What's an App?

This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6

A Splunk App can be as simple as a collection of one or more event type definitions, searches, and/or saved searches. It can include new views and dashboards, completely reconfiguring the way Splunk looks. Or, it can be as complex as an entirely new program using Splunk's REST API.

When you're using Splunk, you're using an App at all times; we typically refer to that as being "in" an App.

What are Apps good for?

Apps allow you to build different environments that sit on top of one Splunk instance. You can create separate interfaces for the different communities of Splunk users within your organization; one App for troubleshooting email servers, one for Web analysis, and so on. This way, everyone can use the same Splunk instance, but see only data that is relevant to their interests.

What Apps are there?

The first time you install and log into Splunk, you'll see the App Launcher. This interface shows you the list of Apps that have been preinstalled for you. By default, one of these Apps is the Getting Started App. This App has been developed to introduce new users to Splunk's features. If you're new to Splunk, we recommend you check it out and give us your feedback!

Image:launcher.jpg

Bypass the Launcher for a single user

If you do not want the Launcher displayed every time you log into Splunk, you can configure a default App to land in instead on a per-user basis:

  • Create a file called user-prefs.conf in the user's local directory:

etc/users/<user>/user-prefs/local/user-prefs.conf

  • Put the following line in the user-prefs.conf file:

default_namespace = search

For example:

  • For the admin user the file would be in

etc/users/admin/user-prefs/local/user-prefs.conf

  • For the test user, it would be in

etc/users/test/user-prefs/local/user-prefs.conf

Bypass the Launcher for all users

If you want the Search App to be the default globally, set the following line:

default_namespace = search

in $SPLUNK_HOME/etc/apps/user-prefs/local/user-prefs.conf

NOTE: Users who do not have permission to access the Search App will encounter an error. Use this setting if all users use the Search App.
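
To check which App each scope is configured to land in after these changes, the following added example (not part of the Splunk documentation) reads the global and per-user user-prefs.conf files at the paths given above. It assumes Apps are directories under etc/apps; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report default_namespace per scope, using the file
# locations described on this page. Function names are hypothetical.

# Print the last default_namespace value set in a conf file (empty if none).
# Comment lines are skipped; spaces around "=" and a trailing CR are tolerated.
get_default_namespace() {
    [ -f "$1" ] || return 0
    sed -n 's/^[[:space:]]*default_namespace[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' "$1" | tail -n 1
}

# Classify a value: "unset", "ok" (App directory exists), or "missing".
# Assumption: each App is a directory under <etc>/apps/<name>.
app_status() {
    if [ -z "$2" ]; then
        echo unset
    elif [ -d "$1/apps/$2" ]; then
        echo ok
    else
        echo missing
    fi
}

# Usage: report_landing_apps <path to the Splunk etc directory>
# Output: one line per scope, "<scope> <app> <status>".
# "-" means that file has no default_namespace line.
report_landing_apps() {
    etc_dir=$1
    value=$(get_default_namespace "$etc_dir/apps/user-prefs/local/user-prefs.conf")
    echo "global ${value:--} $(app_status "$etc_dir" "$value")"
    for user_dir in "$etc_dir"/users/*/; do
        [ -d "$user_dir" ] || continue
        user=$(basename "$user_dir")
        value=$(get_default_namespace "$user_dir/user-prefs/local/user-prefs.conf")
        echo "user:$user ${value:--} $(app_status "$etc_dir" "$value")"
    done
}

# Example: report_landing_apps "$SPLUNK_HOME/etc"
```

A "missing" status points at a default_namespace value that names no installed App directory, which is worth correcting before users log in.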

What else you get by default

Splunk also comes with the Search App and another App to support your OS by default.

  • The Search App provides an interface to the core functionality of Splunk and is designed for general-purpose use. If you've used Splunk before, the Search App replaces the main Splunk Web functionality from earlier versions. In the Search App you see a search bar and a dashboard full of graphs. When you are in the Search App, you change the dashboard or view by selecting new ones from the Dashboards and Views drop-down menus in the upper left of the window.
  • The OS-specific Apps (Splunk for Windows and Splunk for *NIX) provide dashboards and pre-built searches to help you get the most out of Splunk on your particular platform. They are disabled by default, but you can turn them on from the Apps section of Splunk Manager.

If you want to change the App you're in, select a new one from the App drop-down menu at the top left:

Image:app_menu.jpg

You can also return to the Launcher and select another App from there.

Get more Apps

You can add other Apps to the list of apps in the Launcher or in the Apps menu. For example, if the bulk of your data operations work involves tasks related to things like change management or PCI (Payment Card Industry) compliance, you'll be happy to know that Splunk has Apps that specialize in helping you with them.

To find more apps to download, click the Browse More Apps tab in the Launcher.

How saving and sharing Splunk knowledge relates to Apps

Splunk knowledge consists of things like saved searches, event types, and tags: items that enrich your Splunk data and make it easier to find what you need. In Splunk, these knowledge items are also known as objects.

Any user logged into Splunk Web can create and save these objects to their user directory under the App they are "in" (assuming they have sufficient permissions). This is the default behavior: any time a user saves an object, it goes into that user's directory for that App.

Once the user has saved the object for that App, it is available to that user only when they are in that App, unless they do one of the following things (and have the correct permissions to do so):

  • Share the object with other specific roles or users in that same App
  • Promote the object so that it is available to all users who have access to that App
  • Promote the object so that it is available globally to all Apps (and users)

Read more about App architecture and object ownership in this manual.

Revision: 207 | Community content licensed under Creative Commons