In this chapter, we'll cover how to combine configuration files, scripts, knowledge objects, and reports/dashboards into packages called apps that make Splunk more useful and relevant to specific technologies or business-driven use cases. This chapter will also introduce several of the most useful (and mostly free) apps and add-ons available from Splunkbase that further extend the value of Splunk by providing optimized data collection and management functions for a wide variety of technologies, including Linux and Windows servers, databases, and various logs and metrics from AWS, to give just a few examples. Finally, we'll review the Splunk Machine Learning Toolkit, DB Connect, and Splunk's premium apps (IT Service Intelligence, Enterprise Security, and User Behavior Analytics), and see how they fit into comprehensive monitoring and situational-detection solutions.
Apps and add-ons extend the functionality of the Splunk platform. A Splunk app is a collection of knowledge objects, and as you know, a knowledge object is a broad term that is applied to configuration files, saved searches, macros, lookups, and so on. An app can also include scripts that are used to retrieve data from external sources and/or HTML, CSS, XML, image, and other files to create user interfaces and visualizations that expand and increase Splunk's functionality to meet user needs.
By default, the Splunk platform includes one basic app that enables you to work with your data: Search & Reporting. To expand Splunk's functionality, you can install other apps from Splunkbase or create your own. Most of the apps provided by Splunk or other users on Splunkbase are fairly sophisticated and greatly extend the functionality of the Splunk platform.
An add-on, on the other hand, is generally an app that enables the Splunk platform to collect and ingest a particular type of data from other technologies or vendors. An add-on will typically include a script or code and related configuration files to support the data-collection process, along with task-specific saved searches and macros; many do not include a user interface and play a supporting role only. Examples include the Splunk Add-on for Unix and Linux and the Add-on for Microsoft Windows, both of which collect OS-level logs and metrics, and the Splunk Add-on for Amazon Web Services, which interfaces with various AWS technologies to collect and store logs and metrics data into Splunk indexes.
To generalize, apps offer user interfaces and tools that enable you to work with your data, and they often rely on add-ons to ingest various types of data. This will all make more sense as you actually work with apps, so let's get started.
As we mentioned, you can create your own apps in Splunk. In practice, user-created apps (or more specifically, the app directories and their contents) are typically used as a container for your saved searches, reports, dashboards, and configuration files that pertain to the data for a specific technology, application, environment, or business unit. These apps can be as simple as a few .conf files (such as indexes.conf or inputs.conf) to configure Splunk to import and store data, or a sophisticated collection of knowledge objects, scripts, and a full-featured user interface to allow data collection, visualization, analysis, and reporting. All of the files within an app are in plain text (and can be edited), and Splunk provides full documentation on all of its .conf files (including the stanzas, attributes, and possible values) so that the purpose of each configuration setting is transparent.
You can create a new Splunk app from Splunk Web yourself by going through the following steps:
- Click the Apps dropdown
- Select Manage Apps
- Click Create app
- In the form that appears, give the app a name that will be displayed in the left-hand menu, as well as a recognizable, OS-friendly folder name
- The Version can be 1.0 (it's your first one!)
- If you want your app to have an icon with its name listed on the left-hand side with all the other Splunk apps, and to provide a user interface for selecting reports, dashboards, and so on, set Visible to Yes; if it is just going to be a container for some configuration files, set this to No
- Author and description are self-explanatory
The following screenshot shows an example form:
Fig 9.1: Creating a new Splunk app
Splunk uses one of two selectable templates for creating the starting structure of your new app: barebones and sample_app. You can select barebones if your app is not going to have a user interface; otherwise, choose sample_app. Finally, you can click Choose File to upload any user interface files (HTML, CSS, JS, images) to be used with your app. Then click Save.
After you have created your app, its directory (on Linux), its subdirectories, and the general contents of each folder will look like the following listing; if you chose the barebones template, the appserver folder will be missing:
/opt/splunk/etc/apps/mytestapp/
appserver/static # images, html, css, etc. files for the user interface
bin/ # script files that collect or manipulate data
default/ # app.conf and several other default conf files
local/ # where you and Splunk put .conf files for inputs, indexes, props, etc.
metadata/ # default.meta and local.meta files - stores access permissions
The app.conf file in .../mytestapp/default contains the entries you made when you created the app: whether it's visible, the label, author, description, and version. If your app is going to have a user interface, then the .../appserver/static/ folder is where you can put your own image files to use in the app, as well as alter the provided application.css file to customize the look of your app; this file is nicely commented to help you find and alter its effects on the app's appearance. Also of note is a default.xml file in .../mytestapp/local/data/ui/nav/ that configures the navigation bar across the top of your app, which you can alter to suit your needs....
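The following script is an added example, not code from this book or from Splunk. It reproduces what the Create app form and the directory listing above describe: it scaffolds the bin/, default/, local/, and metadata/ folders (plus appserver/static/ for a visible app), writes a default/app.conf from the form values, and writes a metadata/default.meta that lets every role read the app's knowledge objects but only admin change them. It then runs a small check over the result. The [install], [ui], [launcher], and [package] stanzas and the access/export attributes are the standard ones Splunk documents; the app name mytestapp, the check_app logic, and the hand-written parse_conf reader are this example's own choices.

```python
"""Scaffold a minimal Splunk app directory and sanity-check it.

Added example, not Splunk's own tooling. Folder layout follows the chapter's
listing; stanza and attribute names are the standard documented ones; the
app name 'mytestapp' is a placeholder.
"""
import re
import tempfile
from pathlib import Path

APP_FOLDERS = ("bin", "default", "local", "metadata")


def parse_conf(path: Path) -> dict:
    """Minimal Splunk .conf/.meta reader returning {stanza: {key: value}}.

    Hand-written rather than configparser because the whole-app stanza in a
    .meta file is literally '[]' (an empty name), which configparser rejects.
    """
    stanzas, current = {}, None
    for raw in path.read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def scaffold_app(base: Path, name: str, label: str, author: str,
                 description: str, version: str = "1.0",
                 visible: bool = False) -> Path:
    """Create <base>/<name>/ with the chapter's folders and starter files."""
    app = base / name
    for sub in APP_FOLDERS:
        (app / sub).mkdir(parents=True, exist_ok=True)
    if visible:  # the sample_app template ships UI assets; barebones does not
        (app / "appserver" / "static").mkdir(parents=True, exist_ok=True)

    # The values entered in the Create app form end up in default/app.conf.
    app_conf = [
        "[install]", "is_configured = 0", "state = enabled", "",
        "[ui]", f"is_visible = {1 if visible else 0}", f"label = {label}", "",
        "[launcher]", f"author = {author}", f"description = {description}",
        f"version = {version}", "",
        "[package]", f"id = {name}", "check_for_updates = 0", "",
    ]
    (app / "default" / "app.conf").write_text("\n".join(app_conf))

    # default.meta: any role may read the app's knowledge objects, only the
    # admin role may modify them, and nothing is exported to other apps.
    meta = ["[]", "access = read : [ * ], write : [ admin ]", "export = none", ""]
    (app / "metadata" / "default.meta").write_text("\n".join(meta))
    return app


def check_app(app: Path) -> list:
    """Return a list of findings; an empty list means the app looks sane."""
    findings = [f"missing folder: {sub}/" for sub in APP_FOLDERS
                if not (app / sub).is_dir()]
    conf_path = app / "default" / "app.conf"
    if not conf_path.is_file():
        return findings + ["missing default/app.conf"]
    conf = parse_conf(conf_path)
    for stanza, key in (("ui", "label"), ("launcher", "version"), ("package", "id")):
        if key not in conf.get(stanza, {}):
            findings.append(f"app.conf lacks [{stanza}] {key}")
    is_visible = conf.get("ui", {}).get("is_visible") == "1"
    if is_visible and not (app / "appserver" / "static").is_dir():
        findings.append("visible app has no appserver/static/ folder")
    meta_path = app / "metadata" / "default.meta"
    if meta_path.is_file():
        # Flag a whole-app stanza whose write list contains the wildcard role.
        access = parse_conf(meta_path).get("", {}).get("access", "")
        match = re.search(r"write\s*:\s*\[([^\]]*)\]", access)
        if match and "*" in match.group(1):
            findings.append("default.meta lets every role modify the app")
    return findings


def demo() -> dict:
    """Scaffold a visible app in a temp dir, check it, then weaken default.meta."""
    with tempfile.TemporaryDirectory() as tmp:
        app = scaffold_app(Path(tmp), "mytestapp", "My Test App", "me",
                           "Example app", visible=True)
        result = {"conf": parse_conf(app / "default" / "app.conf"),
                  "clean": check_app(app)}
        # Constructed weak variant: write access opened to every role.
        (app / "metadata" / "default.meta").write_text(
            "[]\naccess = read : [ * ], write : [ * ]\nexport = none\n")
        result["weak"] = check_app(app)
        return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running the script scaffolds the app in a temporary directory, reports no findings for the generated layout, and then reports one finding once default.meta is rewritten to grant write access to every role; the same check_app function can be pointed at a real directory under /opt/splunk/etc/apps/ to review an app before it is deployed.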