Hello there, Splunk developer! If you are like us, we know you have a love of Splunk and all of the endless possibilities that present themselves! The Big Data world is exploding around us, and it always feels like an endless battle to keep up to date with advances in technologies, platforms, and concepts. Here, we will discuss none of those. This book is dedicated solely to Splunk and the development of applications for Splunk. Onward and upward!
All that being said, let's talk Splunk applications. A Splunk application is nothing more than a structured set of configurations and assets used to achieve an end goal of data collection, indexing, and visualization. Furthermore, in order to create a valid Splunk application, you must include the ability to navigate. Without navigation within the application, you would be working on an add-on. According to Splunk, applications:
Contain at least one navigable view
Can be opened from the Splunk Enterprise home page, from the App menu, or from the Apps section of Settings
Focus on aspects of your data
Are built around use cases
Support diverse user groups and roles
Run in tandem
Contain any number of configurations and knowledge objects
Are completely customizable, from frontend to backend
This is taken from http://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/AppIntro.
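To make "a structured set of configurations" concrete, the following shell sketch creates the skeleton of a minimal application. The app name myapp and its metadata are hypothetical; the point is that a navigable view definition under default/data/ui is what separates an application from an add-on:

```shell
# Sketch: skeleton of a minimal Splunk application (the app name "myapp"
# and metadata values are hypothetical). A valid app needs an app.conf
# plus a navigation definition under default/data/ui/nav.
APP=myapp
mkdir -p "$APP/default/data/ui/nav" "$APP/default/data/ui/views" \
         "$APP/local" "$APP/metadata"

# app.conf: basic UI and launcher metadata
cat > "$APP/default/app.conf" <<'EOF'
[ui]
is_visible = 1
label = My App

[launcher]
author = ACME
description = Example application skeleton
version = 1.0.0
EOF

# default.xml: the navigation that makes this an app rather than an add-on
cat > "$APP/default/data/ui/nav/default.xml" <<'EOF'
<nav>
  <view name="search" default="true"/>
</nav>
EOF
```

Everything under default can later be overridden by matching files in local, which is what makes sharing and local customization coexist.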
Applications allow us to quickly share configurations, focus on the context of available data, limit data access to specific individuals or groups, and organize similar dashboards and views into a cohesive presentation of data within Splunk. Sharing an application can be as easy as zipping it up and sending it out. Splunk applications could be said to be open source, because almost all of the configurations, custom scripts, and other knowledge objects contained within them are readable on the filesystem. This allows for customization of an individual instance while maintaining an overall master configuration.
To get started, we should define a few naming conventions typically used when naming applications. Note that while we will use these naming conventions as the best practice, your application can really be named almost anything, though an arbitrary name may conflict with other applications of the same name, or violate Splunk usage agreements or publishing guidelines. In particular, the name Splunk cannot be present in your application or add-on name. Additionally, in the past, Splunk referred to add-ons as technology add-ons, but has since moved to just add-ons. The following list of add-on types is our way to distinguish the different uses of each add-on:
Domain add-ons (DA): Domain add-ons are not full applications, rather they contain the visualizations and presentation of the data for a broader application. No other configurations should be included (extracts, tags, event types, macros, line breaking configurations, and so on). Dashboards and views are the primary objects contained within this type of add-on.
Supporting add-ons (SA): Supporting add-ons are also not full applications; these contain data definitions, such as macros, saved searches, event types, and tags. These describe how to correlate the data, normalize the data, and consolidate the data to be usable in the domain add-on.
Technology add-ons (TA): Technology add-ons provide extraction, data massage, and index-time configurations. These can also be referred to as technical add-ons. These contain the configuration options required to properly break events, extract search fields, and create timestamps, among other functions. These are the building blocks for the SA and DA add-ons, as well as full-blown applications.
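As an illustration of the kinds of settings a TA carries, here is a hypothetical props.conf fragment (the sourcetype acme:web and the extracted field are invented for the example) covering event breaking, timestamping, and a search-time extraction:

```
# props.conf -- hypothetical sourcetype "acme:web"
[acme:web]
# Index-time: break events on newlines, don't merge lines
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Index-time: timestamp at the start of the event, e.g. 2015-06-01 12:34:56
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
# Search-time: pull a three-digit HTTP status into a field
EXTRACT-status = \s(?<status>\d{3})\s
```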
Thus end the official naming conventions as normally seen in a Splunk installation. We will now discuss some other naming conventions that have been found to help in the wild west of various Splunk installations. These two naming conventions are of the author's own design, which have helped in some of his deployments:
Input add-ons (IA): Input add-ons are just that—configurations that assist in the collection of data, known as inputs. These add-ons are most likely found on a deployment server and are used to collect data from universal forwarders. One of the advantages to splitting your IAs from your TAs is a reduced size in the add-on being sent to the universal forwarder. This is especially useful if your TA contains lookups that aren't needed on the universal forwarder but are several megabytes in size.
Admin add-ons (ADMIN): This is a very special type of add-on. It would typically contain administrative configurations that might be needed in a variety of locations, such as the web server SSL port, deployment client information, or anything in server.conf format. It can be used to send index information to a set of non-clustered indexers, or possibly to scale the addition of more search heads by setting all relevant settings from a central location.
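A minimal sketch of what such an ADMIN add-on might distribute, assuming hypothetical port and hostname values (the deployment server URI is a placeholder):

```
# web.conf -- set the Splunk Web SSL port centrally
[settings]
enableSplunkWebSSL = true
httpport = 8443

# deploymentclient.conf -- point each instance at one deployment server
[target-broker:deploymentServer]
targetUri = deploy.example.com:8089
```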
While this may not be a complete list of naming conventions, it should be enough to recognize any that are seen in the wild. An additional aspect of the naming conventions that we recommend is the addition of company information. This will help your Splunk admins differentiate between Splunk add-ons and custom add-ons. Just as an example, let's say you built a TA for Cisco, specific to your company (the ACME company). Splunk's provided add-on is entitled TA-cisco, but you don't want to modify a vendor's offering. So, your new add-on's name could be A-ACME-TA-cisco. This gives you two things: an easy-to-see custom TA that relates to Cisco and the ability to override any TA-cisco settings based on application precedence.
Let's discuss application precedence for a moment. Splunk uses a merged configuration when applying configurations that are installed via applications. The methodology that Splunk chose to implement conflict resolution is pretty simple. There are two different methods of precedence. The first is directory structure: if you have an input located in the default folder of an application (more on default in later chapters), you can place a matching configuration in the local folder of the application to override the default configuration. The same method is applied to the applications themselves. Splunk uses the ASCII values of the names to determine precedence. On *nix, you can sort the applications in the apps folder of Splunk using the LC_COLLATE=C ls command. This will show you the ASCII-sorted order of the applications, and the first in the list will have the highest priority. A has a higher priority than Z, but Z has a higher priority than a. So, the A at the beginning of the add-on name gives your add-on the highest precedence, and you can override any setting as needed.
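You can see this ASCII ordering without a Splunk installation at all by sorting some sample app-folder names the same way ls does under LC_COLLATE=C (the app names here are illustrative):

```shell
# ASCII (LC_COLLATE=C) sorting of sample app-folder names: uppercase sorts
# before lowercase, so A-ACME-TA-cisco takes precedence over TA-cisco.
printf '%s\n' TA-cisco a-custom-app A-ACME-TA-cisco Z-other \
  | LC_COLLATE=C sort
# prints:
#   A-ACME-TA-cisco
#   TA-cisco
#   Z-other
#   a-custom-app
```

Note that a-custom-app sorts last despite starting with "a", because lowercase letters have higher ASCII values than every uppercase letter.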
So you've decided that you need an App? Congratulations! Now that you know that you need one, you need to decide on a few more items as well. It is important to do a little bit of planning, as even the simplest Apps can evolve into super-complicated Apps, with dashboards, saved searches, workflows, and more. Never assume "well, this'll just be a quick development", as, most of the time, it is not.
First and foremost, try to determine the scope of your App. Once you have the scope planned out, try to limit the amount of scope creep that occurs, if possible. You may just be trying to perform extractions on your data, and if that is your current end goal, stop there. Don't try to build a full-blown suite on your first attempt. Build the IA, then the TA, and then move on from there. Ask yourself these questions as you try to determine your scope:
What am I trying to accomplish? Search-time extractions? Index-time parsing? Dashboards to share?
What users need access to my App? Everybody? Specific roles?
What kind of information will I be presenting? Server based? Metric based?
Once you have determined the scope of the App, you will need to decide how and from where you will consume the data. Getting data into Splunk can happen in a very wide variety of ways. There is no set manner of input that will work on all data sources. You may have to develop a new script or modular input. Being aware of where your data is coming from is the key to getting it consumed correctly the first time. A few questions you may ask yourself could be:
Why do I need this data? Is it all completely relevant to my use case?
Where is the data? Cloud, SaaS provider, internal network?
How do I get the data? Do I already have a collector script, or do I need to engage an internal resource to write a collector/modular input?
What format is the data? Is it already extracted (or well known, like syslog), or do I need to write custom extractions?
There is a lot of data out in the wild, but not all of it may be relevant to your use case. You may find that, of a service with 100 endpoints available for data collection, you only need 10. Not only will you save on license usage, but your indexers will thank you for it as well.
Another key thought process in App development is how far you want to brand your App. Splunk has a very robust architecture and framework, providing you with the ability to customize your Apps extensively. You can override any individual piece of CSS and extend SplunkJS Stack to include any number of different visualizations or third-party libraries. Additional questions you might ponder on would include:
Do I want to brand anything at all, or just stay with native Splunk?
Do I need to engage an internal graphics resource to design and create App icons? App logos?
Am I going for mobile or static desktops? What desktop size is typical of incoming users?
To what extent should I customize my App? Do I just change a few colors using native Splunk options or do I override CSS?
Do I need to engage a web designer to build custom CSS or HTML layouts?
There are so many options available to brand your App, but all customizations should conform to the Splunk branding guidelines for developers. Visit http://www.splunk.com/view/SP-CAAAFT9 to read through Splunk's guidelines.
Once you have the whats and hows of the data you're going to collect, you need to figure out visualizations. How you display the information is just as important as what data you collect. Splunk comes with a variety of graphs and displays right out of the box, and can be extended quite easily to include some really cool presentations. Some of the questions posed to you might be:
Do you need a programmer to write custom modules or extend SplunkJS views and managers?
What third-party graphing or graphic libraries do you need to document, develop, or get permission to use?
Do you need to engage a statistician to determine the best and most effective way to display your data? Some stats (such as max, mean, and min) are easy, others (such as confidence intervals and trendlines) are not.
Such a small list of questions hardly precludes any other relevant discussion within your organization. The more internal discussion that can take place, the better and more thought-out your App may turn out.
As a Splunk developer, you should be aware of the three methods to install Apps. There are advantages and disadvantages to each method, but no required method. It is mostly personal preference as to which method is used by the end user, but, typically, newer Splunk users will use the Web interface, while advanced users will use the command line. Let's review those methods, just to keep them fresh in your mind.
Installing Apps via Splunk Web is simple. Once you have downloaded the App from its source, you navigate to the Manage Apps section of Splunk. You will find this at the top-left of Splunk Web, as shown in the following screenshot:
This brings you to a form that you can use to actually install the App. Simply click on the Browse button, select the file you downloaded, check the Upgrade checkbox if this App has already been installed, and then click on Upload. That's it! Splunk takes the App, installs it, and prompts you to restart if needed:
CLI holds a special place in many *nix admins' hearts. It is entirely possible to install Apps via the command line alone. Doing so requires the following: access to the physical (or virtual) server, and enough permissions to perform CLI commands with Splunk. All commands are executed from $SPLUNK_HOME, which normally defaults to /opt/splunk. Follow these steps to install an App via CLI:
Copy the App file (either a *.spl or a *.tar.gz file) to the filesystem.
Run the ./bin/splunk install app <path_to_file> command.
Splunk will install the App. You may be prompted to restart, depending on the contents of the App. Index-time configurations require a restart, whereas search-time configurations do not.
The third method is a manual installation directly on the filesystem:
Copy the file to the $SPLUNK_HOME/etc/apps folder.
Change the file extension from *.spl to *.tar.gz.
Use your favorite utility and unzip the file into the folder.
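The manual steps above can be sketched in shell. The app name myapp is hypothetical, and SPLUNK_HOME points at a scratch directory here so the sketch is self-contained (on a real server it would be /opt/splunk, and you would already have the .spl in hand rather than building a stand-in):

```shell
# Manual install sketch: copy the .spl into etc/apps, rename it to .tar.gz
# (a .spl is just a gzipped tarball), and extract it in place.
SPLUNK_HOME=/tmp/splunk-demo   # stand-in for /opt/splunk
mkdir -p "$SPLUNK_HOME/etc/apps"

# Build a stand-in myapp.spl so this sketch runs anywhere
mkdir -p /tmp/build/myapp/default
echo '[ui]' > /tmp/build/myapp/default/app.conf
tar -czf /tmp/myapp.spl -C /tmp/build myapp

# The actual manual-install steps
cp /tmp/myapp.spl "$SPLUNK_HOME/etc/apps/"
mv "$SPLUNK_HOME/etc/apps/myapp.spl" "$SPLUNK_HOME/etc/apps/myapp.tar.gz"
tar -xzf "$SPLUNK_HOME/etc/apps/myapp.tar.gz" -C "$SPLUNK_HOME/etc/apps"
rm "$SPLUNK_HOME/etc/apps/myapp.tar.gz"
# Restarting Splunk would then pick up the new app.
```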
Downloading the example code
You can download the example code files from your account at http://www.packtpub.com for all the Packt Publishing books you have purchased. If you purchased this book elsewhere, you can visit http://www.packtpub.com/support and register to have the files e-mailed directly to you.
In this chapter, we covered the basic fundamentals of designing and installing Splunk Apps. Apps can be broken down into domains, each with a naming convention that allows you to quickly determine what the App can do, and what is contained within it, so that new users to your environment don't have to look for configurations. We learned how to approach App design to make sure that the App is planned beforehand, which will eliminate the need to refactor major portions of the App later, when it may already be in production. We also went over the three different methodologies available to install Apps to give a basic understanding of user experience related to the installation of any App you may build.
Now that you've acquired an understanding of what an App consists of, in the coming chapters, we will discuss creating, enhancing, and customizing them.