In this chapter, we'll cover how to combine configuration files, scripts, knowledge objects, and reports/dashboards into packages called apps that make Splunk more useful and relevant to specific technologies or business-driven use cases. This chapter will also introduce several of the most useful (and mostly free) apps and add-ons available from Splunkbase that further extend the value of Splunk by providing optimized data collection and management functions for a wide variety of technologies, including Linux and Windows servers, databases, and various logs and metrics from AWS, to give just a few examples. Finally, we'll review the Splunk Machine Learning Toolkit, DB Connect, and Splunk's premium apps – IT Service Intelligence, Enterprise Security, and User Behavior Analytics, and see how they fit into comprehensive monitoring and situational...
You're reading from Splunk 7.x Quick Start Guide
Splunk apps and add-ons
Apps and add-ons extend the functionality of the Splunk platform. A Splunk app is a collection of knowledge objects, and as you know, a knowledge object is a broad term that is applied to configuration files, saved searches, macros, lookups, and so on. An app can also include scripts that are used to retrieve data from external sources and/or HTML, CSS, XML, image, and other files to create user interfaces and visualizations that expand and increase Splunk's functionality to meet user needs.
By default, the Splunk platform includes one basic app that enables you to work with your data: Search & Reporting. To expand Splunk's functionality, you can install other apps from Splunkbase or create your own. Most of the apps provided by Splunk or other users on Splunkbase are fairly sophisticated and greatly extend the functionality of the Splunk...
Creating a Splunk app
As we mentioned, you can create your own apps in Splunk. In practice, user-created apps—or more specifically, the app directories and their contents—are typically used as a container for your saved searches, reports, dashboards, and configuration files that pertain to the data for a specific technology, application, environment, or business unit. These apps can be as simple as a few .conf files (such as indexes.conf or inputs.conf) to configure Splunk to import and store data, or a sophisticated collection of knowledge objects, scripts, and a full-featured user interface to allow data collection, visualization, analysis, and reporting. All of the files within an app are in plain text (and can be edited) and Splunk provides full documentation on all of its .conf files—including the stanzas, attributes, and possible values—so that...
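As an added example (not code from the book), here is a small Python checker for the kind of minimal app just described: it parses the plain-text .conf format, confirms that every index an inputs.conf stanza sends data to is declared in indexes.conf, and reports which roles the app's default.meta lets write to it. The app contents, the linux_auth index name and the file paths are constructed for illustration.

```python
# Constructed contents for a hypothetical app (not from the book).
INPUTS_CONF = """[monitor:///var/log/auth.log]
index = linux_auth
sourcetype = linux_secure
"""
INDEXES_CONF = """[linux_auth]
homePath = $SPLUNK_DB/linux_auth/db
coldPath = $SPLUNK_DB/linux_auth/colddb
thawedPath = $SPLUNK_DB/linux_auth/thaweddb
"""
DEFAULT_META = """[]
access = read : [ * ], write : [ admin ]
export = system
"""

def parse_conf(text):
    """Parse Splunk's [stanza] / key = value format into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]  # "[]" is the global stanza of a .meta file
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def undefined_indexes(inputs_conf, indexes_conf):
    """Indexes that inputs send to but indexes.conf never declares (events get discarded)."""
    declared = set(parse_conf(indexes_conf))
    used = {a["index"] for a in parse_conf(inputs_conf).values() if "index" in a}
    return sorted(used - declared)

def write_roles(default_meta):
    """Roles given write access by default.meta's global stanza ('*' = everyone)."""
    access = parse_conf(default_meta).get("", {}).get("access", "")
    tail = access.partition("write")[2]
    if "[" not in tail or "]" not in tail:
        return []
    return [r.strip() for r in tail.split("[", 1)[1].split("]", 1)[0].split(",") if r.strip()]

def lint_app(inputs_conf, indexes_conf, default_meta):
    """Collect the findings a reviewer would raise before deploying the app."""
    findings = [f"inputs.conf references undeclared index '{i}'" for i in undefined_indexes(inputs_conf, indexes_conf)]
    if "*" in write_roles(default_meta):
        findings.append("default.meta grants write access to every role")
    return findings
```

Run `lint_app` over the three files of a real app directory (default/inputs.conf, default/indexes.conf, metadata/default.meta) to catch typos in index names and over-broad permissions before the app is pushed out.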
Using Splunkbase
Splunkbase is a site where users post and share apps and add-ons with the Splunk community. You can browse and install apps and add-ons from Splunkbase on any running Splunk instance, or download the file to your personal computer and install it from there if the Splunk instance doesn't have internet access. Splunkbase has over 1,000 apps and add-ons from Splunk, Splunk partners, and the user community. You can get to Splunkbase from a Splunk instance by clicking Apps | Browse More Apps (or Find More Apps). If you want to get to Splunkbase from your PC, the URL is https://splunkbase.splunk.com/.
You can browse through all the available apps by category, vendor, or other groupings, or click See All Apps, which takes you to a page where you can select various filters that you can apply to narrow your search and a search field where you can enter a few keywords...
Splunk DB Connect
Splunk's DB Connect enables you to use scheduled inputs to query traditional relational databases and store the retrieved rows in indexes, where they can be combined with other data sources in Splunk searches to provide a more comprehensive view of, and insights into, all the data across the enterprise. You can also run Splunk searches over other sources and use a DB Connect output to write the tabular results into your database tables, or perform lookups against database tables to enrich search results from other sources. Finally, you can run ad hoc queries to add database records to search results.
This app is available for free on Splunkbase, and is a very common addition to most Splunk Enterprise environments, so I'll cover it in a bit more detail.
Summary
We've covered a lot in this chapter, but I think and hope that this coverage of how to create Splunk apps, install and configure some of the free apps available from Splunkbase, configure permissions, and understand where and how these apps are manifested in the Splunk directory structure will help you to solidify your overall knowledge of how Splunk works. I especially hope you will install and configure the Add-on for your particular operating system(s), and work with DB Connect and the MLTK, as these are both very useful and valuable additions to your Splunk deployment.
In the next, and final, chapter, we'll cover how to monitor and troubleshoot your Splunk deployment, and introduce a few advanced topics.