Hello there, Splunk developer! If you are like us, we know you have a love of Splunk and all of the endless possibilities that present themselves! The Big Data world is exploding around us, and it always feels like a tireless battle when keeping up to date with advances in technologies, platforms, and concepts. Here, we will discuss none of those. This book is dedicated solely to Splunk and the development of applications for Splunk. Onwards and upwards!
Most developer guides will tell you what their book is and/or does. We aim to explain what this book isn't, and let you fill in the rest with your imagination! Thusly, please proceed to this list:
Will not cover Splunk basics
Will not cover creating dashboards via the GUI
Will not discuss how to code in Python
Will not discuss statistics
Will not discuss beer making
Splunk basics will not be covered. These include concepts such as searching (finding data, using timechart, stats, some eval commands, and so on), reporting (making basic pie charts and line charts via the GUI), data inputs (basic file monitoring, TCP and UDP inputs, Splunk forwarders), and configurations (GUI and web-based configuration editing), to name a few. Creating dashboards via the GUI? Nope. Python will be discussed, sample code will be provided, but this book will not cover the nuances of the code, nor will it teach you Python syntax. We will not cover statistical computation, other than how to practically apply some basic level of math to create value-based visualizations. Free as in beer? Nope, the choice of hops, starches, and oak-barrel aging for the creation of beer will not be discussed, but rather be consumed during the writing and/or reading of this book.
This book will guide you through many different areas of Splunk App and add-on creation. We will start by looking at the design aspects of an App or add-on, how to create them, what knowledge objects are available for use within the App, ways to enhance your App with metadata and external data, and some basic views and dashboards. From there, we will move on to the Splunk Web Framework, modular inputs, jQuery, web framework programs, and then packaging and publishing Apps and add-ons. At the tail end, we will highlight some areas of the Splunk community that prove to be very useful.
There are a few basic assumptions that we are going to make. Having purchased or otherwise obtained this book, we assume that you are interested in developing with Splunk, and have a basic understanding of Splunk and how to navigate around the software. Saving searches, reports, and basic dashboarding is a must, since most concepts and examples will be built upon the basics. We also assume that you have basic knowledge of HTML, CSS, JS, and some XML. Here, XML will be limited to the Splunk XML framework specifically. We would also recommend having the knowledge of, or proficiency in, Python, RequireJS, and other web technologies, such as Bower, npm, and gulp. We will demonstrate how to use these web technologies within a Splunk application.
All that being said, let's talk Splunk applications. A Splunk application is nothing more than a structured set of configurations and assets used to achieve the end goal of data collection, indexing, and visualization. Furthermore, in order to create a valid Splunk application, you must have included the ability to navigate. Without navigation within the application, you are now working on an add-on. According to Splunk, applications:
Contain at least one navigable view
Can be opened from the Splunk Enterprise home page, from the App menu, or from the Apps section of Settings
Focus on aspects of your data
Are built around use cases
Support diverse user groups and roles
Run in tandem
Contain any number of configurations and knowledge objects
Are completely customizable, from frontend to backend
This is available at: http://docs.splunk.com/Documentation/Splunk/6.2.2/AdvancedDev/AppIntro
Applications allow us to quickly share configurations, limit data access, or organize similar dashboards and views into a cohesive presentation of data within Splunk. Sharing applications can be as easy as just zipping it up and sending it out. Splunk applications could be said to be open source, due to the fact that almost all of the configurations, custom scripts, and any other any other knowledge object contained within the applications, are readable on the file system. This allows for customization for an individual instance while maintaining an overall "master configuration".
To get started, we should define a few "naming conventions" typically used when naming applications. Note that while we will use these naming conventions as the best practice, your application can really be named anything at all, which may conflict with other applications of the same name, or violate Splunk usage agreements or publishing guidelines. In particular, the word "Splunk" cannot be present in your application or add-on name. Additionally, in the past, Splunk has referred to add-ons as "technology add-ons", and has since moved to just "add-ons". The following list of add-on types is our way to distinguish the different uses of each add-on:
Follow the Splunk application design guidelines. Using a custom naming scheme may cause conflicts.
Domain add-ons (DA): Domain add-ons are not full applications, rather they contain the visualizations and presentation of the data for a broader application. No other configurations should be included (extracts, tags, event types, macros, line breaking configurations, and so on). Dashboards and views are the primary objects contained within this type of add-on.
Supporting add-ons (SA): Supporting add-ons are also not full applications—these contain "data definitions", such as macros, saved searches, event types, and tags. These describe how to correlate the data, normalize the data, and consolidate the data to be usable in the domain add-on.
Technical add-ons (TA): Technical add-ons provide extraction, data massage, and index-time configurations. These contain the configuration options required to properly break events, extract search fields, and timestamps (among other functions). These are the building blocks for the SA and DA add-ons, as well as full-blown applications.
Thus, end the "official" naming conventions as normally seen in a Splunk installation. We will now discuss some other naming conventions that have been found to help in the Wild West of various Splunk installations. These two naming conventions are of the author's own design, which have helped in some of his deployments:
Input add-on (IA): Input add-ons are just that—configurations that assist in the collection of data, known as inputs. These add-ons are most likely found on a deployment server and are used to collect data from universal forwarders. One of the advantages of splitting your IAs from your TAs is a reduced size in the add-on being sent to the universal forwarder. This is especially useful if your TA contains lookups that aren't needed on the universal forwarder but are several megabytes in size.
Admin add-on (ADMIN): This add-on is a very special add-on. It would typically contain "administrative" configurations that might be needed in a variety of locations. Such configurations could be the web server SSL port, deployment client information, or anything in
server.confformat. It can be used to send index information to a set of non-clustered indexers, or possibly to scale the addition of more search heads by setting all relevant settings from a central location.
While this may not be a complete list of naming conventions, it should be enough to recognize any that are seen in the wild. An additional aspect of the naming conventions that we recommend you take note of is the addition of company information. This will help your Splunk admins differentiate between Splunk add-ons and custom add-ons. Just as an example, let's say that you built a TA for Cisco, specific to your company (the ACME company). Splunk's provided add-on is entitled "TA-cisco", but you don't want to modify a vendor's offering. So, your new add-on's name could be "A-ACME-TA-cisco". This gives you two things:
An easy-to-see custom TA that relates to Cisco
The ability to override any TA-cisco settings based on application precedence
Let's discuss application precedence for a moment. Splunk uses a "merged configuration" when applying configurations that are installed via the applications. The methodology that Splunk chose to implement conflict resolution is pretty simple. There are two different methods of precedence.
The first is directory structure. If you have an input located in the
default folder of an application (more on
default in following chapters), you can place a matching configuration in the
local folder of the application to override the
default configuration. The same method is applied to the applications themselves. Splunk uses the ASCII values of the names to determine precedence. On *nix, you can sort the applications in the
apps folder of Splunk using the
LC_COLLATE=C ls command. This will show you the ASCII sorted order of the Apps, and the first in the list will be the highest priority. A has a higher priority over Z, but Z has a higher priority over a. So, the A at the beginning of the add-on name gives your add-on the highest precedence, so you can override any setting as needed.
So you've decided that you need an App? Congratulations! Now that you know that you need one, you need to decide on a few more items as well. It is important to do a little bit of planning, as even the simplest Apps can evolve into super-complicated Apps, with dashboards, saved searches, workflows, and more. Never assume "well, this'll just be a quick development", as most of the time, it is not.
First and foremost, try to determine the scope of your App. Once you have the scope planned out, try to limit the amount of scope creep that occurs, if possible. You may just be trying to perform extractions on your data, and if that is your current end goal, stop there. Don't try to build a full-blown suite on your first attempt. Build the IA, then the TA, and then move on from there. Ask yourself these questions as you try to determine your scope:
What am I trying to accomplish? Search-time extractions? Index-time parsing? Dashboards to share?
What users need access to my App? Everybody? Specific roles?
What kind of information will I be presenting? Server based? Metric based?
Once you have determined the scope of the App, you will need to decide how and from where you will consume the data. Getting data into Splunk can happen in a very wide variety of ways. There is no set manner of input that will work on all data sources. You may have to develop a new script or modular input. Being aware of where your data is coming from is the key to getting it consumed correctly the first time. A few questions you may ask yourself could be:
Why do I need this data? Is it all completely relevant to my use case?
Where is the data? Cloud, SaaS provider, internal network?
How do I get the data? Do I already have a collector script, or do I need to engage an internal resource to write a collector/modular input?
What format is the data? Is it already extracted (or well known, like syslog) or do I need to write custom extractions?
There is a lot of data out in the wild, but not all of it may be relevant to your use case. You may find that of a service that has 100 endpoints available for data collection, you only need 10. Not only will you save on license usage, but your indexers will thank you for it as well.
Another key thought process in App development is how far you want to brand your App. Splunk has a very robust architecture and framework, providing you the ability to customize your Apps extensively. You can override any individual piece of CSS and extend the SplunkJS stack to include any number of different visualizations or third-party libraries. Additional questions you might ponder on would include:
Do I want to brand anything at all, or just stay with native Splunk?
Do I need to engage an internal graphics resource to design and create App icons? App logos?
Am I going for mobile or static desktops? What desktop size is "typical" of incoming users?
To what extent should I customize my App? Do I just change a few colors using native Splunk options or do I override CSS?
Do I need to engage a web designer to build custom CSS or HTML layouts?
Once you have the whats and the hows of the data you're going to collect, you need to figure out visualizations. How you display the information is just as important as what data you collect. Splunk comes with a variety of graphs and displays right out of the box, and can be extended quite easily to include some really cool presentations. Some of the questions posed to you might be:
Do you need a programmer to write custom modules or extend SplunkJS views and managers?
What third-party graphing or graphic libraries do you need to document, develop, or get permissions to use?
Do you need to engage a statistician to determine the best and most effective way to display your data? Some stats (such as max, mean, and min) are easy, others (such as confidence intervals and trendlines) are not.
Such a small list of questions hardly precludes any other relevant discussion within your organization. The more internal discussion that can take place, the better and more thought-out your App may turn out.
As a Splunk developer, you should be aware of the three methods to install apps. There are advantages and disadvantages to each method, but no required method. It is mostly personal preference as to which method is used by the end user, but, typically, newer Splunk users will use the web interface, while advanced users will use the command line. Let's review those methods, just to keep them fresh in your mind.
Installing apps via Splunk Web is simple. Once you have downloaded the app from its source, you navigate to the Manage Apps section of Splunk. You will find this at the top-left of Splunk Web, as seen in the following screenshot:
Once you have clicked on Manage Apps, you will see a button available to install from a file. You can also browse the Splunk app store, using the first button:
This brings you to a form that you can use to actually install the App. Simply click on the Browse button, select the file you downloaded, check the Update button if this App has already been installed, and then click on Upload. That's it! Splunk takes the App, installs it, and prompts you to restart if needed.
Access to the physical (or virtual) server
Enough permissions to perform CLI commands with Splunk
All commands are going to be executed from
$SPLUNK_HOME, which normally defaults to
/opt/splunk. Follow these steps to install an App via CLI:
Copy the App file (either a
*.splfile) to the filesystem.
./bin/splunk install app <path_to_file>.
Splunk will install the App. You may be prompted to restart, depending on the contents of the App. Index-time configurations require a restart, whereas search-time configurations do not.
Downloading the example code
You can download the example code files from your account at http://www.packtpub.com for all the Packt Publishing books you have purchased. If you purchased this book elsewhere, you can visit http://www.packtpub.com/support and register to have the files e-mailed directly to you.
Copy the file to
Change the file extension from
Use your favorite utility and unzip the file into the folder.
In this chapter, we covered the fundamentals of designing and installing Splunk Apps. Apps can be broken down into "domains", each with a naming convention that allows you to quickly determine what the App can do, and what is contained within it, so that new users to your environment don't have to look for configurations. We learned how to approach App design to make sure that the App is planned beforehand, which will eliminate the need to refactor major portions of the App later, when it may already be in production. We also went over the three different methodologies available to install Apps to give a basic understanding of user experience related to the installation of any App that you may build.
Now that you've acquired an understanding of what an app consists of, in the coming chapters, we will discuss creating, enhancing, and customizing them.