Splunk Cloud Platform

Splunk Cloud Platform Admin Manual

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of SplunkCloud. Click here for the latest version.
Acrobat logo Download topic as PDF

Manage private apps in your Splunk Cloud deployment

Private apps are Splunk apps that are private to your Splunk Cloud deployment. These apps are not publicly available on Splunkbase. Like all Splunk apps, private apps must be approved by Splunk to be installed on your Splunk Cloud deployment. Splunk uses the validation tool AppInspect to determine if apps comply with the security requirements of Splunk Cloud. For information about AppInspect, see Splunk Appinspect tool on the Splunk developer portal.

In Splunk Cloud deployments, you can use Splunk App Management to manage and install private apps. You must be a Splunk Cloud administrator to manage and install private apps in your Splunk Cloud deployment.

Create a private app



  1. Create an app that conforms to Splunk app standards and requirements.
  2. Make sure the app package does not have any static dependencies, because only dynamic dependencies are supported.
  3. Package the app as a .tgz, .spl, or .gz file. Limit the package size to 128MB.
  4. Run the app through AppInspect and make sure it passes all app validation checks.

The file is ready to be installed on your Splunk Cloud deployment. You can install and manage your private app yourself.

Upload and manage private apps in Splunk Cloud deployments

In a Splunk Cloud deployment, you can upload, install, update, and view reports for your private apps.

Upload a private app

  1. In Splunk Web, click the Apps gear.
  2. Click the Uploaded Apps tab.
  3. Click Upload App.
  4. Enter your splunk.com credentials. These credentials are used to authenticate with AppInspect.
  5. Select the consent check box and click Login.
  6. Select the private app package that you created.
  7. Click Upload.

This uploaded package is private to your Splunk Cloud deployment. It is stored in your Splunk Cloud deployment and not on Splunkbase.

When the package is uploaded successfully, it appears in the table on the Uploaded Apps page. The app name and version appear only when the package passes all AppInspect checks and is approved. This screen image shows the Uploaded Apps view with several private apps listed, showing the different possible statuses of those apps: approved, installed, rejected, vetting, and app validation failed to complete.

The Uploaded Apps table provides the following information:

Column Description
App If the package is approved, the app name is displayed.
If the package is not approved, the file name of the uploaded package is displayed.
Status Displays the status of the package in the validation process.
For details, see the next section, Status.
Actions Shows what actions you can take on the package.
Date Submitted Shows when the package was uploaded.
Version If the package is approved, the app version is displayed.
If the package is not approved, N/A is displayed.


Based on the result of the app validation process, status can be one of the following:

  • Vetting – Package is in the validation process.
  • Approved – Package has passed all AppInspect checks and is ready to be installed.
  • Installed – Package is installed on your Splunk Cloud deployment.
  • Rejected – Package did not pass AppInspect checks. This means that either some checks failed, or some manual checks were detected that must be reviewed by the Splunk AppInspect team. Click View Report to see which checks failed.
  • Failed message – Package validation did not complete due to some issues, for example, issues with the AppInspect service. Click More Info to find out why the package failed validation.

Install a private app

  1. Use the Uploaded Apps table to verify that the status of your package is Approved. Your package must be approved before you can install it.
  2. Click Install to install your private app.
  3. Click the Apps tab to see that your private app is listed in the Apps table. You can also see that the value for App Origin is Uploaded.

Update a private app

  1. If you are installing an earlier version, uninstall the currently installed app.
  2. Upload your private app.
  3. Verify that the app status is Approved in the Uploaded Apps table.
  4. Click Install to install an earlier version. Click Update to replace an installed app with a later version.
  5. Go to the Apps tab to see that the later version of your private app is listed in the Apps table.

View Report of a private app

  1. Click View Report to see the AppInspect report for your package.
  2. Use this report to find out why AppInspect rejected the package.
  3. Make the required changes to the package and try uploading again.

Configuration file reload triggers in app.conf

Splunk apps can contain a combination of Splunk Enterprise core configuration files and custom configuration files, such as those created by app developers for both private apps and public apps on Splunkbase. Whether these configuration files reload when you install an app or make configuration changes, depends on reload trigger settings in app.conf.

Many Splunk Enterprise core configuration files reload by default on app installation or when configuration updates occur. These files have a reload setting under the [triggers] stanza in $SPLUNK_HOME/etc/system/default/app.conf, which causes them to reload automatically.

A custom configuration file is by definition any configuration file that does not have a corresponding .spec file in $SPLUNK_HOME/etc/system/README. This includes custom configuration files found in third party apps, for example aws_settings.conf, service_now.conf, eventgen.conf, and so on.

All custom configuration files reload by default, unless the file has a custom reload trigger in app.conf. For example, in the Splunk Security Essentials app, app.conf contains the following custom reload trigger: reload.ssenav = http_get /SSEResetLocalNav. When you install an app or update configurations for an app that includes one or more custom reload triggers, Splunk software honors those custom reload trigger settings. If a custom reload trigger in app.conf fails, a rolling restart occurs instead. If a custom configuration file does not have a reload trigger specified in app.conf then that configuration file is ignored and no restart occurs.

For detailed information on how to configure reload trigger settings for configuration files, see app.conf in the Admin Manual.

For more information on restart vs. reload behavior of Splunk Enterprise core configuration files, see Restart or reload after configuration bundle push? in the Splunk Enterprise documentation.

Stanza-level reload triggers for inputs.conf

Stanza-level reload triggers enable the reload of only those specific configuration file stanzas that change when a configuration update occurs. This lets admins perform more efficient configuration updates based on which stanzas in the configuration file will change.

Stanza-level reload currently applies to a subset of stanzas in inputs.conf only. Any inputs.conf stanza that has a reload.<conf_file_name>.<conf_stanza_prefix> entry under the [triggers] stanza in app.conf will reload when changes are made to the specified stanza. Changes made to any inputs.conf stanzas that are not specified in a stanza-level reload entry will trigger a rolling restart.

Stanza-level reload for inputs.conf applies only when pushing changes to the configuration bundle in the indexer clustering context.

The following stanzas are reloadable in inputs.conf:

.conf file name stanza prefix Reload or restart
inputs.conf http reload
inputs.conf script reload
inputs.conf monitor reload
inputs.conf <modular_input> reload
inputs.conf batch reload

For detailed information on stanza-level reload triggers, see app.conf. in the Splunk Enterprise documentation.

Disable reload triggers in app.conf

You can disable both .conf-level reload triggers and stanza-level reload triggers by specifying the value never for any reload trigger entry in app.conf. Any reload trigger entry with a value of never will trigger a rolling restart when configuration changes occur. This can be useful if for any reason you want a specific configuration change to trigger a rolling restart.

For more information on configuring reload triggers, see app.conf. in the Splunk Enterprise documentation.

For a listing of restart vs. reload behavior of frequently used apps and configuration files in Splunk Cloud, see Restart vs. reload behavior of common apps and .conf files.

Last modified on 11 August, 2021
Install apps on your Splunk Cloud Platform deployment
Manage a rolling restart in Splunk Cloud

This documentation applies to the following versions of Splunk Cloud Platform: 8.0.2007, 8.1.2009, 8.1.2011

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters