Splunk® Enterprise

Developing Views and Apps for Splunk Web


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk.

Apps and add-ons: an introduction

Apps and add-ons extend Splunk Enterprise with pre-built knowledge and new capabilities. Apps contain a user interface that you often customize according to the capabilities of the app and the needs of your users. Add-ons are smaller, reusable components much like an app, but do not contain a navigable UI. Apps can integrate with add-ons for advanced data collection.

Any member of the Splunk community can build an app or add-on and share it with other Splunk users, usually by uploading it to Splunkbase.

Before you build an app or add-on, it's a good idea to familiarize yourself with the Splunk app mental model. Splunk apps and add-ons are made of objects and configurations. Read on for a description of these data types, as well as information about app structure and the permissions system.

Why apps and add-ons?

Apps and add-ons let you construct and maintain different environments on top of one Splunk Enterprise instance. One instance can run multiple apps. This way, any number of different groups can use the same instance without running into each other.

For example, you can make an app for all your helpdesk employees and a different app for your marketing department. When a user in the helpdesk role logs into Splunk Enterprise, they see a customized environment that helps track support cases. When a user from the marketing group logs in, they see the business analytics app, where they can run reports on business trends and web activity. Meanwhile, the Splunk admin can maintain all the installed apps, as well as build and install apps.

You can build apps to create separate contexts for different groups of Splunk Enterprise users within an organization: one app for troubleshooting email servers, one app for analyzing business trends, and so on. This way, everyone uses the same Splunk Enterprise instance, but sees only data that is relevant to their interests. Some groups can access multiple apps while others may see only one. Apps are highly customizable, so you get to decide who sees what and how it works.

What is an app?

At a high level, you can think of an app as a workspace that solves a specific use case. An app can extend Splunk Enterprise with new navigable views that report on particular kinds of data, can provide tools for specific use cases and technology, and is often developed for a specialized user role. For example, a helpdesk app can contain customized views and dashboards to track and diagnose support cases. Apps can range in complexity from new views or dashboards to an entirely new program using the Splunk Enterprise REST API.

A single Splunk Enterprise instance typically contains several apps, such as the Search app provided with Splunk Enterprise, an OS app (such as *nix) downloaded from Splunkbase, and custom apps that you build.


Apps:

  • Contain at least one navigable view.
  • Can be opened from the Splunk Enterprise Home Page, from the App menu, or from the Apps section of Settings.
  • Focus on aspects of your data.
  • Are built around use cases.
  • Support diverse user groups and roles.
  • Run in tandem.
  • Contain any number of configurations and knowledge objects.
  • Are completely customizable, from front to back end.
  • Can include Web assets, such as HTML, CSS and JavaScript.

What is an add-on?

An add-on is a reusable Splunk component much like an app, but does not contain a navigable view. You cannot open an add-on from the Splunk Enterprise Home Page or the App menu.

Add-ons can include any combination of custom configurations, scripts, data inputs, custom reports or views, and themes that can change the look and feel of Splunk Enterprise. A single add-on can be used in multiple apps, suites, or solutions.

What is in an app?

Apps are made up of knowledge objects and configuration, anything from custom UI to custom input scripts.

Customizable UI

Use the Splunk app framework to make custom UIs for different users and use cases. The UI (Splunk Web) is completely customizable, so you can make small changes to a single page in Splunk Web or completely redesign the UI.

Change Splunk Web appearance

Change everything from the menu layout to background images, and build your own custom HTML and JavaScript into your app. Learn more about what you can do with customization options.

Build your own Splunk Web pages

There are several options for building your own custom pages for Splunk Web:

  • Build a dashboard: Dashboards are useful for presenting visual summaries of various searches. Learn more about dashboards.
  • Build a form search: Form searches let you restrict the search interface to present one or more search boxes with more complex searches running behind the scenes. There's more information at Introduction to forms.
  • Build an advanced view: Advanced views give you view customization options in Splunk Web beyond what is available in simple XML syntax. Learn more about advanced views.

Customizable back-end

Customize your app further by collecting and managing specific types of data. Add knowledge to your data to support your users and use cases. Most of the configurations are now available through Splunk Web's Settings interface. Through Settings, you can:

  • Add inputs and indexes to collect and store your data.
  • Add knowledge through objects such as saved searches, reports and fields.
  • Set permissions on apps and objects.
  • Create and edit new views and navigation menus.
  • Add users and roles and scope them to your app.
  • And more.

Knowledge objects

Knowledge objects are the configurations within Splunk Enterprise that can have permissions set on them and are controlled using an access control layer. Knowledge objects include:

  • Saved searches
  • Event types
  • Dashboards, form searches and other views
  • Fields
  • Tags
  • Apps
  • Field extractions
  • Lookups
  • Search commands

To learn more about knowledge objects in general, see the Knowledge Manager manual. To learn more about how to use knowledge objects in your app, see Step 4: add objects. To learn more about setting permissions on objects, see Step 5: set permissions.


Configurations

Configurations are global in scope and do not have permissions applied to them. All configurations are available at the system level. They can be managed through Manager and are only available to users with admin privileges. Configurations include:

  • Users
  • Roles
  • Authentication
  • Distributed search
  • Inputs
  • Outputs
  • Deployment
  • License
  • Server settings (for example: host name, port, and other settings)

To learn more about configurations in general, see the Splunk Admin Manual. To learn more about how to use configurations in your app, see Step 3: add configurations.

App directory structure

All apps live in a custom directory within $SPLUNK_HOME/etc/apps. Typically, you do most of your work within the default/ directory and its subdirectories:

  • default/

Put all the Splunk configuration files your app needs in default/. All apps must have an app.conf. Some may also contain savedsearches.conf, inputs.conf, or other relevant configuration files. Read more about configuration files in Step 3: add configurations.

Within the default/ directory, there are more subdirectories for configuring the UI. These are contained within $SPLUNK_HOME/etc/apps/<App_name>/default/data/ui/, and include:

  • nav/

This directory contains only default.xml. Use this file to build navigation for your app.

  • views/

Put all the views you create in this directory. Use views to build dashboards, form searches and other advanced views.

The other subdirectories in your app are:

  • appserver/

Add images, CSS or HTML to your app in the appserver/static directories within your app's directory. Use the static directory to store any Web resources your app requires, or if you're customizing Splunk Web.

  • bin/

Store any custom scripts for your app in the bin directory, for example, any search scripts you write.

  • local/

Developers don't configure anything within the local/ directory. It is there for app users and admins to override any default configurations. local/ mirrors the structure of default/.

  • metadata/

Store app object permissions here in the local.meta or default.meta files. Learn more about these files in Step 5: set permissions.
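
The directory layout described above can be checked mechanically before an app is packaged or installed. The following Python sketch is an added example, not part of the Splunk documentation or of any Splunk tool; the function names `audit_app` and `build_sample_app`, the severity labels and the sample files are assumptions made for illustration, and on-disk directory names are taken to be lowercase.

```python
import os
import tempfile

def audit_app(app_dir):
    """Return (severity, message) findings for one app directory."""
    findings = []
    def exists(*parts):
        return os.path.exists(os.path.join(app_dir, *parts))
    def files_under(*parts):
        root = os.path.join(app_dir, *parts)  # a missing directory yields no files
        return sorted(os.path.relpath(os.path.join(d, f), root)
                      for d, _, names in os.walk(root) for f in names)
    # Every app must carry default/app.conf.
    if not exists("default", "app.conf"):
        findings.append(("error", "default/app.conf is missing"))
    # local/ belongs to users and admins; anything present there
    # takes effect over the developer's default/ settings.
    for rel in files_under("local"):
        effect = "overrides default/" + rel if exists("default", rel) else "adds " + rel
        findings.append(("warn", "local/%s present, %s" % (rel, effect)))
    # nav/ is expected to hold default.xml and nothing else.
    for rel in files_under("default", "data", "ui", "nav"):
        if rel != "default.xml":
            findings.append(("warn", "unexpected file in nav/: " + rel))
    # Object permissions live in metadata/default.meta or local.meta.
    if not (exists("metadata", "default.meta") or exists("metadata", "local.meta")):
        findings.append(("info", "no object permissions file in metadata/"))
    # Custom scripts in bin/ deserve a manual read before installation.
    for rel in files_under("bin"):
        findings.append(("review", "script bin/" + rel))
    return findings

def build_sample_app(root):
    """Write a constructed sample app (not a real app) under root."""
    layout = {
        "default/savedsearches.conf": "[Errors last hour]\nsearch = error\n",
        "local/savedsearches.conf": "[Errors last hour]\nsearch = *\n",
        "default/data/ui/nav/default.xml": "<nav/>\n",
        "bin/poll_db.py": "print('poll')\n",
    }
    for rel, body in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for severity, message in audit_app(build_sample_app(tmp)):
            print("%-6s %s" % (severity, message))
```

The constructed sample deliberately omits app.conf and ships a local/ file so that each kind of finding appears once.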

Last modified on 18 August, 2016

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11
