Splunk Cloud Platform

Splunk Cloud Platform Admin Manual

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Manage private apps on your Splunk Cloud Platform deployment

Private apps are custom apps that you create for your Splunk Cloud Platform deployment. Private apps are not publicly available on Splunkbase.

Before you can install a private app, the app must be approved by the Splunk AppInspect validation tool, which determines if the app meets Splunk Cloud Platform requirements. For more information on AppInspect, see Validate the quality of Splunk apps and add-ons using AppInspect on the Splunk developer portal.

You can install and manage private apps on your Splunk Cloud Platform deployment using the app management page in Splunk Web. For more information, see Install private apps on Splunk Cloud Platform.

You can also install private apps programmatically using the Admin Config Service (ACS) API. For more information, see Manage private apps in Splunk Cloud Platform in the Admin Config Service Manual.

You must have the sc_admin (Splunk Cloud Platform Administrator) role to install apps in Splunk Cloud Platform.

Create a private app

Prerequisites

Steps

  1. Create an app that conforms to Splunk app standards and requirements.
  2. Make sure the app package does not have any static dependencies, because only dynamic dependencies are supported.
  3. Package the app as a .tgz, .spl, or .gz file. Limit the package size to 128MB.
  4. Run the app through AppInspect and make sure it passes all app validation checks.

The file is ready to be installed on your Splunk Cloud Platform deployment. You can install and manage your private app yourself.

Install private apps on Splunk Cloud Platform

Splunk Cloud Platform supports self-service installation of private apps on search heads and indexers.

In Splunk Cloud Platform version 8.2.2106, there are two slightly different private app installation workflows that can appear in Splunk Web. Both workflows automatically run your app through AppInspect validation checks and let you view a report that shows the results of the app validation process.

The app installation workflow available to you in Splunk Web depends on your Splunk Cloud Platform Experience: Classic or Victoria. To find your deployment's Experience, in Splunk Web, click Support & Services > About.

After you determine your Experience, follow the private app installation instructions that apply to your deployment:

For more information on Splunk Cloud Platform Experience, see Determine your Splunk Cloud Platform Experience.

Install a private app on Classic Experience

If your Splunk Cloud Platform deployment is on Classic Experience, you can upload and install your private app using the Upload App workflow in Splunk Web.

Splunk Cloud Platform does not support self-service installation of private apps on IDM. If you are on Classic Experience, and your private app contains modular or scripted inputs that require installation on IDM, you must contact Splunk Support and submit a Cloud App Request to upload your app.

When you install an app using self-service app installation on Classic Experience, the app is automatically installed on all regular search heads and search head cluster members across your deployment. The app is also installed on indexers.

Classic Experience does not support self-service app installation on premium search heads, such as those running IT Service Intelligence (ITSI) or Enterprise Security (ES). If your deployment is on Classic Experience, to install any app on a premium search head, you must contact Splunk Support.

To install a private app on a Classic Experience deployment:

  1. In Splunk Web, click the Apps gear icon.
  2. Open the Uploaded Apps tab, and click Upload App.
  3. Enter your splunk.com account credentials. Splunk Cloud Platform uses these credentials to authenticate your AppInspect app validation.
  4. Select the consent check box and click Login.
  5. Select your private app package and click Upload.
    Your app appears in the Uploaded Apps table. Splunk Cloud Platform automatically runs your app through AppInspect validation to confirm that it meets Splunk Cloud Platform requirements.

    This screen image shows the Uploaded Apps view with several private apps listed, showing the different possible statuses of those apps: approved, installed, rejected, vetting, and app validation failed to complete.

  6. In the Uploaded Apps table, check the app validation status. Your app must pass all AppInspect checks and be approved before you can install it. For more information, see Check app validation status.
  7. If your app validation status is approved, click Install. If your app validation status is rejected, click View Report to determine the issues you must fix before you can install the app. For more information, see View app validation report.
  8. After you install your app, click the Apps tab to confirm that your private app is now listed in the Apps table. You can also see that the value for App Origin is Uploaded.

Check app validation status

The app validation status can be one of the following:

Status Description
Vetting The app package is in the validation process.
Approved The app package has passed all AppInspect checks, or you have chosen to acknowledge the Splunk General Terms regarding potential impact of known issues and proceed with installation.
Installed The app package is installed on your Splunk Cloud Platform deployment.
Rejected The app package did not pass AppInspect validation checks. This means that some checks failed, or manual checks were detected that might require a manual review by the Splunk AppInspect team. To see the results of AppInspect validation, click View Report. For assistance with manual app vetting, contact Splunk Support.
Failed message The app package validation did not complete due to some issues, for example, issues with the AppInspect service. Click More Info to find out why the package failed validation.
Check Status (Victoria Experience only) This appears if you log out then log back in while an app is in the vetting process, or if the logged in user does not match the user who uploaded the app. In either case, to continue the app vetting process and view the report, click Check Status and enter the appropriate credentials.

View app validation report (Classic Experience)

  1. Click View Report.
  2. Review the details of the report to determine why AppInspect rejected the package.
  3. Fix the issues specified in the report and upload your app again.

Update a private app (Classic Experience)

  1. If you are installing an earlier version, uninstall the currently installed app.
  2. Upload your private app.
  3. Verify that the app status is Approved in the Uploaded Apps table.
  4. Click Install to install an earlier version. Click Update to replace an installed app with a later version.
  5. Go to the Apps tab to see that the later version of your private app is listed in the Apps table.

Install a private app on Victoria Experience

If your Splunk Cloud Platform deployment is on Victoria Experience, you can upload and install your private app using the Install app from file workflow on the Apps page in Splunk Web.

Splunk Cloud Platform deployments on Victoria Experience do not require IDM. If your deployment is on Victoria Experience you can run apps and add-ons that contain scripted or modular inputs directly on the search head.

When you install an app using self-service app installation on Victoria Experience, the app is automatically installed on all search heads and search head cluster members across your deployment, including premium search heads running premium apps, such as Spunk IT Service Intelligence (ITSI) and Splunk Enterprise Security (ES). The app is also installed on indexers.

On Victoria Experience, you cannot update configurations on individual search heads using self-service app installation. You must instead update configurations using the UI or API requests.

To install a private app on a Victoria Experience deployment:

  1. In Splunk Web, click the Apps gear icon.
  2. Click Install app from file.
  3. Click Upload App
  4. Enter your splunk.com account credentials. Splunk Cloud Platform uses these credentials to authenticate your AppInspect app validation.
  5. Select the consent check box and click Login.
  6. Select your private app package and click Upload.
    Your app appears in the Uploaded Apps table. Splunk Cloud Platform automatically runs your app through AppInspect validation.
  7. Check the app validation status. Your app must pass all AppInspect checks and be approved before you can install it. While you only need to enter your credentials once per session, if you log out while an app is still in the vetting process, then log back in, you must click Check Status and enter your credentials again to complete the vetting process and view the app validation report. For more information, see Check app validation status.
  8. You can click "Upload App" to upload additional apps while an app is in the "vetting" process.

  9. If your app validation status shows approved, click Install. If your app validation status shows rejected, click View Report to determine the issues you must fix before you can install the app. For more information, see View app validation report.

View app validation report (Victoria Experience)

  1. Click View Report.
  2. Review the details of the app validation report to determine why AppInspect rejected the package. If your report shows Manual Checks, the Splunk AppInspect team must manually vet your app prior to installation. For assistance with manual app vetting, contact Splunk Support.
  3. Fix any issues specified in the report and and upload your app again.

Update a private app (Victoria Experience)

  1. If you are installing an earlier version, uninstall the currently installed app.
  2. Upload your private app.
  3. Verify that the app status is Approved in the Uploaded Apps table.
  4. Click Install on the later version of the app to install the later version.
  5. Go to the Apps tab to see that the later version of your private app is listed in the Apps table.

Configuration file reload triggers in app.conf

Splunk apps can contain a combination of Splunk Enterprise core configuration files and custom configuration files, such as those created by app developers for both private apps and public apps on Splunkbase. Whether these configuration files reload when you install an app or make configuration changes depends on reload trigger settings in app.conf.

Many Splunk Enterprise core configuration files reload by default on app installation or when configuration updates occur. These files have a reload setting under the [triggers] stanza in $SPLUNK_HOME/etc/system/default/app.conf, which causes them to reload automatically.

A custom configuration file is by definition any configuration file that does not have a corresponding .spec file in $SPLUNK_HOME/etc/system/README. This includes custom configuration files found in third party apps, such as aws_settings.conf, service_now.conf, eventgen.conf, and so on.

All custom configuration files reload by default, unless the file has a custom reload trigger in app.conf. For example, in the Splunk Security Essentials app, app.conf contains the following custom reload trigger: reload.ssenav = http_get /SSEResetLocalNav. When you install an app or update configurations for an app that has a custom reload trigger in app.conf, Splunk software tries to honor the custom reload trigger setting. If the custom reload trigger fails, then a rolling restart occurs.

If a custom configuration file does not have a reload trigger specified in app.conf, the default behavior is to restart for unknown configs. If a restart is not required, you can set the conf level trigger in app.conf to reload.<conf_file_name> = simple.

For detailed information on how to configure reload trigger settings for configuration files, see app.conf in the Admin Manual.

For more information on restart vs. reload behavior of Splunk Enterprise core configuration files, see Restart or reload after configuration bundle push? in the Splunk Enterprise documentation.

Stanza-level reload triggers for inputs.conf

Stanza-level reload triggers enable the reload of only those specific configuration file stanzas that change when a configuration update occurs. This lets admins perform more efficient configuration updates based on which stanzas in the configuration file will change.

Stanza-level reload currently applies to a subset of stanzas in inputs.conf only. Any inputs.conf stanza that has a reload.<conf_file_name>.<conf_stanza_prefix> entry under the [triggers] stanza in app.conf will reload when changes are made to the specified stanza. Changes made to any inputs.conf stanzas that are not specified in a stanza-level reload entry will trigger a rolling restart.

Stanza-level reload for inputs.conf applies only when pushing changes to the configuration bundle in the indexer clustering context.

The following stanzas are reloadable in inputs.conf:

.conf file name stanza prefix Reload or restart
inputs.conf http reload
inputs.conf script reload
inputs.conf monitor reload
inputs.conf <modular_input> reload
inputs.conf batch reload

For detailed information on stanza-level reload triggers, see app.conf. in the Splunk Enterprise documentation.

Disable reload triggers in app.conf

You can disable both .conf-level reload triggers and stanza-level reload triggers by specifying the value never for any reload trigger entry in app.conf. Any reload trigger entry with a value of never will trigger a rolling restart when configuration changes occur. This can be useful if for any reason you want a specific configuration change to trigger a rolling restart.

For more information on configuring reload triggers, see app.conf. in the Splunk Enterprise documentation.

For a listing of restart vs. reload behavior of frequently used apps and configuration files in Splunk Cloud Platform, see Restart versus reload behavior of common apps and .conf files.

Last modified on 04 October, 2021
PREVIOUS
Install apps on your Splunk Cloud Platform deployment
  NEXT
Manage the Splunk Product Guidance app on your Splunk Cloud Platform deployment

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2109


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters