Now that you've designed, implemented, and tested the main part of your app and have a good understanding of what your app needs to run, you're ready to perform some final setup activities before your app can be distributed to the general public. These include providing a setup UI for configuring the elements of your app that aren't known until runtime, making sure your app has a look-and-feel consistent with other Splunk Enterprise apps, and preparing your app for distribution.

Packaging your app

One of the last tasks you'll need to do before publishing your app is to define the Splunk Web navigation scheme. This includes ordering all the panels you've implemented and specifying menu options. After you've built views for your app, specify how to arrange them in the navigation bar in Splunk Web. You can customize this navigation to work however you want, using the instructions below. Specify the order to display your views and which menu you want to display them in. The details of how to do this are described in "Step 6: Build navigation for your app" in the Splunk app building tutorial.

As the tutorial mentions, app navigation is defined in the $SPLUNK_HOME/etc/apps/<app_name>/default/data/ui/nav/default.xml file. A RelaxNG schema is defined for the navigation XML that you can view by selecting the nav RelaxNG link on the Deployment Services page for your Splunk Enterprise instance, at http://<host>:8000/info.

Deployment Services page

Choose an installation method

You'll need to consider the possible options for installing your app's different components. Consider that the different parts might run on different hardware and that all components might not be installed at the same time, such as when only a single component of your app needs to be upgraded. The following table lists the options for installing Splunk Enterprise app components, including an estimation of the degree of difficulty of a particular approach. The approach you choose depends on your particular environment, your app complexity, and your requirements for reuse and extensibility.

Type of Installer Characteristics Ease of Development Ease of Installation

Internal installer





The main app contains information about all dependencies and installs components the first time the app is run, if they are not already installed.




A standalone installer app installs all app components and redirects to the main app when installation is complete.



External installer





An external installer installs the app components, such as a script.



Manual bulk installer





A compressed file (.zip) containing all components extracts all of the components into the /etc directory of all targets.



Manual per-dependency installer





The documentation describes how to get each app component and how to install the component on a particular target.




The main app detects if dependent apps have been installed correctly and prompts you to manually install each dependent component that is missing.



Deployment server





In a distributed Splunk Enterprise environment, deployment server distributes apps and their configuration to deployment clients.



Configuration management system





If you build a continuous deployment/delivery pipeline (with tools like Chef, Puppet, or Ansible), you can define plugins, modules, and recipes for deploying and upgrading your app's .tar files to the designated Splunk leaf nodes.



Other packaging recommendations to ensure a clean app installation include:

  • Removing any hidden files in the app, such as OS X .DS_Store files.
  • Disable inputs by default in the inputs.conf file, if they're not needed.
  • Remove any files in the $SPLUNK_HOME/etc/apps/<app>/local or $SPLUNK_HOME/etc/apps/<app>/metadata/local.meta directories.
  • Remove lookup directory files that are not static, such as generated saved searches files that are specific to the environment.
  • Ensure all XML files are valid. (See how to use the Splunk Enterprise XML validation tool.)
  • Include any third-party software licenses for libraries you might have used.

Set up the app for first run

Most apps need to be set up when they are first run to initialize user-configurable app parameters. These parameters are global in scope and need to be specified to get the app to work the first time. They usually relate to different runtime environments or custom usage requirements that are not known until the app is installed. If your app has these kinds of parameters, the app should provide a setup panel that permits the user to modify configurable settings without having to edit configuration (.conf) files.

The setup panel is implemented using the Splunk Enterprise REST API to access configuration parameters. You can use existing REST endpoints, but you can also define custom endpoints for your app. The configuration parameters can be stored in either .conf files or by using the app key value store.

When initial setup is complete, the app should be ready to run, but users should be able to return to the setup panel at any time to change the configuration parameters as needed.

You can find detailed information about how to implement a set up panel in "Step 7: Configure a setup screen" in the Splunk app building tutorial.

Additional setup activities and cautions that can make your app easier to install and use include:

  • Include a README.txt file in the root directory of your application with basic instructions.
  • Include detailed instructions on a dashboard within the application.
  • Encrypt passwords, and warn the user not to store passwords anywhere in cleartext.

The application name, version, ID, and other housekeeping information are stored in the app.conf file. The value for the ID in app.conf must match your app folder name in $SPLUNK_HOME/etc/apps, and cannot be changed. The version value can include trailing text, such as "beta."

Read Step 8: Package your app or add-on in the Splunk app building tutorial to learn more about how to package your app for distribution.

You must follow certain naming conventions, as described in Naming conventions for apps and add-ons on Splunkbase.

Now that you've fully implemented your app and made it ready for distribution, don't forget to test it one more time on a clean system.

Publishing your app

You can make your app available to everyone in the Splunk community by publishing it on Splunkbase, or distribute the app directly to your customers. You can even redirect users to your own hosting site by simply listing your app on Splunkbase without hosting it there. You can show off anything you have done to make Splunk Enterprise easier or more universal--not just views, dashboards, and saved searches, but also modular inputs, field extractions, workflow actions, lookups, custom alert actions, event types, and more. Just place your work in a dedicated directory, make sure everything is clean of personally identifiable information (such as internal server names), and works outside your unique environment (Test your app!). Then add or update your app.conf file, icon, and screenshot to show off your extension in Launcher.

BUSConsider submitting your finished app for Splunk app certification. Certified app developers receive more prominent positioning on Splunkbase, prerelease builds of new versions of Splunk Enterprise, and lists of contact information for users who have downloaded an app (and opted in to have their information released). Learn more in the App Certification documentation.

Splunkbase home page

You might also consider uploading your app code to GitHub to open source your work and reap the benefits of community collaboration.

BUSTo manage your app on Splunkbase, add /edit to the URL of your app on Splunkbase. There you can hide and share versions, update release notes and manage editors for your app. To upload a new version, go to Remember to bump the version number in app.conf as Splunkbase will not accept another submission with the same version number.

BUSOnce published, you can see usage stats by adding /stats to the URL of your app on Splunkbase. The analytics view gives you not only the number of app downloads and distribution by app versions, Splunk Enterprise versions, OS versions and geographic regions. It also provides an important metric of active installments.

Splunkbase analytics page