What are apps and add-ons?

What are apps and add-ons?

Apps give you insight into your IT systems with dashboards, reports, data inputs and saved searches that work in your environment from the moment they install. Apps can include new views and dashboards, completely reconfiguring the way Splunk looks. Or, they can be as complex as an entirely new program using Splunk's REST API.

Add-ons let you tackle specific data problems directly. They are smaller, reusable components that can change the look and feel of Splunk, add data sources or share information between users. Add-ons can be as simple as a collection of one or more event type definitions and/or saved searches.

When you're using Splunk, you're almost always using an app; we typically refer to that as being "in" an app. The default app is the Search app.

What are apps and add-ons good for?

Apps and add-ons allow you to build different environments that sit on top of one Splunk instance. You can create separate interfaces for the different communities of Splunk users within your organization; one app for troubleshooting email servers, one for Web analysis, an add-on that connects a lookup table for the frontline support team to use, and so on. This way, everyone can use the same Splunk instance, but see only data and tools that are relevant to their interests.

What apps and add-ons are there?

The first time you install and log into Splunk, you'll see the app Launcher. This interface shows you the list of apps that have been preinstalled for you. By default, one of these apps is the Getting Started app. This app has been developed to introduce new users to Splunk's features. If you're new to Splunk, we recommend you check it out and give us your feedback!

Bypass the Launcher for a single user

If you do not want the Launcher displayed every time you log into Splunk, you can configure a default app to land in instead on a per-user basis:

• Create a file called user-prefs.conf in the user's local directory:

etc/users/<user>/user-prefs/local/user-prefs.conf

• Put the following line in the user-prefs.conf file:

default_namespace = search

For example:

• For the admin user the file would be in

etc/users/admin/user-prefs/local/user-prefs.conf

• For the test user, it would be in

etc/users/test/user-prefs/local/user-prefs.conf

Bypass the Launcher for all users

You can specify a default app for all users to land in when they log in.

For example, if you want the Search app to be the default globally, edit $SPLUNK_HOME/etc/apps/user-prefs/local/user-prefs.conf and specify:

default_namespace = search

Note: Users who do not have permission to access the Search app will see an error.

What else you get by default

Splunk also comes with the Search app and another app to support your OS by default.

• The Search app provides an interface that provides the core functionality of Splunk and is designed for general-purpose use. If you've used Splunk before, the Search app replaces the main Splunk Web functionality from earlier versions. In the Search app you see a search bar and a dashboard full of graphs. When you are in the Search app, you change the dashboard or view by selecting new ones from the Dashboards and Views drop-down menus in the upper left of the window.

• The OS-specific app (Splunk for Windows or Splunk for *NIX) provides dashboards and pre-built searches to help you get the most out of Splunk on your particular platform. They are disabled by default, but you can turn them on from the apps section of Splunk Manager.

If you want to change the app you're in, select a new one from the app drop-down menu at the top right:

You can also return to the Launcher and select another app from there.

Get more Apps

You can add other apps to the list of apps in the Launcher or in the Apps menu. For example, if the bulk of your data operations work involves tasks related to things like change management or PCI (Payment Card Industry) compliance, you'll be happy to know that Splunk has apps that specialize in helping you with them.

To find more apps to download, click the Browse More Apps tab in the Launcher.

How saving and sharing Splunk knowledge relates to apps

Splunk knowledge is things like saved searches, event types, tags--items that enrich your Splunk data and make it easier to find what you need. In Splunk, these knowledge items are also known as objects.

Any user logged into Splunk Web can create and save these objects to his/her user directory under the app he or she is "in" (assuming they have sufficient permissions). This is the default behavior--any time any user saves an object, it goes into that user's directory for that app.

Once the user has saved the object for that app, it is available to that user only when they are in that app, unless they do one of the following things (and have the correct permissions to do so):

• Share the object with other specific roles or users in that same app
• Promote the object so that it is available to all users who have access to that app
• Promote the object so that it is available globally to all apps (and users)

Read more about App architecture and object ownership in this manual.

• Was this topic useful?
• Post a comment