Splunk® Enterprise

Admin Manual

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk.

What are apps and add-ons?

Apps offer specialized insight into your IT systems with pre-configured dashboards, reports, data inputs, and saved searches. Apps can include new views and dashboards that completely reconfigure the way Splunk looks. Or, they can be as complex as an entirely new program using Splunk's REST API. More specifically, an app is a self-service, out-of-the-box extension that has its own UI context and which can be selected from the App list that appears at the upper right-hand corner of Splunk Web.

Add-ons let you tackle specific data problems directly. They are smaller, reusable components that can change the look and feel of Splunk, add data sources, or share information between users. Add-ons can be as simple as a collection of one or more event type definitions or saved searches. Unlike apps, add-ons have no GUI component; they don't show up in the Home list or in the Apps menu in Splunk Web.

When you're using Splunk, you're almost always using an app; we typically refer to that as being "in" an app. The default app is the Search app.

What are apps and add-ons good for?

Apps and add-ons allow you to build different environments that sit on top of a single Splunk instance. You can create separate interfaces for the different communities of Splunk users within your organization: one app for troubleshooting email servers, another for Web analysis, an add-on that connects a lookup table for the frontline support team to use, and so on. This way, everyone can use the same Splunk instance, but see only data and tools that are relevant to their interests.

What apps and add-ons are there?

The first time you install and log into Splunk, you'll land in Splunk Home. There are two tabs at the top of the page: Welcome and Splunk Home. To see your installed apps, click on Splunk Home.

This interface shows you the list of apps that have been preinstalled for you. By default, one of these apps is the Getting Started app. This app has been developed to introduce new users to Splunk's features. If you're new to Splunk, we recommend you check it out and give us your feedback!

Bypass Splunk Home for a single user

If you do not want Splunk Home displayed every time you log into Splunk, you can configure a default app to land in. This can be done on a per-user basis. For example, to make the Search app the default landing app for a user:

1. Create a file called user-prefs.conf in the user's local directory:

  • For the admin user the file would be in:
  • For the test user, it would be in:

2. Put the following line in the user-prefs.conf file:

  default_namespace = search 

Bypass Splunk Home for all users

You can specify a default app for all users to land in when they log in. For example, if you want the Search app to be the global default, edit $SPLUNK_HOME/etc/apps/user-prefs/local/user-prefs.conf and specify:

  default_namespace = search 

Note: Users who do not have permission to access the Search app will see an error.

What you get by default

Besides the Getting Started app, Splunk comes with the Search app. The Search app interface provides the core functionality of Splunk and is designed for general-purpose use. If you've used Splunk before, the Search app replaces the main Splunk Web functionality from earlier versions. In the Search app you see a search bar and a dashboard full of graphs. When you are in the Search app, you change the dashboard or view by selecting new ones from the Dashboards and Views drop-down menus in the upper left of the window.

If you want to change the app you're in, select a new one from the App drop-down menu at the top right.

You can return to Splunk Home later and select another app from there.

Get more apps

You can download a variety of other apps. For example, if the bulk of your data operations work involves tasks related to things like change management or PCI (Payment Card Industry) compliance, you'll be happy to know that Splunk has apps designed specifically for those application areas.

Of particular value, you can download an OS-specific app (Splunk for Windows or Splunk for *NIX). These apps provide dashboards and pre-built searches to help you get the most out of Splunk on your particular platform.

To find more apps, click the Find More Apps button under the Splunk Home tab. For more information, see "Where to get more apps and add-ons".

Use Splunk Web to manage apps

You can use Splunk Manager in Splunk Web to create, download, and manage apps. Select Manager > Apps.

From this page, you can:

  • Download, install, or create apps.
  • Set permissions on installed apps.
  • Launch apps or edit their properties.
  • View objects associated with an app.

How saving and sharing Splunk knowledge relates to apps

Splunk knowledge includes objects like saved searches, event types, tags -- items that enrich your Splunk data and make it easier to find what you need. In Splunk, these are known as knowledge objects.

Any user logged into Splunk Web can create and save knowledge objects to the user's directory under the app the user's "in" (assuming sufficient permissions). This is the default behavior -- whenever a user saves an object, it goes into the user's directory in the currently running app.

Once the user has saved the object in a particular app, it is available to the user only in that app, unless they do one of the following things (and have the correct permissions to do so):

  • Share the object with other specific roles or users in that same app
  • Promote the object so that it is available to all users who have access to that app
  • Promote the object so that it is available globally to all apps (and users)

Read more about App architecture and object ownership in this manual.
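
The three sharing levels listed above can be checked from an app's permission metadata. The following is an added example, not part of the Splunk manual: it assumes the app's metadata/local.meta file records access and export settings per object, with [] defaults overridden by [type] and then [type/object] stanzas (a file layout this page does not describe), and it runs on a constructed sample.

```python
import re

# Constructed sample of an app's metadata/local.meta (assumed layout, not from this page).
SAMPLE_META = """\
[]
access = read : [ * ], write : [ admin ]
export = none
[savedsearches/Failed%20logins]
access = read : [ secops ], write : [ secops ]
[eventtypes/auth_failure]
export = system
[tags]
access = read : [ admin, secops ], write : [ admin ]
[tags/host%3Ddb01]
owner = admin
[views/ops_overview]
owner = admin
"""

def parse_meta(text):
    """Parse .meta text into {stanza_name: {key: value}}."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def audit(text):
    """Map each object to (scope, read_roles): 'global', 'app-wide' or 'roles'."""
    stanzas, report = parse_meta(text), {}
    # [] and [type] stanzas only supply defaults, so report object stanzas only.
    for name in (n for n in stanzas if "/" in n):
        eff = {}
        for level in ("", name.split("/")[0], name):  # least to most specific
            eff.update(stanzas.get(level, {}))
        m = re.search(r"read\s*:\s*\[([^\]]*)\]", eff.get("access", ""))
        roles = [r.strip() for r in m.group(1).split(",") if r.strip()] if m else []
        # export = system -> visible from every app; read [ * ] -> every role in this app
        scope = ("global" if eff.get("export") == "system"
                 else "app-wide" if "*" in roles else "roles")
        report[name] = (scope, roles)
    return report

if __name__ == "__main__":
    for obj, (scope, roles) in audit(SAMPLE_META).items():
        print(f"{scope:9} {obj}  read={roles}")
```

Objects reported as global or app-wide are the ones to review first when an app should expose its searches or event types to specific roles only.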

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18
