Community:Creating your first application

From Splunk Wiki


Create an add-on

This page contains best-practice instructions for creating a new Splunk application or add-on. For an introduction to the Splunk Application world, check out How applications work.


Here are step-by-step instructions, with links to relevant documentation.

1. Create a template for your application

  • Create a new directory in $SPLUNK_HOME/etc/apps/ for your application. Name the directory anything you like. Read more about application directories here.
  • Within your new app directory, create the following directories:
    • default/ -- put any configuration files you're using for your application here.
    • local/ -- this directory is for custom configurations for each instance.
    • static/ -- for static HTML content.
      • For example, images, non-templated HTML files, JavaScript libraries.
      • You do not need to include this directory if you're not including static content.
    • bin/ -- scripts.
      • Scripts that serve their own webpage and need a new REST endpoint must be specified in restmap.conf. Learn how to search REST endpoints.
      • You do not need to include this directory if you're not including scripts.
  • Create the files for your application in the appropriate directory. You may find this list of configuration files helpful.
  • If you have saved event types, searches, fields, or other items via Splunk Web, you can find them in configuration files in $SPLUNK_HOME/etc/system/local. Just copy the relevant stanzas out to your new files in your custom directory.
  • Don't forget to alter or remove any items that reveal too much internal information about your environment.
  • Make a final pass over the comments in your application to make sure they're clear and people understand what changes they need to make and what each section does.

2. Develop and test application

  • Create a sandbox index so you can blow it away without losing your data. Learn more about creating and using multiple indexes.
  • For any UI changes, symlink $SPLUNK_HOME/etc/system/local/ into your new application directory so changes get into your application.
  • For a more complicated application, write the machinery first with test data. There's a sample directory located in $SPLUNK_HOME/etc/apps/samples/.
    • Debug on each step and iterate until your code is totally hooked up.

3. UI components

Include any UI components for your application. You can develop these by using Splunk Web and the Admin interface. Remember to symlink $SPLUNK_HOME/etc/system/local/ into your new application directory so changes get into your application.

  • Dashboards
  • Saved searches
  • Inputs
  • Anything else you can do through UI/admin interface

4. Back-end components

These include anything you need to configure directly in configuration files.

5. Package up your application

  • Make sure any fields, eventtypes or other information tags adhere to the application standard.
  • Versioning
    • Index the version or put it on the application's dashboard.
  • Docs/readme
    • Index the file or put it on the application's dashboard.
  • Package
    • Start at the root of the application's directory, for example $SPLUNK_HOME/etc/apps/.
    • tar and gzip the application's directory into an archive with whatever name you want your app to have, for example $MYAPP.tar.gz.
    • Change the extension to .spl, so $MYAPP.tar.gz becomes $MYAPP.spl.
    • Upload your application to SplunkBase.
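
The review from step 1 (removing items that reveal internal information) and the packaging from step 5 can be scripted together. This is an added example, not code from the original wiki page or from Splunk; the function names, the search patterns and the sample app name `myapp` are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: pre-package review and .spl packaging for a Splunk app.
# The patterns below are illustrative assumptions, not a Splunk-defined list.

# Print every .conf line that looks like a stored credential or a private address.
# Returns 0 when something was found, 1 when nothing matched.
scan_app() {
    local cred='^[[:space:]]*[A-Za-z_.-]*(password|passwd|secret|token|apikey)[A-Za-z_.-]*[[:space:]]*=[[:space:]]*[^[:space:]]'
    local priv='(^|[^0-9.])(10\.[0-9]+|192\.168|172\.(1[6-9]|2[0-9]|3[01]))\.[0-9]+\.[0-9]+'
    grep -rHnEi --include='*.conf' -e "$cred" -e "$priv" "$1"
}

# Package APP from the apps root into OUT_DIR/APP.spl, following the page's
# steps: tar and gzip the app directory, then rename .tar.gz to .spl.
package_app() {
    local apps_root=$1 app=$2 out_dir=$3
    [ -d "$apps_root/$app/default" ] || { echo "missing $app/default/" >&2; return 2; }
    if scan_app "$apps_root/$app" >&2; then
        echo "refusing to package: review the lines above" >&2
        return 1
    fi
    # -C starts tar at the apps root so the archive's top level is the app directory.
    tar -czf "$out_dir/$app.tar.gz" -C "$apps_root" "$app" &&
        mv "$out_dir/$app.tar.gz" "$out_dir/$app.spl"
}

# Constructed sample: run with --demo to see a private address block the package.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    mkdir -p "$tmp/apps/myapp/default" "$tmp/out"
    printf '[tcpout:idx]\nserver = 10.1.2.3:9997\n' > "$tmp/apps/myapp/default/outputs.conf"
    package_app "$tmp/apps" myapp "$tmp/out" || echo "package blocked (exit $?)"
    rm -rf "$tmp"
fi
```

A match is a prompt for manual review rather than proof of a leak; stanzas copied out of $SPLUNK_HOME/etc/system/local are the most likely place for findings.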