As we continue to progress through this book, we will create an App from the ground up. The App's name will be SDG (from a filesystem perspective) and the App "label" will be "Developer's Guide for Splunk." It will be available in its entirety on Splunk base at https://splunkbase.splunk.com/app/2693/. Additionally, we will be using an API provided by meh.com, a daily deal site that was kind enough to build an API for their website. They were chosen primarily because they fit the geek culture pretty well, and provide a very simple-to-consume API. The data that will be consumed is pulled from their website's API.

Let's recall the questions from Chapter 1, Application Design Fundamentals, that revolve around App creation. We should answer some of them in preparation for building our demo App:

There are two basic ways of creating applications. They are as follows, in the order of difficulty (not that any of them is hard): Splunk Web (we will call this the GUI), and hand-written (henceforth to be recognized as FreeForm). In order to create Apps, you must have specific permissions within the Splunk instance.

For the GUI method, the user must be an admin within Splunk; additionally, for the FreeForm method, the user must have server access to the command line with as many permissions as required by the user that runs Splunk.

Now that the App has been created, let's take a look at some of the folders that were created, what they may contain, and how they are used with the App. The folders we are going to look at come from the App that was created via Splunk Web.

Now that we have created a new App, we can start working on how we need our data indexed. Typical Apps may contain configurations for their own indexes, source types, and other input methods.

[splunk_developers_guide]
coldPath = $SPLUNK_DB\splunk_developers_guide\colddb
homePath = $SPLUNK_DB\splunk_developers_guide\db
thawedPath = $SPLUNK_DB\splunk_developers_guide\thaweddb

There are many different Splunk knowledge objects (SKOs) that can be used within an App. The only required SKO for an App is the addition of views that can be displayed to the end user. We will briefly cover the different types of SKOs that you can include within your App. To avoid any issues with "author interpretations" of the definitions of these SKOs, we will use the definitions and references from the official Splunk documentation.

Object permissions are an integral part of securing Apps and their knowledge objects. After all, we don't want the user causing issues in an App you spent hours tweaking, do we? No, that's what I thought. This is where permissions come into the picture. Splunk permissions are role-based, which means that a user needs a specific role (either assigned by Splunk or via external authentication and authorization systems) to read or write the knowledge object. Permissions are controlled within the default.meta and local.meta files in your metadata folder in the App. As per normal Splunk precedence, the local.meta file will override any setting with a matching stanza in the default.meta file.

The configuration structure within the corresponding file is as follows:

[<object_type>/<object_name>]

access = read : [ <comma-separated list of roles>], write : [ comma-separated list of roles>]

In this chapter, we looked at different methods of creating Splunk Apps. There are two basic methods of creating Apps: via the Web and via the CLI. We looked at the structure of the App and what each folder may contain. We also covered what kinds of objects (in a non-exhaustive list) can be included in a Splunk App.

We discussed permissions, and how to assign them in two different ways. We then went over how to set up a REST endpoint to control configuration, as well as a setup screen to allow the user to update credentials within the App. Up next, we will discuss the different aspects of enhancing your App with event types, workflows, and some acceleration techniques.