Manage private apps in your Splunk Cloud deployment
Private apps are Splunk apps that are private to your Splunk Cloud deployment. These apps are not publicly available on Splunkbase. Like all Splunk apps, private apps must be approved by Splunk to be installed on your Splunk Cloud deployment. Splunk uses the validation tool AppInspect to determine if apps comply with the security requirements of Splunk Cloud. For information about AppInspect, see Splunk Appinspect tool on the Splunk developer portal.
In Splunk Cloud deployments, you can use Splunk App Management to manage and install private apps. You must be a Splunk Cloud administrator to manage and install private apps in your Splunk Cloud deployment.
Create a private app
- See the Building Splunk Apps documentation on Splunkbase.
- For information about dependencies, see the Splunk Packaging Toolkit.
- For information about Appinspect, see Splunk AppInspect tool on the Splunk developer portal.
- If your private app uses Python, ensure that you use a supported version. For more details, see the Splunk Cloud section of the Python 3 Migration guide.
- Create an app that conforms to Splunk app standards and requirements.
- Make sure the app package does not have any static dependencies, because only dynamic dependencies are supported.
- Package the app as a .tgz, .spl, .zip or .gz file. Keep the package size limited to 128MB.
- Run the app through AppInspect and make sure it passes all app validation checks.
The file is ready to be installed on your Splunk Cloud deployment. You install and manage your private app yourself.
Install private apps on Splunk Cloud
In Splunk Cloud version 8.1.2101 and higher, there are two different app installation workflows that can appear in Splunk Web: One workflow that provides automated app validation, and another that requires manual app validation. The app installation workflow available to you in Splunk Web depends on the type of indexer tier assigned to your Splunk Cloud deployment.
To determine which private app installation workflow is available for your deployment, in Splunk Web, click Support & Services > About. If you are on "Experience: Classic", you can install your app using the automated app vetting workflow. Otherwise, you must install your app using the manual app vetting workflow.
To install your private app on Splunk Cloud, follow the instructions that apply to your deployment:
For more information on indexer tier assignments, contact your Splunk Cloud representative.
Install a private app with automated app vetting
You can upload and install your private app on Splunk Cloud using the Upload App workflow in Splunk Web. This workflow automatically runs your app through AppInspect validation checks. It also lets you update your app and view reports that detail issues found during the app validation process .
Upload and install a private app
To upload, validate, and install your app:
- In Splunk Web, click the Apps gear.
- Click Uploaded Apps > Upload App.
- Enter your splunk.com credentials. Splunk Cloud uses these credentials to authenticate your AppInspect app validation.
- Select the consent check box and click Login.
- Select your private app package and click Upload.
If your app uploads successfully, it appears on the Uploaded Apps page. Splunk Cloud automatically runs your app through AppInspect validation to confirm that your app meets Splunk Cloud requirements. The app validation status appears in the Uploaded Apps table. For more information, see App validation status.
- In the Uploaded Apps table, check the app validation status. Your app must pass all AppInspect checks and be approved before you can install it.
- Click Install.
- Click the Apps tab to confirm that your private app is now listed in the Apps table. You can also see that the value for App Origin is Uploaded.
This uploaded package is private to your Splunk Cloud deployment. It is stored in your Splunk Cloud deployment and not on Splunkbase.
App validation status
Based on the results of the app validation process, status can be one of the following:
- Vetting – Package is in the validation process.
- Approved – Package has passed all AppInspect checks or you have chosen to acknowledge the Splunk General Terms regarding potential impact of known issues and proceeded to allow installation.
- Installed – Package is installed on your Splunk Cloud deployment.
- Rejected – Package did not pass AppInspect checks. Issues must be addressed before installation in Splunk Cloud. Click View Report to see failures or issues.
- Failed message – Package validation did not complete due to some issues, for example, issues with the AppInspect service. Click More Info to find out why the package failed validation.
Update a private app
- If you are installing an earlier version, uninstall the currently installed app.
- Upload your private app.
- Verify that the app status is Approved in the Uploaded Apps table.
- Click Install to install an earlier version. Click Update to replace an installed app with a later version.
- Go to the Apps tab to see that the later version of your private app is listed in the Apps table.
View report of a private app
To view the AppInspect report for your app:
- Click View Report.
- Review the details of the report to determine why AppInspect rejected the package.
- Fix the issues specified in the report and upload your app again.
Install a private app with manual app vetting
Some Splunk Cloud deployments require you to validate your private apps manually before installation. These deployments let you install your apps using the Install from file workflow on the Apps page in Splunk Web. If your deployment requires you to validate your private apps manually before installation, follow these steps:
- Generate an authentication token.
- Validate your private app using Splunk AppInspect.
- Upload and install your app on Splunk Cloud.
Step 1. Generate an authentication token
Authenticate with the Splunk API service by sending an HTTP GET request to the
login/splunk endpoint. You must specify your full Splunk.com username in the request. The request output contains a JSON Web Token (JWT) that you must provide with Splunk AppInspect API requests. For example:
curl -k -u <firstname.lastname@example.org> \ --url "https://api.splunk.com/2.0/rest/login/splunk"
Step 2. Validate your private app using Splunk AppInspect
Validate that your app meets Splunk Cloud requirements using the Splunk AppInspect API. When validating your app you must specify only the
private_app tag in your request. For example:
curl -X POST \ -H "Authorization: bearer <token>" \ -H "Cache-Control: no-cache" \ -F "app_package=@</path/to/splunk/app.tgz>" \ -F "included_tags=private_app" \ --url "https://appinspect.splunk.com/v1/app/validate"
Specifying any tag other than the
private_app tag will return the following error:
You are not authorized to install this app. You must submit the app to AppInspect, and specify the same credentials as those used for AppInspect.
For complete instructions on how to validate your app using the AppInspect API, see Use the Splunk AppInspect API.
Step 3. Upload and install your private app on Splunk Cloud
After you validate your app using Splunk AppInspect, upload and install your app on Splunk Cloud as follows:
- In Splunk Web, click the Apps gear.
- Click Install app from file.
- Specify the same username and password that you provided when validating your app with AppInspect. Splunk Cloud uses these credentials to authenticate your AppInspect app validation.
- Before you can upload your app, you must validate the app, if you have not already done so. See Step 1. Validate your app using AppInspect.
- Click Choose File. Select your private app package and click Upload.
- Click Acknowledged to acknowledge Splunk's private app installation terms.
- Click Install.
Configuration file reload triggers in app.conf
Splunk apps can contain a combination of Splunk Enterprise core configuration files and custom configuration files, such as those created by app developers for both private apps and public apps on Splunkbase. Whether these configuration files reload when you install an app or make configuration changes depends on reload trigger settings in
Many Splunk Enterprise core configuration files reload by default on app installation or when configuration updates occur. These files have a reload setting under the
[triggers] stanza in
$SPLUNK_HOME/etc/system/default/app.conf, which causes them to reload automatically.
A custom configuration file is by definition any configuration file that does not have a corresponding
.spec file in
$SPLUNK_HOME/etc/system/README. This includes custom configuration files found in third party apps, such as
eventgen.conf, and so on.
All custom configuration files reload by default, unless the file has a custom reload trigger in
app.conf. For example, in the Splunk Security Essentials app,
app.conf contains the following custom reload trigger:
reload.ssenav = http_get /SSEResetLocalNav. When you install an app or update configurations for an app that has a custom reload trigger in
app.conf, Splunk software tries to honor the custom reload trigger setting. If the custom reload trigger fails, then a rolling restart occurs.
If a custom configuration file does not have a reload trigger specified in app.conf, the default behavior is to restart for unknown configs. If a restart is not required, you can set the conf level trigger in
reload.<conf_file_name> = simple.
For detailed information on how to configure reload trigger settings for configuration files, see app.conf in the Admin Manual.
For more information on restart vs. reload behavior of Splunk Enterprise core configuration files, see Restart or reload after configuration bundle push? in the Splunk Enterprise documentation.
Stanza-level reload triggers for inputs.conf
Stanza-level reload triggers enable the reload of only those specific configuration file stanzas that change when a configuration update occurs. This lets admins perform more efficient configuration updates based on which stanzas in the configuration file will change.
Stanza-level reload currently applies to a subset of stanzas in
inputs.conf only. Any
inputs.conf stanza that has a
reload.<conf_file_name>.<conf_stanza_prefix> entry under the
[triggers] stanza in
app.conf will reload when changes are made to the specified stanza. Changes made to any
inputs.conf stanzas that are not specified in a stanza-level reload entry will trigger a rolling restart.
Stanza-level reload for
inputs.conf applies only when pushing changes to the configuration bundle in the indexer clustering context.
The following stanzas are reloadable in
|.conf file name||stanza prefix||Reload or restart|
For detailed information on stanza-level reload triggers, see app.conf. in the Splunk Enterprise documentation.
Disable reload triggers in app.conf
You can disable both .conf-level reload triggers and stanza-level reload triggers by specifying the value
never for any reload trigger entry in
app.conf. Any reload trigger entry with a value of
never will trigger a rolling restart when configuration changes occur. This can be useful if for any reason you want a specific configuration change to trigger a rolling restart.
For more information on configuring reload triggers, see app.conf. in the Splunk Enterprise documentation.
For a listing of restart vs. reload behavior of frequently used apps and configuration files in Splunk Cloud, see Restart vs. reload behavior of common apps and .conf files.
Install apps in your Splunk Cloud deployment
Manage a rolling restart in Splunk Cloud
This documentation applies to the following versions of Splunk Cloud™: 8.1.2101, 8.1.2103, 8.2.2104