Splunk apps and add-ons: what & why?

Splunk apps allow developers to extend the data ingestion and processing capabilities of Splunk Enterprise for your specific needs. Apps let end users complete domain-specific tasks more efficiently.

High-level perspective

A Splunk app is a prebuilt collection of additional capabilities, packaged for a specific technology or set of use cases, that makes Splunk Enterprise more effective to use. You can use Splunk apps to gain the specific insights you need from your machine data.

Depending on the type and complexity of those use cases, and on whether the developer wants certain parts of the app to be configured or distributed separately (potentially by a third party), an app may rely on one or more add-ons.

An add-on is a technical component that can be reused across a number of different use cases and packaged with one or more Splunk apps. An add-on may contain one or more knowledge objects, each encapsulating a specific piece of functionality focused on a single concern and its configuration. Using add-ons should reduce the technical risk and cost of building an app.

Many add-ons provide data ingestion capabilities; in other words, they feed data into Splunk Enterprise.

Architecture note: Feeding data via a data provider isn't always required, because many data sources are easily captured with a file or network input, or through another app such as DB Connect.

If pre-parsing is required (for example, for large XML files), or a modular input is needed (for example, for data pulled from an API), the add-on is the place for that work. Every such add-on should also provide the field extractions, lookups, and event types needed to map its data to the Common Information Model (CIM). This lets customers use the new data source immediately in data models, pivots, and CIM-based apps such as Enterprise Security.

Other add-ons extend the Splunk Enterprise platform more generally. They can consist of custom search commands, macros, custom REST endpoints, custom alert actions, or reusable JavaScript or Python libraries.

Apps and add-ons can be combined into a comprehensive solution.

You can also apply user- and role-based permissions and access controls to Splunk apps and add-ons, which gives you a level of control when deploying and sharing apps across your organization. Note that these controls are enforced by Splunk for access through Splunk Web and the REST API; anyone with file-system access to $SPLUNK_HOME/etc/apps can read the .conf files directly, so do not store secrets there in plain text.

The apps and add-ons that Splunk partners provide enrich the overall Splunk Enterprise platform.

As a solution evolves and supports an ever larger set of capabilities, it can itself become a chassis on which new apps are built. An example of such a chassis is Splunk Enterprise Security.

Low-level technical perspective

When you want to extend Splunk Enterprise with new functionality, such as new types of data visualizations or support for consuming new types of data sources, you configure Splunk Enterprise with these extensions by adding knowledge objects. Knowledge objects are collected and packaged together in modular units called apps. For simple extensions of Splunk Enterprise, it is sufficient to put all objects into the same app. However, it is sometimes convenient or necessary to partition the knowledge objects across multiple apps.

For example, if you have a distributed Splunk Enterprise deployment, the knowledge objects related to data ingestion need to be deployed on Splunk Enterprise instances in the forwarder role. The knowledge objects related to dashboards need to be deployed on the Splunk Enterprise instances in the search head role. Therefore, it is convenient to package the objects into two apps, one for the forwarder and one for the search head.

Another example of why you would want to decompose your knowledge objects into separate apps is to enable plugin-like functionality. Consider an app that displays flight traffic information from multiple flight traffic systems. A primary app could be written to look for subordinate apps, each of which provides support for a specific flight traffic system.

When partitioning knowledge objects into various apps in the preceding fashion, you end up with several different apps, as shown in the figure above. The primary app is often just called the app by customers because it is the one most visible to them, and the other apps are sometimes called add-ons because they are not generally visible. In this sense an app can serve the role of an app or an add-on when talking to customers.

Physically, knowledge objects are declared and configured in .conf files on the file system. These .conf files are organized in a particular directory layout that forms an app. App directories are deployed to an individual Splunk Enterprise instance under $SPLUNK_HOME/etc/apps.

Because Splunk Enterprise is a data platform, a very common type of add-on is one that provides access to new data sources.

Architecture note: In the PAS Reference app (see Journey) we call this type of add-on a data provider.

These must specify an API for communicating with other apps. This API takes a different form than in many other kinds of development, in that it does not consist of classes and functions. Instead, the API takes the form of the code that ingests data in a well-defined format that can be queried by searches in other apps. This kind of API is sometimes called a data API. In Splunk terms, the contract is the sourcetype the provider emits, the fields it extracts, and the CIM event types and tags it attaches, and consumers should search on those rather than on the raw format.
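The following is an added example (not code from the Splunk developer guide or the PAS Reference app) that makes the preceding points concrete: the .conf directory layout under $SPLUNK_HOME/etc/apps, the split into a data-provider add-on and a consuming app, the CIM field extractions, event type and tags that form the add-on's data API, and the metadata that exports and permissions those objects. It also includes a small contract check that scans the consuming app's saved searches and reports any CIM field or tag the add-on fails to provide. The app names, the sourcetype acme:firewall, the log line and the field names are hypothetical; the stanza and key names are standard Splunk Enterprise .conf syntax.

```python
"""Added example (not the Splunk developer guide's or the PAS Reference app's code):
a data-provider add-on and the app that consumes it, laid out as Splunk .conf text,
with a check that the add-on's CIM "data API" covers what the app searches for.
The app names, sourcetype acme:firewall and log format are hypothetical; the stanza
and key names are standard Splunk Enterprise .conf syntax."""
import re
from pathlib import Path

# One constructed log line that the add-on's extraction is written against.
SAMPLE_EVENT = ("2024-05-01T12:00:00+0000 src_ip=10.0.0.5 dst_ip=203.0.113.9 "
                "dst_port=443 act=allow proto=tcp")

# Add-on: ingestion (forwarder), parsing and CIM mapping (search head), permissions.
TA_FILES = {
    "default/app.conf": "[install]\nstate = enabled\n\n[ui]\nis_visible = false\n"
                        "label = ACME Firewall Add-on\n\n[package]\nid = TA-acme-firewall\n",
    "default/inputs.conf": "[monitor:///var/log/acme-firewall/*.log]\n"
                           "sourcetype = acme:firewall\nindex = firewall\n",
    "default/props.conf": r"""[acme:firewall]
SHOULD_LINEMERGE = false
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
MAX_TIMESTAMP_LOOKAHEAD = 24
EXTRACT-acme = src_ip=(?<src_ip>\S+)\s+dst_ip=(?<dst_ip>\S+)\s+dst_port=(?<dst_port>\d+)\s+act=(?<act>\S+)\s+proto=(?<proto>\S+)
FIELDALIAS-cim = src_ip AS src dst_ip AS dest dst_port AS dest_port proto AS transport
EVAL-action = if(act=="allow", "allowed", "blocked")
""",
    "default/eventtypes.conf": "[acme_firewall_traffic]\nsearch = sourcetype=acme:firewall\n",
    # The CIM Network Traffic data model selects events tagged both network and communicate.
    "default/tags.conf": "[eventtype=acme_firewall_traffic]\nnetwork = enabled\ncommunicate = enabled\n",
    # export = system publishes these knowledge objects to every app; without it the
    # consuming app (or Enterprise Security) would not see the extractions at all.
    "metadata/default.meta": "[]\naccess = read : [ * ], write : [ admin ]\nexport = system\n",
}

# Consuming app (search head only). It references only CIM tags and field names,
# never the sourcetype or raw names like src_ip, so another provider could replace this one.
APP_FILES = {
    "default/app.conf": "[install]\nstate = enabled\n\n[ui]\nis_visible = true\n"
                        "label = ACME Firewall Overview\n\n[package]\nid = acme_firewall_app\n",
    "default/savedsearches.conf": "[Blocked connections by source]\nsearch = tag=network "
                                  "tag=communicate action=blocked | stats count by src, dest_port\n"
                                  "dispatch.earliest_time = -24h\n",
}


def write_apps(splunk_home: str) -> dict:
    """Materialise both apps under $SPLUNK_HOME/etc/apps; returns app name -> files written."""
    written = {}
    for app, files in (("TA-acme-firewall", TA_FILES), ("acme_firewall_app", APP_FILES)):
        base = Path(splunk_home) / "etc" / "apps" / app
        for rel, text in files.items():
            (base / rel).parent.mkdir(parents=True, exist_ok=True)
            (base / rel).write_text(text)
        written[app] = sorted(files)
    return written


def provided_fields(props: str) -> set:
    """Fields the add-on produces: EXTRACT named groups, FIELDALIAS targets, EVAL names."""
    fields = set(re.findall(r"\(\?<(\w+)>", props))
    for rhs in re.findall(r"^FIELDALIAS-\S+\s*=\s*(.+)$", props, re.M):
        fields.update(new for _old, new in re.findall(r"(\w+)\s+AS\s+(\w+)", rhs))
    fields.update(re.findall(r"^EVAL-(\w+)\s*=", props, re.M))
    return fields


def provided_tags(tags: str) -> set:
    return set(re.findall(r"^(\w+)\s*=\s*enabled$", tags, re.M))


def required_by_searches(savedsearches: str) -> tuple:
    """(fields, tags) the consuming app's saved searches depend on; a simple SPL scan."""
    fields, tags = set(), set()
    for spl in re.findall(r"^search\s*=\s*(.+)$", savedsearches, re.M):
        tags.update(re.findall(r"\btag=(\w+)", spl))
        fields.update(f for f in re.findall(r"\b(\w+)=", spl) if f != "tag")
        for by_clause in re.findall(r"\bby\s+([\w, ]+)", spl):
            fields.update(x.strip() for x in by_clause.split(",") if x.strip())
    return fields, tags


def contract_gaps(ta_files: dict, app_files: dict) -> dict:
    """Fields and tags the app needs but the add-on does not provide (empty = API satisfied)."""
    need_fields, need_tags = required_by_searches(app_files["default/savedsearches.conf"])
    return {"fields": need_fields - provided_fields(ta_files["default/props.conf"]),
            "tags": need_tags - provided_tags(ta_files["default/tags.conf"])}


def sample_extracts(event: str = SAMPLE_EVENT) -> dict:
    """Run the add-on's EXTRACT regex over an event. Splunk's PCRE accepts (?<name>...);
    Python's re needs (?P<name>...), hence the rewrite before compiling."""
    rx = re.search(r"^EXTRACT-\w+\s*=\s*(.+)$", TA_FILES["default/props.conf"], re.M).group(1)
    m = re.search(rx.replace("(?<", "(?P<"), event)
    return m.groupdict() if m else {}
```

Calling write_apps("/tmp/splunk") produces /tmp/splunk/etc/apps/TA-acme-firewall and /tmp/splunk/etc/apps/acme_firewall_app in the layout Splunk expects; sample_extracts() shows the raw fields pulled from the sample line, and contract_gaps(TA_FILES, APP_FILES) returns empty sets because every field and tag the saved search uses (src, dest_port, action, network, communicate) is produced by the add-on. Change the saved search to reference a field the add-on never emits and the check names it, which is the kind of test worth running in CI whenever either side of a data API changes.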

Developer note: APIs always have to be well-defined in order to work, but ideally they should be documented as well.

Why build Splunk apps? 

Building Splunk apps, add-ons, and solutions and contributing to the larger community of Splunk partners and developers has a number of benefits, including:

Driving your business

Listing apps and add-ons on Splunkbase exposes your business to thousands of Splunk Enterprise customers worldwide. Even though there are hundreds of apps available now, there are countless technologies, data sources, use cases, and industry verticals still to address.

You can offer your Splunk app with a freemium model, upselling customers on features and functionality for direct revenue opportunities. Offering Splunk apps and add-ons can generate license revenue or service revenue if you are a Splunk reseller/partner.

Contributing to a large, growing community

Become part of the growing Splunk ecosystem and interact with developers around the world who are using the Splunk Enterprise platform to build new, innovative data solutions. Connect with other Splunk Enterprise developers online at Splunk Answers and the Splunk IRC channel (#splunk on EFNET), and catch up with Splunk Enterprise developers in person at local meetups, developer conferences and our flagship conference, .conf.

Building valuable skills

Learning to build Splunk apps and add-ons exposes you to a rich landscape of software development and IT concepts that will add to your development skill set. Working with the Splunk Enterprise platform involves web development, backend development, APIs, networking concepts, Big Data concepts, OS skills, statistics, math, and more.

Perspective of a System Integrator, Conducive Consulting

Building a Splunk app is a great way to:

  • Engage business users in the process of designing and building a solution that is user friendly and not dependent on the IT team after it is deployed.
  • Demonstrate the power of Splunk Enterprise as a platform and flexible framework for creating specific solutions within any industry.
  • Better understand the flexibility that Splunk Enterprise offers to convert raw data from disparate sources into valuable business information and operational intelligence.
  • Integrate and extend the power of Splunk Enterprise beyond the IT Operations department into virtually any area of the business.
  • Showcase the ability of Splunk Enterprise to communicate complex data in a visually intuitive manner, making the information valuable and usable to the business user.
  • Leverage the Splunk Enterprise framework and app ecosystem to reduce costs as compared to building a stand-alone application.

App certification

Splunk offers optional free certification for apps and add-ons created by developers in our community. During certification Splunk performs a review of your source code for security vulnerabilities and examines it to ensure it conforms to Splunk development recommended practices. This gives your users the additional confidence of knowing that Splunk has reviewed your code.

Business note: Certified apps not only get special recognition on Splunkbase; your team could also receive access to pre-release builds of Splunk Enterprise (contingent on having an NDA in place).

Refer to the App certification criteria for details on requirements for certification.