Developing a Splunk app

Developing or creating a simple Splunk application is very easy in Splunk Enterprise, but developing a Splunk app that solves a business problem specific to a use case requires the following basic process:

  1. On-boarding data on Splunk: Using various data input methods to upload data on Splunk.
  2. Analytics: Using the Splunk search query language to create meaningful insights into the data uploaded on Splunk.
  3. Visualization: Creating visualizations for better understanding of the uploaded data on Splunk.

A Splunk app can include various components of Splunk Enterprise, such as data inputs, search queries, custom dashboards, macros, custom CSS, JavaScript, and many more…

Creating the Splunk application and technology add-on

The Splunk application framework is built on a directory structure. All installed applications, including the ones shipped by default, live under $SPLUNK_HOME\etc\apps.

The following procedure creates a sample Splunk app via the Splunk Web console, which is accessible at http://localhost:8000 (replace this address with the IP address and configured port number of the Splunk instance if you are not accessing it from the Splunk Server machine).

The procedure to create a Splunk application and a Splunk technology add-on is almost the same, with just a small difference in one step. The difference is highlighted in the following steps:

  1. On the home screen that Splunk shows after you log in, navigate to Apps | Manage Apps.
  2. On the screen that appears after clicking on Manage Apps, click on the Create App button.
  3. Splunk Web navigates to a new page called Create App, which provides textboxes for the following information:
    • Name: In this field, we need to fill the name of the Splunk application or technology add-on. This will be the same name that will be visible in the app list of Splunk.
    • Folder Name: Here, we need to fill in the name of the folder where all the configuration files, dashboards, saved searches, and alerts belonging to the app will be stored. The folder name entered here is created under $SPLUNK_HOME\etc\apps. The folder name cannot contain a dot (.) character. Even though users are free to choose any name for the add-on, Splunk recommends using TA- as a prefix for the add-on folder name so that Splunk applications and add-ons can be told apart.
    • Visible: If the application contains a UI (visualizations), then this field should be marked as YES. Generally, add-ons do not have a UI, so when creating an add-on, the NO option is marked.
    • Description: In this field, we need to provide the description of the Splunk application or technology add-on. This field is required in case you plan to upload the application on the Splunk app store; otherwise, this is an optional field.
    • Template: Splunk provides two templates by default: Sample_app and Barebones. The Barebones template provides a sample app directory structure, whereas Sample_app includes sample views and saved searches. In the case of a technology add-on, this is not applicable as there are no visible UIs.
    • Upload Asset: This option provides users the ability to upload any custom scripts, HTML, images, CSS, or JavaScript that may be required for the application.
  4. Save the settings by clicking on Save.

For the application to be visible in the app list of Splunk, the Splunk instance must be restarted.

Now, users can navigate to the Splunk application that we created and start creating custom dashboards, visualizations, and alerts that we will be studying in the upcoming chapters in this book.

Packaging the application

Our Splunk app needs to be packaged properly so that it can be redistributed to other Splunk deployments. Uploading a Splunk app to the Splunk app store requires the app to comply with a specific set of instructions; however, making the Splunk application compliant with the Splunk app store is out of the scope of this book.

The following is the easiest and simplest method to package the Splunk app in order to install it on other Splunk deployments:

  1. Make sure that all the settings are properly configured so that the application has all the configuration files updated.
  2. Traverse to the $SPLUNK_HOME\etc\apps directory on the Splunk Server and copy the application folder to another path, say, your desktop. The folder name is the one the user specified in the preceding section while creating the application.
  3. For our example, the Splunk app located at $SPLUNK_HOME\etc\apps is TestApplication.
  4. Using any compression/decompression tool, such as 7Zip, compress the app directory into a .zip or .tar.gz file. In our case, the application after compression will become TestApplication.zip or TestApplication.tar.gz.
  5. Now, the Splunk app (TestApplication.zip or TestApplication.tar.gz) is ready for redistribution and can be installed on other Splunk deployments that are running on the compatible version of Splunk.

Installing a Splunk app via Splunk Web

Installing the Splunk app via a web interface is very simple. The following steps are required for the installation of the Splunk app:

  1. Log on to Splunk Web.
  2. Navigate to Apps | Manage Apps.
  3. Then, click on Install app from file.
  4. Click on Browse and navigate to the folder where your compressed application is available, and then choose the Splunk app.
  5. Tick Upgrade App if you are installing an upgraded version of an already installed application; otherwise, leave it unchecked.
  6. Click on Upload to install the application.
  7. After the successful installation, restart the Splunk Server to make it visible in the app list.

Installing the Splunk app manually

In deployments where access to Splunk Web is not enabled, or where the user wants to install the application manually, the following procedure is to be followed:

  1. Uncompress the Splunk application package (TestApplication.zip or TestApplication.tar.gz) using any decompression tool such as 7Zip.
  2. Make sure that you have decompressed it fully, so that the root folder is named after the application and contains the subfolders, such as default, local, and others.
  3. Copy the uncompressed application folder to $SPLUNK_HOME\etc\apps, making sure that the folder copied is the root folder of the application.

    For example, in our case, the application folder path will look like $SPLUNK_HOME\etc\apps\TestApplication.

  4. Now, restart the Splunk Server.

Yes, copying the application folder to the respective app directory and then restarting the Splunk Server installs the application on Splunk. On every restart, the Splunk Server refreshes its app list and the newly added application gets listed on the Splunk app list.
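The packaging steps above and the root-folder check made during manual installation can be scripted. The following shell script is an added example, not from the book: it packages an app folder into <AppName>.tar.gz with the app folder as the archive root, and verifies such a package (single root folder, no dot in its name, no absolute or ".." entries, a default/app.conf inside) before it is copied into $SPLUNK_HOME\etc\apps. The app name TestApplication, the minimal app.conf and the temporary paths are constructed for the demo.

```shell
# Added example (not from the book): package a Splunk app folder into
# <AppName>.tar.gz with the app folder as the archive root, then check such an
# archive before copying it into $SPLUNK_HOME/etc/apps. Demo data is constructed.
set -eu

# pack_splunk_app <path/to/AppFolder> <output_dir>
# Writes <output_dir>/<AppName>.tar.gz whose only root entry is <AppName>/.
pack_splunk_app() {
    app_dir=$1; out_dir=$2
    app_name=$(basename "$app_dir")
    case $app_name in
        *.*) echo "app folder name must not contain a dot: $app_name" >&2; return 1 ;;
    esac
    [ -f "$app_dir/default/app.conf" ] || { echo "missing default/app.conf" >&2; return 1; }
    # -C moves into the parent directory so the archive root is exactly "$app_name/"
    tar -czf "$out_dir/$app_name.tar.gz" -C "$(dirname "$app_dir")" "$app_name"
}

# check_splunk_app_package <archive.tar.gz>
# Succeeds (and prints the app folder name) only if the archive has exactly one
# root folder, with no dot in its name, no absolute or ".." entries, and a
# default/app.conf inside; otherwise returns 1.
check_splunk_app_package() {
    entries=$(tar -tzf "$1") || return 1
    if printf '%s\n' "$entries" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "archive contains absolute or '..' paths" >&2; return 1
    fi
    roots=$(printf '%s\n' "$entries" | awk -F/ '{print $1}' | sort -u)
    [ "$(printf '%s\n' "$roots" | wc -l | tr -d ' ')" -eq 1 ] ||
        { echo "archive must contain exactly one root folder" >&2; return 1; }
    case $roots in *.*) echo "root folder name contains a dot: $roots" >&2; return 1 ;; esac
    printf '%s\n' "$entries" | grep -qx "$roots/default/app.conf" ||
        { echo "missing $roots/default/app.conf in archive" >&2; return 1; }
    echo "$roots"
}

# make_sample_app <parent_dir> <AppName>: constructed minimal app for the demo.
make_sample_app() {
    mkdir -p "$1/$2/default" "$1/$2/local"
    printf '[ui]\nis_visible = 1\n' > "$1/$2/default/app.conf"
    echo "$1/$2"
}

# Demo: build TestApplication, package it, and verify the resulting package.
work=$(mktemp -d)
app=$(make_sample_app "$work/src" TestApplication)
pack_splunk_app "$app" "$work"
check_splunk_app_package "$work/TestApplication.tar.gz"   # prints TestApplication
rm -rf "$work"
```

A package that fails the check (for example one packed from inside the app folder, whose root is ".") would not produce the $SPLUNK_HOME\etc\apps\TestApplication layout the manual procedure relies on.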

The Splunk application can be installed or updated from the command line as well. Open Command Prompt on Windows or a terminal on a Linux system and traverse to $SPLUNK_HOME\bin.

Then, run the following command to install the application for Windows users:

splunk install app <app_package_filename> -update 1 -auth <username>:<password>

For Linux users, run the following command:

./splunk install app <app_package_filename> -update 1 -auth <username>:<password>

After running this command, restart Splunk Enterprise to let the changes take effect.
