Let me confess something to you all reading this article: Splunk apps and data models (which will cover in a later article) have been two of the most complicated concepts for me to grasp in the Splunk world. Hopefully after I explain it to you, you will understand what they are and how they work, faster than me at the time 😉
App … application or something else?
The first amount of confusion that arose in my mind was: are those applications, meaning something totally independent that you could ‘run’ on a Splunk server?
No, they are not (always) or do not have to be. An app can be indeed an application in Splunk that runs more or less independently, like Splunk Enterprise Security or Splunk ITSI. But an application can also mean just a set of configuration files that are an add on on the Splunk Enterprise software.
Let’s say that, for the sake of maintenance we want to create all the indexes in one app. Can we create an app with just that configuration? Yes we can. We will need to add some mandatory files in this app as well but it’s perfectly fine to put just the index configuration in one app.
Directory structure
Let’s say that our app is called Splunk-index-configurations. Our app’s directory structure would be something like this:
kristofvandenborn@Kristofs-MacBook-Pro-2 ~ % tree Splunk-index-configurations
Splunk-index-configurations
├── default
│ ├── app.conf
│ └── indexes.conf
└── metadata
└── default.meta
3 directories, 3 filesThe file content
The app.conf and a metadata file are needed in respectively the default and the metadata directory. For what is concerned the minimum content of the app file, the below will be sufficient:
[launcher]
author = App Creator One
description = Splunk Index Configurations
[ui]
is_visible = falseThe default.meta should look something like this:
# Application-level permissions
[]
access = read : [ * ], write : [ admin ]
export = systemYour indexes.conf file might contain something like this:
[index1]
homePath = $SPLUNK_DB/hatchdb/db
coldPath = $SPLUNK_DB/hatchdb/colddb
thawedPath = $SPLUNK_DB/hatchdb/thaweddb
maxDataSize = 10000
maxHotBuckets = 10What it basically does is define an index called ‘index1’ and some of the related settings. If you deploy (means install) this app on any indexer. The indexer will have an index called ‘index1’ and it can store events in it.
Deployment and precedence of apps and configuration settings
How we are going about the installation or deployment of this app will be discussed when we talk about the different forms of app deployment. Every form of deployment has its own scenario. We will also talk about app precedence and how Splunk will handle the merging of configuration files.
