Introducing AppInspect

Yesterday at .conf2016 we announced the general availability of Splunk AppInspect, the first static and dynamic analysis tool for Splunk apps. It was built, and is used, by the team that administers the Splunk App Certification program to speed the certification process. We're now able to share it with developers who want the same insights into their apps, whether they plan to release them to Splunkbase or not.

“AppInspect has been invaluable in bringing Splunk certification testing into our automated build environment, helping us to create Splunk Apps that are ready for App Certification on the first upload to SplunkBase.” – Kyle Smith, Aplura, LLC

All developers want to get their work done faster, with fewer errors and less debugging.  Splunk AppInspect makes that possible with a suite of over 165 individual checks in 36 different areas of a Splunk app.

AppInspect evaluates a Splunk app for:

36 different technical areas are reviewed including:

  • Alert Actions
  • Configuration files
  • Custom search commands
  • Custom visualizations
  • Custom workflow actions
  • Data models
  • Directory structure
  • Deprecated files
  • Modular Inputs
  • Saved searches

Splunk AppInspect is available either as a standalone tool that provides static analysis on a local machine, or through a RESTful API that provides both static and dynamic analysis. It is ready for all stages of the software development lifecycle, including automated unit testing, manual code reviews, and integration with continuous integration build systems.

Example – Extracting fields in transforms.conf

Using transforms.conf to adjust data at index time is an essential tool of Splunk Apps, but as anyone who has ever written a regular expression will tell you, it can be tricky to get right. Let's look at an example:

FORMAT = field_parent::$2
MV_ADD = 1
REGEX = ( *[\(,\+\-\/\/\*] *|^)([a-zA-Z_'\{\}][\w'\{\}\.]++)(?!(\(| [Aa][Ss]))
SOURCE_KEY = conf_value

When we run the app through Splunk AppInspect we get the following failure message:

[ failure ] Check that all capture groups are used in transforms.conf. Groups not used for capturing should use the non-capture group syntax
The format option in [field_eval] stanza of transforms.conf did not include $1, $3

In the REGEX there are two capture groups that have not been used. It is possible that the developer has done one of two things:

  1. Forgotten to include the captured fields in their FORMAT string. If this is the case, then the developer updates their FORMAT field.
  2. Captured fields that are not needed. If this is the case, then the developer converts the capture groups from

    ( *[\(,\+\-\/\/\*] *|^)

    to

    (?: *[\(,\+\-\/\/\*] *|^)

    so that they use the non-capturing group format.

In either case, it would be extremely time-consuming to check each and every transform manually to confirm that all of the fields have been used. AppInspect performs this check in under a minute.
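One way to implement the capture-group check that produced the failure above, as an added example (not AppInspect's own code and not from the original post). The function names unnamed_groups and unused_groups are hypothetical, and the example assumes that FORMAT references groups as $n and that named groups need no FORMAT reference.

```python
import configparser
import re

# Constructed sample: the post's stanza, under the [field_eval] name from the failure message.
SAMPLE = r"""
[field_eval]
FORMAT = field_parent::$2
MV_ADD = 1
REGEX = ( *[\(,\+\-\/\/\*] *|^)([a-zA-Z_'\{\}][\w'\{\}\.]++)(?!(\(| [Aa][Ss]))
SOURCE_KEY = conf_value
"""

NAMED = re.compile(r"\?(?:P?<[A-Za-z_]|')")  # (?P<n>..), (?<n>..), (?'n'..)

def unnamed_groups(pattern):
    """Return the group numbers of unnamed capture groups in a PCRE pattern."""
    found, count, i, in_class = [], 0, 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            i += 1                              # skip the escaped character
        elif in_class:
            in_class = ch != "]"
        elif ch == "[":
            in_class = True
            i += pattern[i + 1:i + 2] == "^"    # step over a negation marker
            i += pattern[i + 1:i + 2] == "]"    # a leading ']' is a literal
        elif ch == "(":
            rest = pattern[i + 1:]
            named = NAMED.match(rest)
            if named or not rest.startswith(("?", "*")):
                count += 1                      # named groups are numbered too
                if not named:
                    found.append(count)
        i += 1
    return found

def unused_groups(conf_text):
    """Map stanza name -> unnamed group numbers that FORMAT never references."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str                        # keep key case (REGEX, FORMAT)
    cp.read_string(conf_text)
    report = {}
    for name in cp.sections():
        if "REGEX" in cp[name] and "FORMAT" in cp[name]:
            used = {int(n) for n in re.findall(r"\$(\d+)", cp[name]["FORMAT"])}
            report[name] = [g for g in unnamed_groups(cp[name]["REGEX"]) if g not in used]
    return {k: v for k, v in report.items() if v}
```

On the sample stanza, unused_groups(SAMPLE) returns {'field_eval': [1, 3]}, matching the failure message. Converting the first group to (?: ... ) renumbers the groups that follow, so FORMAT must then reference $1 instead of $2.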

How to get it

We encourage you to download AppInspect, test it out, and see how your app does. View the documentation here, including an API reference. We’d love to hear from you, reach out to us at:

If you need help getting started with Splunk AppInspect you can email or ask on Splunk Answers with tag AppInspect.

Grigori Melnik
