Chapter 2. Developing an Application on Splunk

In this chapter, we will quickly go through the process of creating an application and an add-on on Splunk Enterprise. You will learn how to install and manage applications and add-ons on Splunk, and how to use the applications available on the Splunk app store so that you can reuse existing work instead of rebuilding it for similar requirements.

The following topics will be covered in this chapter:

  • Splunk apps and technology add-ons
  • Developing a Splunk app
  • Developing a technology add-on
  • Managing Splunk apps
  • Splunk apps from the app store (with examples and usage of a few apps from the store)

Splunk apps and technology add-ons

A basic Splunk app or technology add-on can be created easily from the Splunk Web console. Later in this chapter, we will also see how Splunk apps and add-ons can be created and configured manually.

What is a Splunk app?

A Splunk app is basically a collection of the dashboards, alerts, and visualizations created for a specific use case. It packages an entire use case in such a way that it can be installed on any Splunk Enterprise deployment to gain specific insight from the data that has been uploaded, provided that the app's minimum requirements are fulfilled.

Splunk apps can be configured on the basis of user roles and permissions, which gives a level of control when deploying and sharing an app across its different stakeholders. A Splunk app is created with a use case in mind, so that the work does not have to be repeated for the same use case or data sources. Once the data has been onboarded to the Splunk Enterprise server, a Splunk app is ready to use.

Splunk apps make it easier for users of Splunk Enterprise to use the same deployment for different use cases; for example, one Splunk deployment can serve network health monitoring, security and threat detection, and many more. Each use case gets its own Splunk app on the same Splunk Enterprise deployment, and roles can be assigned so that each app is visible to, and usable by, only the authenticated users of that app.

Later in this chapter, you will learn how to create Splunk apps and manage and install Splunk applications on Splunk Enterprise.

What is a technology add-on?

A Splunk add-on is basically a single-component, reusable application with no user interface, and it can be used in many use cases. For example, a Splunk add-on can be a script that fetches data from a web server and uploads it to Splunk. That add-on can then be used with any other application and use case that needs to fetch and upload data from a web server. In such scenarios, Splunk add-ons reduce the rework required to do the same task.

Splunk add-ons can be bundled with one or more Splunk apps that have similar requirements. The following are a few examples of Splunk add-ons:

  • Custom data parsing and field extraction for data before it is indexed in Splunk
  • Custom scripts that fetch data from one or more sources and then upload it to Splunk
  • Custom macros and sourcetypes
  • Reusable JavaScript and CSS
  • Custom regular-expression matching and data cleaning before data is indexed in Splunk
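The following is an added example, not code from the book or from Splunk: a minimal technology add-on of the kind described above, written out as files on disk. It contains a props.conf/transforms.conf pair for custom field extraction, an inputs.conf stanza for a scripted input that fetches data, and a metadata/default.meta that fixes the role-based permissions mentioned in the section on Splunk apps (readable by everyone, writable only by the admin role, exported to every app). The add-on name TA-example, the sourcetype example:auth, the log format, and the sample events are assumptions chosen for illustration. A small conf parser then applies the add-on's own REGEX to the sample events so the extraction can be checked offline, without a Splunk instance.

```python
"""Minimal Splunk technology add-on skeleton plus an offline check of its
search-time field extraction. Added example, not code from the book; the
add-on name, sourcetype and log format are assumptions for illustration."""
import re
import tempfile
from pathlib import Path

APP_ID = "TA-example"        # assumed add-on name
SOURCETYPE = "example:auth"  # assumed sourcetype

# Relative path inside the add-on -> file contents (Splunk .conf syntax).
ADDON_FILES = {
    "default/app.conf": """\
[ui]
# an add-on ships no dashboards, so keep it out of the app menu
is_visible = 0
label = TA-example
[package]
id = TA-example
""",
    "default/props.conf": """\
[example:auth]
SHOULD_LINEMERGE = false
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
MAX_TIMESTAMP_LOOKAHEAD = 25
# REPORT-<class> names a transforms.conf stanza; it runs at search time
REPORT-auth = example_auth_fields
""",
    "default/transforms.conf": """\
[example_auth_fields]
REGEX = user=(?<user>\\S+)\\s+src=(?<src>\\d{1,3}(?:\\.\\d{1,3}){3})\\s+action=(?<action>\\w+)
""",
    "default/inputs.conf": """\
# scripted input: Splunk runs bin/fetch.py (not shown) every 300 s and
# indexes whatever it prints under the sourcetype above
[script://$SPLUNK_HOME/etc/apps/TA-example/bin/fetch.py]
interval = 300
sourcetype = example:auth
index = main
disabled = 0
""",
    "metadata/default.meta": """\
# readable by everyone, writable only by admin, exported to every app
[]
access = read : [ * ], write : [ admin ]
export = system
""",
}

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    "2024-05-01T10:15:00+0000 user=alice src=10.0.0.5 action=login",
    "2024-05-01T10:15:07+0000 user=bob src=10.0.0.9 action=failed",
    "2024-05-01T10:16:00+0000 heartbeat ok",
]


def build_addon(root=None):
    """Write the add-on tree under root (a fresh temp dir if None); return its path."""
    app_dir = Path(root or tempfile.mkdtemp()) / APP_ID
    for rel, content in ADDON_FILES.items():
        path = app_dir / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return app_dir


def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; '[]' parses as "". No continuations."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # values may themselves contain '='
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def pcre_to_python(regex):
    """Splunk uses PCRE named groups (?<name>...); Python needs (?P<name>...). Lookbehinds untouched."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", regex)


def extract_fields(app_dir, sourcetype, event):
    """Apply the REPORT-* transforms configured for sourcetype to one event."""
    props = parse_conf((app_dir / "default/props.conf").read_text())
    transforms = parse_conf((app_dir / "default/transforms.conf").read_text())
    fields = {}
    for key, names in props.get(sourcetype, {}).items():
        for name in (names.split(",") if key.startswith("REPORT-") else []):
            match = re.search(pcre_to_python(transforms[name.strip()]["REGEX"]), event)
            if match:
                fields.update({k: v for k, v in match.groupdict().items() if v})
    return fields


if __name__ == "__main__":
    app = build_addon()
    for event in SAMPLE_EVENTS:
        print(extract_fields(app, SOURCETYPE, event))
```

Two caveats worth keeping in mind when you move from this offline check to a real deployment: Splunk evaluates REGEX with PCRE, not Python's re, so the translation above only covers named-group syntax and anything more exotic should be verified in Splunk itself (for example with `splunk btool props list` to see the merged configuration); and the `write : [ admin ]` restriction in default.meta is what stops a non-admin user from silently changing an extraction that detections and dashboards depend on, so do not loosen it just to make editing convenient.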