_does_not_start_with_period x x Check that the Splunk app provided does not start with a . character.
check_that_splunk_app_package_valid_compressed_file x x Check that the Splunk app provided a valid compressed file.
check_that_splunk_app_package_with_static_dependencies_has_app_manifest x x Check that the Splunk App package with a .dependencies directory also contains an app folder with an app.manifest.
check_that_splunk_app_package_with_static_dependencies_has_exactly_one_app_folder x x Check that the Splunk App package with a .dependencies directory also contains exactly one valid app folder.

Splunk Packaging Toolkit (SLIM) validation

This group uses slim to extend the cloud checks for improved auto-vetting.

Check Name splunk_appinspect cloud Description
check_custom_confs x x Check that non-standard config files are safe to install.
check_for_modular_inputs x x Check that inputs.conf.spec does not include modular inputs that perform management tasks.
check_for_nested_apps x x Check that nested apps do not exist as they are not valid for self-service install.
check_for_nested_archives x x Check that nested archives do not exist as they are not valid for self-service install.
check_for_scripted_inputs x x Check that inputs.conf does not include scripted inputs that perform management tasks.
check_that_app_passes_slim_validation_for_appinspect x Check that apps with app.manifest are valid or apps without an app.manifest can generate one.
check_that_app_passes_slim_validation_for_cloud x Check that apps with app.manifest are valid or apps without an app.manifest can generate one.
check_that_splunk_app_package_type_is_not_zip_type x Check that the provided app package is not .zip type for SSAI purpose

Support requirements

Check Name splunk_appinspect cloud Description
check_link_includes_contact_info x Check that the app's documentation lists contact information and level of support for the app. Any level of support is acceptable for developer supported apps, as long as it is clearly declared in documentation. Community supported apps must be open source with a public repository. For example: * Email support during weekday business hours (US, West Coast). * Phone support 24x7 @ +1 (555) 123-4567. * This is an open source project, no support provided, public repository available.

Transforms.conf file standards

Ensure that the transforms.conf file located in the /default folder is well formed and valid. For more, see transforms.conf.

Check Name splunk_appinspect cloud Description
check_all_lookups_are_used x Check that all files in the /lookups directory are referenced in transforms.conf.
check_capture_groups_in_transforms x Check that all capture groups are used in transforms.conf. Groups not used for capturing should use the non-capture group syntax

Web.conf File Standards

Ensure that web.conf is safe for cloud deployment and that any exposed patterns match endpoints defined by the app - apps should not expose endpoints other than their own. Including web.conf can have adverse impacts for cloud. Allow only [endpoint:*] and [expose:*] stanzas, with expose only containing pattern= and methods= properties. For more, see web.conf.

Check Name splunk_appinspect cloud Description
check_web_conf x x Check that web.conf only defines [endpoint:*] and [expose:*] stanzas, with [expose:*] only containing pattern= and methods=.
check_web_conf_expose_patterns_have_restmap_matches x Check that apps only expose web endpoints that are defined by the Splunk App within restmap.conf. Each web.conf [expose:*] stanza should have the property pattern= which defines a url pattern to expose. Each url pattern exposed should correspond to a stanza within restmap.conf with a url pattern defined with the match= property, or for the case of [admin:*] stanzas a combination of match= and members= properties.

XML file standards

Check Name splunk_appinspect cloud Description
check_that_all_xml_files_are_well_formed x x Check that all XML files are well-formed.
check_validate_no_embedded_javascript x x Check any XML files that embed JavaScript via CDATA for compliance with Splunk Cloud security policy.
check_validate_no_event_handler x Ensure that global event handlers are not used within XML files.

Deprecated features from Splunk Enterprise 5.0

The following features should not be supported in Splunk 5.0 or later.

Check Name splunk_appinspect cloud Description
check_deprecated_eventtype_autodiscovering x Check that app does not use findtypes command. This command was for eventtype auto-discovering, which is deprecated in Splunk 5.0.
check_for_savedsearches_used_in_eventtypes_conf x Check that saved searches are not used within event types. https://docs.splunk.com/Documentation/Splunk/5.0/ReleaseNotes/Deprecatedfeatures https://docs.splunk.com/Documentation/Splunk/7.2.5/Knowledge/Abouteventtypes

Deprecated features from Splunk Enterprise 6.0

The following features should not be supported in Splunk 6.0 or later.

Check Name splunk_appinspect cloud Description
check_crawl_conf_black_list x Check that the app does not contain crawl.conf, as it was deprecated and removed in Splunk.
check_for_viewstates_conf x Check that default/viewstates.conf does not exist in the app. (http://docs.splunk.com/Documentation/Splunk/6.0/AdvancedDev/Migration#Viewstates_are_no_longer_supported_in_simple_XML)

Deprecated features from Splunk Enterprise 6.1

The following features should not be supported in Splunk 6.1 or later.

Check Name splunk_appinspect cloud Description
check_for_datamodel_acceleration_endpoint_usage x Check that deprecated datamodel/acceleration is not used. https://docs.splunk.com/Documentation/Splunk/6.2.0/RESTREF/RESTknowledge

Deprecated features from Splunk Enterprise 6.2

The following features should not be supported in Splunk 6.2 or later. https://docs.splunk.com/Documentation/Splunk/6.2.0/ReleaseNotes/Deprecatedfeatures

Check Name splunk_appinspect cloud Description
check_for_dashboard_xml_list_element x Check Dashboard XML files for <list> element. <list> was deprecated in Splunk 6.2 and removed in Splunk 6.5.
check_for_earliest_time_and_latest_time_elements_in_dashboard_xml x Check for the deprecated <earliestTime> and <latestTime> elements in dashboard XML files. As of version 6.2 these elements are replaced by <earliest> and <latest> elements.
check_for_populating_search_element_in_dashboard_xml x Check for the deprecated <populatingSearch> and <populatingSavedSearch> elements in dashboard XML files. Use the <search> element instead.
check_for_simple_xml_row_grouping x Check for the deprecated grouping attribute of row node in Simple XML files. Use the <panel> node instead.

Deprecated features from Splunk Enterprise 6.3

The following features should not be supported in Splunk 6.3 or later. For more, see Deprecated features and Changes for Splunk App developers.

Check Name splunk_appinspect cloud Description
check_for_django_bindings x Check for use of Django bindings.
check_for_run_script_alert_action x Check for use of running a script in alert action
check_for_simple_xml_chart_element_with_deprecated_option_names x Check for Simple XML <chart> panels with deprecated options charting.axisLabelsY.majorTickSize or charting.axisLabelsY.majorLabelVisibility.
check_for_simple_xml_option_element_with_name_previewresults x Check for the deprecated in Simple XML files.
check_for_simple_xml_search_related_element x Check for the deprecated <searchTemplate>, <searchString>, <searchName>, and <searchPostProcess> element in Simple XML files. Use the <search> element instead.
check_for_simple_xml_seed_element x Check for the deprecated <seed> option in Simple XML forms. Use the <initialValue> element instead.

Deprecated features from Splunk Enterprise 6.4

The following features should not be supported in Splunk 6.4 or later. For more, see Deprecated features and Changes for Splunk App developers.

Check Name splunk_appinspect cloud Description
check_for_noninteger_height_option x Check that uses an integer for the value. Do not use .
check_for_simple_xml_single_element_with_deprecated_option_names x Check Simple XML files for <single> panels with deprecated options 'additionalClass', 'afterLabel', 'beforeLabel', 'classField', 'linkFields', 'linkSearch', 'linkView'
check_for_splunk_js_d3chartview x Checks that views are not importing d3chartview.
check_for_splunk_js_googlemapsview x Checks that views are not importing googlemapsview.
check_web_conf_for_simple_xml_force_flash_charting x Check that a web.conf does not use the property 'simple_xml_force_flash_charting'.
check_web_conf_for_simple_xml_module_render x Check that web.conf does not use the simple_xml_module_render property.

Deprecated features from Splunk Enterprise 6.5

The following features should not be supported in Splunk 6.5 or later. For more, see Deprecated features and Changes for Splunk App developers.

Check Name splunk_appinspect cloud Description
check_for_dashboard_xml_option_element_with_deprecated_attribute_value x Check Dashboard XML files for element with the deprecated option value "refresh.auto.interval" i.e.
check_for_splunk_js_header_and_footer_view x Checks that views are not importing splunkjs/mvc/headerview or splunkjs/mvc/footerview. These are replaced by LayoutView in Splunk 6.5. LayoutView is not backwards compatible with Splunk 6.4 or earlier. Only use LayoutView if you are only targeting Splunk 6.5 or above.

Deprecated features from Splunk Enterprise 7.1

The following features should not be supported in Splunk 7.1 or later. For more, see Deprecated features and Changes for Splunk App developers.

Check Name splunk_appinspect cloud Description
check_for_input_command_usage x Check deprecated input command usage.

Deprecated features from Splunk Enterprise 7.2

The following features should not be supported in Splunk 7.2 or later. For more, see Deprecated features and Changes for Splunk App developers.

Check Name splunk_appinspect cloud Description
check_for_deprecated_literals_conf x Check deprecated literals.conf existence.

Deprecated features from Splunk Enterprise 7.3

The following features should not be supported in Splunk 7.3 or later. For more, see Deprecated features and Changes for Splunk App developers.

Check Name splunk_appinspect cloud Description
check_for_tscollect_command_usage x Check deprecated tscollect command usage.

Deprecated or removed features from Splunk Enterprise 6.6

The following features should not be supported in Splunk 6.6 or later. For more, see Deprecated features and Changes for Splunk App developers.

Check Name splunk_appinspect cloud Description
check_for_app_install_endpoint x Check apps/appinstall usages
check_for_autolb_setting_in_outputs_conf x Check removed support for setting autoLB in outputs.conf
check_for_displayrownumbers_in_simple_xml x Check existence for displayRowNumbers option in simple xml. This option is no longer supported since Splunk 6.6.