Before you build an app for Splunk, it's a good idea to familiarize yourself with the Splunk app mental model. Splunk apps are made of objects and configurations. Read on for a description of these data types, as well as information about app structure and Splunk's permissions system.
Apps let you construct and maintain different environments on top of one Splunk instance. One Splunk installation can run multiple apps. This way, any number of different groups can use the same Splunk instance without running into each other.
For example, you can make an app for all your helpdesk employees and a different app for your marketing department. When a user in the helpdesk role logs into Splunk, they'll see a customized environment that helps them track their support cases. When a user from the marketing group logs in, they'll see the business analytics app, where they can run reports on business trends and web activity. Meanwhile, the Splunk admin can maintain all the installed apps, as well as build and install more.
By building apps, you can create separate contexts for the different groups of Splunk users within your organization: one app for troubleshooting your email servers, one app for analyzing business trends, and so on. This way, everyone can use the same Splunk instance, but see only data that is relevant to their interests. Some groups can access multiple apps while some may see only one. Apps are highly customizable, so you get to decide who sees what and how it works.
At a high level, an app is a workspace that solves a specific use case for your company. For example, a single Splunk install can run a helpdesk app, a business analytics app, the Windows app and the Search app, all at the same time. Apps:
Apps are made up of knowledge objects and configuration, anything from custom UI to custom input scripts.
Use Splunk's app framework to make custom UIs for different users and use cases. Splunk's UI (Splunk Web) is completely customizable, so you can make small changes to a single page in Splunk Web or completely redesign Splunk's UI.
Change everything from the menu layout to background images, and build your own custom HTML and JavaScript into your app. Learn more about what you can do here.
Customize your app further by collecting and managing specific types of data. Add knowledge to your data to support your users and use cases. Most of Splunk's configurations are now available through Splunk Web's Manager interface. Through Splunk Manager, you can:
Knowledge objects are all configurations within Splunk that are permissionable and controlled via Splunk's access control layer. Splunk knowledge objects include:
To learn more about knowledge objects in general, see the Knowledge Manager Manual. To learn more about how to use knowledge objects in your app, see Step 4: add objects. To learn more about setting permissions on objects, see Step 5: set permissions.
Configurations are global in scope and do not have permissions applied to them. All configurations are available at the system level. They can be managed through Manager and are only available to users with admin privileges. Configurations include:
To learn more about configurations in general, see the Admin Manual. To learn more about how to use configurations in your app, see Step 3: add configurations.
All apps live in a custom directory within $SPLUNK_HOME/etc/apps. You will do most of your work within the default/ directory and its subdirectories:
Within the default/ directory, there are more subdirectories for configuring the UI. These are contained within $SPLUNK_HOME/etc/apps/<App_name>/default/data/UI/, and include:
The other subdirectories in your app are:
appserver/static directories within your app's directory. Use the static directory to store any Web resources your app requires, or if you're customizing Splunk Web.
local/ mimics the structure of default/.
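One way to review what an app's local/ directory changes relative to default/, as an added example that is not part of Splunk's documentation. It assumes two Splunk behaviours this page does not state: .conf files consist of [stanza] headers followed by key = value lines, and a setting in local/ takes precedence over the same setting in default/. The demo() helper and its sample files are constructed for illustration.

```python
import os
import tempfile

def parse_conf(path):
    """Parse a .conf file into {stanza: {key: value}} (no line continuations)."""
    stanzas, current = {}, "default"
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("[") and line.endswith("]"):
                current = line[1:-1]
            elif "=" in line:
                key, value = line.split("=", 1)
                stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def local_overrides(app_dir):
    """Return (file, stanza, key, default_value, local_value) for each local/ change."""
    default_root = os.path.join(app_dir, "default")
    local_root = os.path.join(app_dir, "local")
    findings = []
    for dirpath, _dirs, files in os.walk(local_root):
        for name in (f for f in files if f.endswith(".conf")):
            rel = os.path.relpath(os.path.join(dirpath, name), local_root)
            shipped_path = os.path.join(default_root, rel)
            shipped = parse_conf(shipped_path) if os.path.isfile(shipped_path) else {}
            for stanza, settings in parse_conf(os.path.join(local_root, rel)).items():
                for key, value in settings.items():
                    before = shipped.get(stanza, {}).get(key)  # None: only in local/
                    if before != value:
                        findings.append((rel, stanza, key, before, value))
    return sorted(findings, key=lambda f: f[:3])

def demo():
    """Audit a constructed sample app; all names and values are made up."""
    sample = {
        "default/inputs.conf": "[monitor:///var/log/helpdesk]\ndisabled = 0\nindex = helpdesk\n",
        "local/inputs.conf": "[monitor:///var/log/helpdesk]\ndisabled = 1\nindex = helpdesk\n",
        "local/savedsearches.conf": "[Open cases]\nsearch = index=helpdesk status=open\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, text in sample.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        return local_overrides(root)
```

In the sample, the finding for inputs.conf shows a data input that default/ enables and local/ disables, the kind of change worth confirming with whoever administers the app.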