Apps and add-ons: an introduction
Apps and add-ons extend Splunk Enterprise with pre-built knowledge and new capabilities. Apps contain a user interface that you often customize according to the capabilities of the app and the needs of your users. Add-ons are smaller, reusable components much like an app, but do not contain a navigable UI. Apps can integrate with add-ons for advanced data collection.
Any member of the Splunk community can build an app or add-on and share it with other Splunk users, usually by uploading it to Splunkbase.
Before you build an app or add-on, it's a good idea to familiarize yourself with the Splunk app mental model. Splunk apps and add-ons are made of objects and configurations. Read on for a description of these data types, as well as information about app structure and the permissions system.
Why apps and add-ons?
Apps and add-ons let you construct and maintain different environments on top of one Splunk Enterprise instance. One instance can run multiple apps. This way, any number of different groups can use the same instance without running into each other.
For example, you can make an app for all your helpdesk employees and a different app for your marketing department. When a user in the helpdesk role logs into Splunk Enterprise, they see a customized environment that helps track support cases. When a user from the marketing group logs in, they see the business analytics app, where they can run reports on business trends and web activity. Meanwhile, the Splunk admin can maintain all the installed apps, as well as build and install apps.
You can build apps to create separate contexts for different groups of Splunk Enterprise users within an organization: one app for troubleshooting email servers, one app for analyzing business trends, and so on. This way, everyone uses the same Splunk Enterprise instance, but sees only data that is relevant to their interests. Some groups can access multiple apps while others may see only one. Apps are highly customizable, so you get to decide who sees what and how it works.
What is an app?
At a high level, you can think of an app as a workspace that solves a specific use case. An app can extend Splunk Enterprise with new navigable views that report on particular kinds of data, can provide tools for specific use cases and technology, and is often developed for a specialized user role. For example, a helpdesk app can contain customized views and dashboards to track and diagnose support cases. Apps can range in complexity from new views or dashboards to an entirely new program using the Splunk Enterprise REST API.
A single Splunk Enterprise instance typically contains several apps, such as the Search app provided with Splunk Enterprise, an OS app (such as *nix) downloaded from Splunkbase, and custom apps that you build.
Apps:
- Contain at least one navigable view.
- Can be opened from the Splunk Enterprise Home Page, from the App menu, or from the Apps section of Settings.
- Focus on aspects of your data.
- Are built around use cases.
- Support diverse user groups and roles.
- Run in tandem.
- Contain any number of configurations and knowledge objects.
- Are completely customizable, from front to back end.
What is an add-on?
An add-on is a reusable Splunk component much like an app, but does not contain a navigable view. You cannot open an add-on from the Splunk Enterprise Home Page or the App menu.
Add-ons can include any combination of custom configurations, scripts, data inputs, custom reports or views, and themes that can change the look and feel of Splunk Enterprise. A single add-on can be used in multiple apps, suites, or solutions.
What is in an app?
Apps are made up of knowledge objects and configuration, anything from custom UI to custom input scripts.
Use the Splunk app framework to make custom UIs for different users and use cases. The UI (Splunk Web) is completely customizable, so you can make small changes to a single page in Splunk Web or completely redesign the UI.
Change Splunk Web appearance
Build your own Splunk Web pages
There are several options for building your own custom pages for Splunk Web:
- Build a dashboard: Dashboards are useful for presenting visual summaries of various searches. Learn more about dashboards.
- Build a form search: Form searches let you restrict the search interface to present one or more search boxes with more complex searches running behind the scenes. There's more information at Introduction to forms.
- Build an advanced view: Advanced views give you view customization options in Splunk Web beyond what is available in simple XML syntax. Learn more about advanced views.
Customize your app further by collecting and managing specific types of data. Add knowledge to your data to support your users and use cases. Most of the configurations are now available through Splunk Web's Settings interface. Through Settings, you can:
- Add inputs and indexes to collect and store your data.
- Add knowledge through objects such as saved searches, reports and fields.
- Set permissions on apps and objects.
- Create and edit new views and navigation menus.
- Add users and roles and scope them to your app.
- And more.
Knowledge objects are all configurations within Splunk Enterprise that are permissionable and controlled using an access control layer. Knowledge objects include:
- Saved searches
- Event types
- Dashboards, form searches and other views
- Field extractions
- Search commands
To learn more about knowledge objects in general, see the Knowledge Manager manual. To learn more about how to use knowledge objects in your app, see Step 4: add objects. To learn more about setting permissions on objects, see Step 5: set permissions.
Configurations are global in scope and do not have permissions applied to them. All configurations are available at the system level. They can be managed through Manager and are only available to users with admin privileges. Configurations include:
- Distributed search
- Server settings (for example: host name, port, and other settings)
App directory structure
All apps live in a custom directory within $SPLUNK_HOME/etc/apps. Typically, you do most of your work within the Default/ directory and its subdirectories:
Put all the Splunk configuration files your app needs in Default. All apps must have an app.conf. Some may also contain savedsearches.conf, inputs.conf, or other relevant configuration files. Read more about configuration files in Step 3: add configurations.
Within the Default/ directory, there are more subdirectories for configuring the UI. These are contained within $SPLUNK_HOME/etc/apps/<App_name>/default/data/UI/, and include:
This directory contains only default.xml. Use this file to build navigation for your app.
The other subdirectories in your app are:
Add images, CSS or HTML to your app in the appserver/static directories within your app's directory. Use the static directory to store any Web resources your app requires, or if you're customizing Splunk Web.
Store any custom scripts for your app in the bin directory. For example, any search scripts you may write.
Developers don't configure anything within the local dir. It is there for app users and admins to overwrite any default configurations.
Local/ mimics the same structure as
Store app object permissions here in the local.meta or default.meta files. Learn more about these files in Step 5: set permissions.
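An added example, not part of the Splunk documentation: a review script that checks an app directory against the layout described above before the app is installed. It assumes the on-disk directory names are lowercase (default, local, bin) as in the path shown earlier, that the .meta files sit in a metadata directory, and that default.meta uses "access = read : [ ... ], write : [ ... ]" lines; the helpdesk app and its files are constructed sample data.

```python
import os
import re
import tempfile

def audit_app(app_dir):
    findings = []
    # Every app must have an app.conf in its default directory.
    if not os.path.isfile(os.path.join(app_dir, "default", "app.conf")):
        findings.append("missing default/app.conf")
    # local/ is for users and admins; a packaged app should not ship files there.
    local = os.path.join(app_dir, "local")
    if os.path.isdir(local) and os.listdir(local):
        findings.append("local/ is not empty: " + ", ".join(sorted(os.listdir(local))))
    # Scripts in bin/ run on the Splunk host, so list each one for code review.
    bin_dir = os.path.join(app_dir, "bin")
    if os.path.isdir(bin_dir):
        findings += ["review script: bin/" + n for n in sorted(os.listdir(bin_dir))]
    # Object permissions: flag stanzas that grant write access to every role.
    meta = os.path.join(app_dir, "metadata", "default.meta")
    if not os.path.isfile(meta):
        return findings + ["missing metadata/default.meta"]
    stanza = ""
    with open(meta) as fh:
        for line in map(str.strip, fh):
            if line.startswith("["):
                stanza = line
            elif re.match(r"access\s*=.*write\s*:\s*\[[^\]]*\*", line):
                findings.append("any role can write: " + stanza)
    return findings

def build_sample_app(root):
    # Constructed sample app (hypothetical name "helpdesk") with three issues.
    app = os.path.join(root, "helpdesk")
    files = {
        "default/app.conf": "[ui]\nlabel = Helpdesk\n",
        "local/savedsearches.conf": "[Open cases]\nsearch = index=helpdesk\n",
        "bin/poll_tickets.py": "print('constructed placeholder')\n",
        "metadata/default.meta": "[]\naccess = read : [ * ], write : [ admin ]\n"
                                 "[views]\naccess = read : [ * ], write : [ * ]\n",
    }
    for rel, body in files.items():
        path = os.path.join(app, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return app

if __name__ == "__main__":
    print("\n".join(audit_app(build_sample_app(tempfile.mkdtemp()))))
```

The same function can be pointed at an unpacked app downloaded from Splunkbase or built in-house; an empty findings list means the layout matches what this page describes and no object is writable by all roles.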
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11