Splunk Cloud

Splunk Cloud User Manual


Manage private apps in your Splunk Cloud deployment

Private apps are Splunk apps that are private to your Splunk Cloud deployment. These apps are not publicly available on Splunkbase. Like all Splunk apps, private apps must be approved by Splunk to be installed on your Splunk Cloud deployment. Splunk uses the validation tool AppInspect to determine if apps comply with the security requirements of Splunk Cloud. For information about AppInspect, see Splunk Appinspect tool on the Splunk developer portal.

In Splunk Cloud deployments, you can use Splunk App Management to manage and install private apps. You must be a Splunk Cloud administrator to manage and install private apps in your Splunk Cloud deployment.

Create a private app

Prerequisites

Steps

  1. Create an app that conforms to Splunk app standards and requirements.
  2. Make sure the app package does not have any static dependencies, because only dynamic dependencies are supported.
  3. Package the app as a .tgz, .spl, .zip or .gz file. Keep the package size limited to 128MB.
  4. Run the app through AppInspect and make sure it passes all app validation checks.

The file is ready to be installed on your Splunk Cloud deployment. You install and manage your private app yourself.

Install private apps on Splunk Cloud

In Splunk Cloud version 8.2101, there are two different app installation workflows that can appear in Splunk Web: one workflow that runs app validation automatically when you upload your app, and another that requires you to run app validation manually before you upload your app. The app installation workflow available to you in Splunk Web depends on the type of indexer tier assigned to your Splunk Cloud deployment.

To install a private app on Splunk Cloud, follow the instructions that apply to your deployment:

For more information on indexer tier assignments, contact your Splunk Cloud representative.

Install a private app with automated app vetting

You can upload and install your private app on Splunk Cloud using the Upload App workflow in Splunk Web. This workflow automatically runs your app through AppInspect validation checks. It also lets you update your app and view reports that detail issues found during the app validation process.

Upload and install a private app

To upload, validate, and install your app:

  1. In Splunk Web, click the Apps gear.
  2. Click Uploaded Apps > Upload App.
  3. Enter your splunk.com credentials. Splunk Cloud uses these credentials to authenticate your AppInspect app validation.
  4. Select the consent check box and click Login.
  5. Select your private app package and click Upload.
    If your app uploads successfully, it appears on the Uploaded Apps page. Splunk Cloud automatically runs your app through AppInspect validation to confirm that your app meets Splunk Cloud requirements. The app validation status appears in the Uploaded Apps table. For more information, see App validation status.

    This screen image shows the Uploaded Apps view with several private apps listed, showing the different possible statuses of those apps: approved, installed, rejected, vetting, and app validation failed to complete.

  6. In the Uploaded Apps table, check the app validation status. Your app must pass all AppInspect checks and be approved before you can install it.
  7. Click Install.
  8. Click the Apps tab to confirm that your private app is now listed in the Apps table. You can also see that the value for App Origin is Uploaded.
  9. This uploaded package is private to your Splunk Cloud deployment. It is stored in your Splunk Cloud deployment and not on Splunkbase.

App validation status

Based on the results of the app validation process, status can be one of the following:

  • Vetting – Package is in the validation process.
  • Approved – Package has passed all AppInspect checks or you have chosen to acknowledge the Splunk General Terms regarding potential impact of known issues and proceeded to allow installation.
  • Installed – Package is installed on your Splunk Cloud deployment.
  • Rejected – Package did not pass AppInspect checks. Issues must be addressed before installation in Splunk Cloud. Click View Report to see failures or issues.
  • Failed message – Package validation did not complete due to some issues, for example, issues with the AppInspect service. Click More Info to find out why the package failed validation.

Update a private app

  1. If you are installing an earlier version, uninstall the currently installed app.
  2. Upload your private app.
  3. Verify that the app status is Approved in the Uploaded Apps table.
  4. Click Install to install an earlier version. Click Update to replace an installed app with a later version.
  5. Go to the Apps tab to see that the later version of your private app is listed in the Apps table.

View report of a private app

To view the AppInspect report for your app:

  1. Click View Report.
  2. Review the details of the report to determine why AppInspect rejected the package.
  3. Fix the issues specified in the report and upload your app again.

Install a private app with manual app vetting

Some Splunk Cloud deployments require you to validate your private apps manually before installation. These deployments let you install your apps using the Install from file workflow on the Apps page in Splunk Web. If your deployment requires you to validate your private apps manually before installation, follow these steps:

  1. Validate your private app manually using Splunk AppInspect.
  2. Upload and install your app on Splunk Cloud.

Step 1. Validate your private app manually using Splunk AppInspect

Validate that your app meets Splunk Cloud requirements using the Splunk AppInspect API. When validating your app you must specify the private_app tag in your request. For example:

curl -X POST \
    -H "Authorization: bearer <token>" \
    -H "Cache-Control: no-cache" \
    -F "app_package=@\"/path/to/splunk/app.tgz\"" \
    -F "included_tags=private_app" \
    --url "https://appinspect.splunk.com/v1/app/validate"

For complete instructions on how to validate your app using the AppInspect API, see Run Splunk AppInspect requests through the API.

Step 2. Upload and install your private app on Splunk Cloud

After you validate your app using Splunk AppInspect, upload and install your app on Splunk Cloud as follows:

  1. In Splunk Web, click the Apps gear.
  2. Click Install app from file.
  3. Specify the same username and password that you provided when validating your app with AppInspect. Splunk Cloud uses these credentials to authenticate your AppInspect app validation.
  4. Before you can upload your app, you must validate the app, if you have not already done so. See Step 1. Validate your app using AppInspect.
  5. Click Choose File. Select your private app package and click Upload.
  6. Click Acknowledged to acknowledge Splunk's private app installation terms.
  7. Click Install.

Configuration file reload triggers in app.conf

Splunk apps can contain a combination of Splunk Enterprise core configuration files and custom configuration files, such as those created by app developers for both private apps and public apps on Splunkbase. Whether these configuration files reload when you install an app or make configuration changes depends on reload trigger settings in app.conf.

Many Splunk Enterprise core configuration files reload by default on app installation or when configuration updates occur. These files have a reload setting under the [triggers] stanza in $SPLUNK_HOME/etc/system/default/app.conf, which causes them to reload automatically.

A custom configuration file is by definition any configuration file that does not have a corresponding .spec file in $SPLUNK_HOME/etc/system/README. This includes custom configuration files found in third party apps, such as aws_settings.conf, service_now.conf, eventgen.conf, and so on.

All custom configuration files reload by default, unless the file has a custom reload trigger in app.conf. For example, in the Splunk Security Essentials app, app.conf contains the following custom reload trigger: reload.ssenav = http_get /SSEResetLocalNav. When you install an app or update configurations for an app that has a custom reload trigger in app.conf, Splunk software tries to honor the custom reload trigger setting. If the custom reload trigger fails, then a rolling restart occurs.

If a custom configuration file does not have a reload trigger specified in app.conf, the default behavior is to restart for unknown configs. If a restart is not required, you can set the conf level trigger in app.conf to reload.<conf_file_name> = simple.

For detailed information on how to configure reload trigger settings for configuration files, see app.conf in the Admin Manual.

For more information on restart vs. reload behavior of Splunk Enterprise core configuration files, see Restart or reload after configuration bundle push? in the Splunk Enterprise documentation.

Stanza-level reload triggers for inputs.conf

Stanza-level reload triggers enable the reload of only those specific configuration file stanzas that change when a configuration update occurs. This lets admins perform more efficient configuration updates based on which stanzas in the configuration file will change.

Stanza-level reload currently applies to a subset of stanzas in inputs.conf only. Any inputs.conf stanza that has a reload.<conf_file_name>.<conf_stanza_prefix> entry under the [triggers] stanza in app.conf will reload when changes are made to the specified stanza. Changes made to any inputs.conf stanzas that are not specified in a stanza-level reload entry will trigger a rolling restart.

Stanza-level reload for inputs.conf applies only when pushing changes to the configuration bundle in the indexer clustering context.

The following stanzas are reloadable in inputs.conf:

.conf file name    Stanza prefix       Reload or restart
inputs.conf        http                reload
inputs.conf        script              reload
inputs.conf        monitor             reload
inputs.conf        <modular_input>     reload
inputs.conf        batch               reload

For detailed information on stanza-level reload triggers, see app.conf in the Splunk Enterprise documentation.

Disable reload triggers in app.conf

You can disable both .conf-level reload triggers and stanza-level reload triggers by specifying the value never for any reload trigger entry in app.conf. Any reload trigger entry with a value of never will trigger a rolling restart when configuration changes occur. This can be useful if for any reason you want a specific configuration change to trigger a rolling restart.

For more information on configuring reload triggers, see app.conf in the Splunk Enterprise documentation.

For a listing of restart vs. reload behavior of frequently used apps and configuration files in Splunk Cloud, see Restart vs. reload behavior of common apps and .conf files.
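
The following Python sketch is an added example, not part of the Splunk documentation or Splunk's own tooling. It reads the [triggers] stanza of an app.conf before upload and reports, using the rules described in the sections above, which entries reload, which force a rolling restart, and which .conf files have no conf-level entry. The sample app.conf and the names my_settings, my_license, classify_triggers and unlisted_conf_files are constructed for illustration; only reload.ssenav comes from this page.

```python
import configparser
import os

# Constructed sample app.conf; only the reload.ssenav line is taken from the page.
SAMPLE_APP_CONF = """
[triggers]
reload.ssenav = http_get /SSEResetLocalNav
reload.my_settings = simple
reload.my_license = never
reload.inputs.monitor = simple
reload.inputs.script = never
"""

def classify_triggers(app_conf_text):
    """Map each reload.* key in [triggers] to (scope, effect on a config change)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(app_conf_text)
    result = {}
    if not cp.has_section("triggers"):
        return result
    for key, value in cp.items("triggers"):
        if not key.startswith("reload."):
            continue
        # reload.<conf_file_name>[.<conf_stanza_prefix>]
        scope = "stanza" if len(key.split(".", 2)) == 3 else "conf"
        value = value.strip()
        if value == "never":
            effect = "rolling restart"   # trigger disabled on purpose
        elif value == "simple":
            effect = "reload"
        else:
            effect = "custom reload, rolling restart if it fails"
        result[key] = (scope, effect)
    return result

def unlisted_conf_files(app_conf_text, conf_files):
    """Return the .conf files that have no conf-level reload entry."""
    listed = {key.split(".")[1]
              for key, (scope, _) in classify_triggers(app_conf_text).items()
              if scope == "conf"}
    return [f for f in conf_files if os.path.splitext(f)[0] not in listed]

if __name__ == "__main__":
    for key, (scope, effect) in classify_triggers(SAMPLE_APP_CONF).items():
        print(f"{key:26} {scope:7} {effect}")
    print("no conf-level entry:",
          unlisted_conf_files(SAMPLE_APP_CONF, ["my_settings.conf", "eventgen.conf"]))
```

Files reported as having no conf-level entry fall back to the default behavior described above, so review them before pushing a change during business hours.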

Last modified on 29 April, 2021

This documentation applies to the following versions of Splunk Cloud: 8.1.2101, 8.1.2103, 8.2.2104

