Community:How applications work
From Splunk Wiki
A Splunk application can be as simple as a collection of event types and as complex as an entirely new program that uses Splunk's REST API.
Note: Be sure to check Splunkbase to see if there's already an application there that does what you need, or is close enough that you can modify it to fit your needs.
Important: Splunk's directory structure changed between versions 3.2 and 3.3. If you are downloading an application from Splunkbase, you may need to upgrade to 3.3 or later.
Plan your application
Before you create an application, consider the following:
- It is generally a good idea to use the Splunk common information model so that your application will interact seamlessly with other Splunk applications.
- Do you intend to share this application on Splunkbase? If so, be sure to remove or replace any internal information. You may find it useful to mark off a section in the configuration with a comment explaining that the user should replace these values with their own internal ones.
- A complex application may require you to lay out the logic/process first.
Applications can belong to the following categories:
- General applications - The overall logic, which consists of using common information model-compliant field names, event type tags, and host tags along with the tags that you use internally. This component should not depend on data from any particular technology; it works entirely within the common information model.
- Technology-specific applications - Focus just on a particular technology (for example, sendmail), bringing it into compliance with the common information model. If necessary, an application may also have a separate section devoted to bringing the data into compliance with your own internal tagging and other standards, or you may choose to make a third application that just handles your internal needs. The two different approaches are illustrated in Figures 1 and 2.
Figure 1: Creating separate applications for a particular technology and for your internal needs can be one way of maintaining your company's settings, without having to scrub them before sharing an application with the public.
Figure 2: Creating a section for your internal settings inside an application built for a specific technology allows you to maintain things in one place, but you may have to scrub the settings to prevent sensitive internal settings from escaping into the wild.
And, of course, as with any code or scripting, it's always a good idea to add comments in your application as much as possible. That way, you don't have to remember why you set up a stanza the way you did, and someone else needing to change the configuration doesn't have to reverse-engineer things.
Apply the Splunk Application Standard to your data
Once you know which data sources (log files, configuration files, etc. for particular technologies) your application needs to interact with, you can look at samples of this data side by side with the Splunk common information model.
Build your application
Now you're ready to build your application. Here are some resources:
- Step-by-step process to build an application.
- Information on installing Splunk applications.
- How configuration files work.
- The Splunk Admin Manual overview.
Test your application
Once you've built your application, test it to make sure it works as expected. If you directly edited or created configuration files, you must restart Splunk to load changes. Then, walk through the process of using the application as someone in the field would, or get a few people in the field to do so and report back their experiences and suggestions.
Share your application with the rest of the Splunk community through Splunkbase. To do so, you'll need to package it up, which means pulling all of the pieces out of your general Splunk configuration and into a collection of isolated files meant just for this application. See Step 4 in the Create an application page.
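As an added example (not code from this wiki page or from Splunk), the following check supports the scrubbing step above: it parses a Splunk-style .conf file and flags settings that sit inside a marked-off internal section or carry private IP addresses or internal hostnames, so they can be replaced before the application is packaged for Splunkbase. The `# BEGIN INTERNAL` / `# END INTERNAL` comment markers are a hypothetical convention for the section the Plan step suggests, and the domain list and sample eventtypes.conf are constructed.

```python
"""Pre-release check for a Splunk app .conf file: flag settings that look
site-specific before the app is shared. Added example, not Splunk's code; the
'# BEGIN/END INTERNAL' markers and the domain list are constructed assumptions."""
import ipaddress
import re

INTERNAL_DOMAINS = ("corp.example", "internal.example")  # constructed sample
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)

# Constructed eventtypes.conf: one stanza leaks an internal hostname; the marked-off
# section holds values the user is expected to replace with their own.
SAMPLE_CONF = """\
[sendmail_rejected]
search = sourcetype=sendmail "reject="
[sendmail_relay_ok]
search = sourcetype=sendmail relay=mail01.corp.example
# BEGIN INTERNAL -- replace with your own values before sharing
[sendmail_from_dmz]
search = sourcetype=sendmail host=10.20.30.40
# END INTERNAL
"""

def _is_private_ip(text):
    try:
        return ipaddress.ip_address(text).is_private
    except ValueError:  # e.g. 999.1.2.3 matched the loose regex
        return False

def find_internal_settings(conf_text):
    """Return (stanza, key, reason) for each setting that should not ship as-is."""
    findings, stanza, in_internal = [], None, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):  # comments carry the section markers
            marker = line.lstrip("# ").upper()
            if marker.startswith("BEGIN INTERNAL"):
                in_internal = True
            elif marker.startswith("END INTERNAL"):
                in_internal = False
        elif line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if in_internal:
                findings.append((stanza, key, "inside marked internal section"))
            elif any(_is_private_ip(ip) for ip in IP_RE.findall(value)):
                findings.append((stanza, key, "private IP address"))
            elif any(h.lower().endswith(INTERNAL_DOMAINS) for h in HOST_RE.findall(value)):
                findings.append((stanza, key, "internal hostname"))
    return findings
```

Run `find_internal_settings` over each .conf file in the packaged application directory; an empty result for every file is the precondition for uploading.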
Once your application is ready to go, upload it to Splunkbase for the rest of the Splunk community to share.