Splunk Developer's Guide
Second Edition

Learn the A to Z of building excellent Splunk applications with the latest
techniques using this comprehensive guide

Kyle Smith

BIRMINGHAM - MUMBAI
Splunk Developer's Guide
Second Edition

Copyright © 2016 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval
system, or transmitted in any form or by any means, without the prior written
permission of the publisher, except in the case of brief quotations embedded in
critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy
of the information presented. However, the information contained in this book is
sold without warranty, either express or implied. Neither the author, nor Packt
Publishing, and its dealers and distributors will be held liable for any damages
caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the
companies and products mentioned in this book by the appropriate use of capitals.
However, Packt Publishing cannot guarantee the accuracy of this information.

First published: May 2015

Second edition: January 2016

Production reference: 1190116

Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.

ISBN 978-1-78588-237-1

www.packtpub.com
Credits

Author: Kyle Smith
Reviewer: Marco Scala
Commissioning Editor: Veena Pagare
Acquisition Editor: Vinay Argekar
Content Development Editor: Amey Varangaonkar
Technical Editor: Taabish Khan
Copy Editor: Trishya Hajare
Project Coordinator: Suzanne Coutinho
Proofreader: Safis Editing
Indexer: Hemangini Bari
Graphics: Abhinash Sahu
Production Coordinator: Shantanu N. Zagade
Cover Work: Shantanu N. Zagade
About the Author

Kyle Smith is a self-proclaimed geek and has been working with Splunk
extensively since 2010. He enjoys integrating Splunk with new sources of data and
types of visualization. He has spoken numerous times at the Splunk User Conference
(most recently in 2014 on Lesser Known Search Commands) and is an active contributor
to the Splunk Answers community and also to the #splunk IRC channel. He was
awarded membership into the SplunkTrust as a founding member. He has published
several Splunk Apps and add-ons to Splunkbase, the Splunk community's premier
Apps and add-ons platform. He has worked in both higher education and private
industry; he is currently working as an integration developer for Splunk's longest
running professional services partner. He lives in central Pennsylvania with
his family.

I'd like to thank my wife who most graciously put up with all
my BS during the writing of this book. Without her, this effort is
meaningless.
About the Reviewer

Marco Scala has been working for more than 15 years delivering solutions to large
enterprise customers, first in the APM and J2EE fields and, since 2009, in the fields
of operational intelligence and Splunk. He has provided consultancy for big Splunk
installations for major customers, focusing on the best and most effective solutions
for each different customer's needs. Since 2012, he's also a certified Splunk trainer.

In the last few years, Marco's major focus has been to get Splunk customers to
gain the maximum value from their IT data and provide the business a better view
and insight. Big Data is another major field of interest, and his next challenge is
using Splunk to give customers useful insights and a practical implementation and
exploitation of Big Data.
www.PacktPub.com

Support files, eBooks, discount offers, and more

For support files and downloads related to your book, please visit www.PacktPub.com.

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files
available? You can upgrade to the eBook version at www.PacktPub.com and as a print book
customer, you are entitled to a discount on the eBook copy. Get in touch with us at
service@packtpub.com for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range
of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

https://www2.packtpub.com/books/subscription/packtlib

Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library.
Here, you can search, access, and read Packt's entire library of books.

Why subscribe?
• Fully searchable across every book published by Packt
• Copy and paste, print, and bookmark content
• On demand and accessible via a web browser

Free access for Packt account holders

If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib
today and view 9 entirely free books. Simply use your login credentials for immediate access.

Instant updates on new Packt books

Get notified! Find out when new books are published by following @PacktEnterprise on
Twitter or the Packt Enterprise Facebook page.
Table of Contents
Preface
Chapter 1: Application Design Fundamentals
    What is a Splunk application?
    Why applications?
    Definitions
    Designing the App
    Identifying the use case
    Identifying what you want to consume
    Identifying what you want to brand
    Identifying what you want to display
    Installing Apps
    Splunk Web
    The Splunk command line
    Unzipping using the command line
    Summary
Chapter 2: Creating Applications
    A brief clarification
    Methods of creating applications
    GUI
    CLI
    FreeForm
    Basic application structure
    appserver
    bin
    default
    local
    lookups
    metadata
    static
    Application data
    Indexes
    Source types
    Sources
    Available Splunk knowledge objects
    Macros
    Event types
    Tags
    Saved searches
    Dashboards
    Lookups
    Configurations
    Object permissions
    The setup screen
    The endpoint
    The setup file
    Summary
Chapter 3: Enhancing Applications
    Workflows
    Custom alert actions
    Enriched data
    Event types
    Tags
    Macros
    Lookups
    Common Information Model
    Branding your App
    Logos
    Navigation
    CSS
    JavaScript
    Acceleration
    Summary indexing
    Accelerated reports
    Summary
Chapter 4: Basic Views and Dashboards
    Knowing your data
    Available modules
    SimpleXML dashboard
    SimpleXML forms
    Custom JavaScript, CSS, and Tokens
    HTML dashboards
    Summary
Chapter 5: The Splunk Web Framework
    The HTML dashboard
    SplunkJS Stack
    Search-related modules
    SearchManager
    SavedSearchManager
    PostProcessManager
    View-related modules
    ChartView
    Display-related modules
    CheckboxView
    CheckboxGroupView
    DropdownView
    EventsViewerView
    FooterView
    HeaderView
    MultiDropdownView
    RadioGroupView
    SearchBarView
    SearchControlsView
    SimpleSplunkView
    SingleView
    MapElement
    TableView
    TextInputView
    TimeRangeView
    TimelineView
    Tokenization
    Customizing Splunk dashboards using CSS
    Customizing Splunk dashboards using JavaScript
    Custom D3 visualization
    External data and content
    Data
    Content
    Summary
Chapter 6: Advanced Integrations and Development
    Modular D3 visualization
    Modular inputs
    The spec file
    Testing modular inputs
    Configuring modular inputs
    The App Key Value Store
    When would you use the KV Store?
    Configuring the KV Store
    Data models
    Version control and package managers
    npm
    Bower
    Gulp
    Git
    Tying them all together
    Summary
Chapter 7: Packaging Applications
    Naming guidelines
    Dos and don'ts
    Packaging the App
    The App packaging checklist
    Summary
Chapter 8: Publishing Applications
    Self-hosting your App
    Splunkbase
    Certified Applications
    Splunk Cloud applications
    Community
    Answers
    dev.splunk.com
    Internet Relay Chat
    Wiki
    User groups
    The SplunkTrust
    Summary
Index
Preface
Splunk is awesome. Not only can you consume virtually any data with it, you can
also extend and integrate Splunk with virtually any external system. Splunk uses sets
of configurations that are referred to as applications or add-ons, which is the primary
focus of this book. Leveraging these applications and add-ons is what gives Splunk
its unique ability to extend, learn, analyze, and visualize information.

Splunk helps users determine the root cause of a failure, get a quick overview of
system health, and dive deep into SQL statements and messages, just to name a
few uses. The aggregation and centralization of log and event management is a growing
trend in the Big Data space. By leveraging the combined intelligence gathered
from correlating disparate sets of data, businesses or individuals can make
data-based decisions. This book will help a Splunk developer, or even just a
curious end user, to develop different methods of consuming new data, design
new types of visualization, or even just offer tips and tricks that help the software
development lifecycle.

Overview of what this book isn't

Most developer guides will tell you what their book is and/or does. We aim to
explain what this book isn't, and allow you to fill in the rest with your imagination!
Thus, proceed to this list:

• Will not cover Splunk basics
• Will not cover creating dashboards via the GUI (other than HTML)
• Will not discuss how to code in Python
• Will not discuss statistics
• Will not cover SDKs
• Will not discuss making beer

Splunk basics will not be covered. These include concepts such as searching (finding
data, using timecharts, stats, some eval commands, and so on), reporting (making
basic pie charts or line charts via the GUI), data inputs (basic file monitoring, TCP
and UDP inputs, Splunk forwarders, and so on), and configurations (GUI and web-
based configuration editing), to name a few. Creating dashboards via the GUI?
Nope. Python will be discussed and sample code will be provided, but this book will
not cover the nuances of the code, nor will it teach you Python syntax. We will not
cover statistical computation, other than how to practically apply some basic math
to create value-based visualizations. We will not cover using the SDKs (software
development kits) being used in custom Splunk applications that are external to
Splunk (for example, Angular, PHP, .NET, and others). These are out of the scope of
this book. Free as in beer? Nope, the choice of hops, starch, and oak-barrel aging for
the creation of beer will not be discussed, but rather consumed during the writing
and/or reading of this book.

Unless otherwise stated, this book uses Splunk version 6.3 as the
development environment.

What this book is

This book will guide you through many of the different areas of Splunk App and add-on
creation. We will start by looking at the design aspects of an App or add-on, how
to create them, what knowledge objects are available for use within the App, ways
to enhance your App with metadata and external data, and some basic views and
dashboards. From there, we will move into the Splunk Web Framework, modular
inputs, jQuery, web framework programs, and then packaging and publishing Apps
and add-ons. At the tail end, we will highlight some areas of the Splunk community
that prove to be very useful.

Assumptions
There are a few basic assumptions that we are going to make. Having purchased or
otherwise obtained this book, we assume that you are interested in developing with
Splunk, and have a basic understanding of Splunk and how to navigate around the
software. Knowledge of saving searches, reports, and basic dashboarding is a must,
since most concepts and examples will be built upon the basics. We also assume
that you have basic knowledge of HTML, CSS, JS, and some XML. Here, XML will
be limited to the Splunk XML framework specifically. We also recommend that
you have knowledge of, or proficiency in, Python, RequireJS, and other web
technologies such as Bower, npm, and Gulp. We will demonstrate how to use these
web technologies within a Splunk application.

What this book covers

Chapter 1, Application Design Fundamentals, discusses fundamental questions and
considerations before diving into an App or add-on configuration.

Chapter 2, Creating Applications, discusses the basic methods of App and add-on
creation, along with an explanation of the structure of an App or add-on.

Chapter 3, Enhancing Applications, discusses a few different configurations that help
to enrich your data with Splunk knowledge objects, along with some basic App and
add-on branding guidelines.

Chapter 4, Basic Views and Dashboards, goes through the basics of SimpleXML
dashboard creation and development.

Chapter 5, The Splunk Web Framework, details the various SplunkJS Stack components
and shows examples of how to use them within an HTML dashboard.

Chapter 6, Advanced Integrations and Development, reviews modular inputs, data
models, the KV Store, and modular D3 visualizations.

Chapter 7, Packaging Applications, lists the items needed to package an App or add-on,
in order to get it ready for publishing.

Chapter 8, Publishing Applications, explains step by step how to upload an App to
Splunkbase, and includes some information on the great support community.

What you need for this book

To take full advantage of all the examples and code contained within this book, you
should have the following items:

• An installed and running instance of Splunk.
• Basic knowledge of how Splunk works, including searching, basic panels,
and dashboards.
• An understanding of the various technologies that Splunk uses. These
include the following:
    ◦ Python
    ◦ JavaScript
    ◦ HTML
    ◦ CSS

Who this book is for

This book will benefit both the casual Splunker and the experienced professional
alike. Whether you are just starting Splunk App or add-on development, or have
been developing for years, this book has tips and tricks to help with developing new
integrations and Splunk Apps and add-ons. Even for a quick modular input, this book
provides quick tutorials on common integration techniques and code examples.

Conventions
In this book, you will find a number of text styles that distinguish between different
kinds of information. Here are some examples of these styles and an explanation of
their meaning.

Code words in text, database table names, folder names, filenames, file extensions,
pathnames, dummy URLs, user input, and Twitter handles are shown as follows:
"Copy the file to $SPLUNK_HOME/etc/apps."

A block of code is set as follows:

[splunk_developers_guide]
coldPath = $SPLUNK_DB\splunk_developers_guide\colddb
homePath = $SPLUNK_DB\splunk_developers_guide\db
thawedPath = $SPLUNK_DB\splunk_developers_guide\thaweddb

Any command-line input or output is written as follows:

cd $APP_HOME/default

New terms and important words are shown in bold. Words that you see on the
screen, for example, in menus or dialog boxes, appear in the text like this: "Simply
click on the Browse button."

Warnings or important notes appear in a box like this.

Tips and tricks appear like this.

Reader feedback
Feedback from our readers is always welcome. Let us know what you think about
this book—what you liked or disliked. Reader feedback is important for us as it helps
us develop titles that you will really get the most out of.

To send us general feedback, simply e-mail feedback@packtpub.com, and mention
the book's title in the subject of your message.

If there is a topic that you have expertise in and you are interested in either writing
or contributing to a book, see our author guide at www.packtpub.com/authors.

Customer support
Now that you are the proud owner of a Packt book, we have a number of things to
help you to get the most from your purchase.

Downloading the example code

You can download the example code files from your account at http://www.packtpub.com
for all the Packt Publishing books you have purchased. If you
purchased this book elsewhere, you can visit http://www.packtpub.com/support
and register to have the files e-mailed directly to you.

Errata
Although we have taken every care to ensure the accuracy of our content, mistakes
do happen. If you find a mistake in one of our books—maybe a mistake in the text or
the code—we would be grateful if you could report this to us. By doing so, you can
save other readers from frustration and help us improve subsequent versions of this
book. If you find any errata, please report them by visiting http://www.packtpub.
com/submit-errata, selecting your book, clicking on the Errata Submission Form
link, and entering the details of your errata. Once your errata are verified, your
submission will be accepted and the errata will be uploaded to our website or added
to any list of existing errata under the Errata section of that title.

To view the previously submitted errata, go to https://www.packtpub.com/books/content/support
and enter the name of the book in the search field. The required
information will appear under the Errata section.

Piracy
Piracy of copyrighted material on the Internet is an ongoing problem across all
media. At Packt, we take the protection of our copyright and licenses very seriously.
If you come across any illegal copies of our works in any form on the Internet, please
provide us with the location address or website name immediately so that we can
pursue a remedy.

Please contact us at copyright@packtpub.com with a link to the suspected
pirated material.

We appreciate your help in protecting our authors and our ability to bring you
valuable content.

Questions
If you have a problem with any aspect of this book, you can contact us at
questions@packtpub.com, and we will do our best to address the problem.

Application Design Fundamentals
Hello there, Splunk developer! If you are like us, we know you have a love of Splunk
and all of the endless possibilities that present themselves! The Big Data world is
exploding around us, and it always feels like a tireless battle when keeping up to
date with advances in technologies, platforms, and concepts. Here, we will discuss
none of those. This book is dedicated solely to Splunk and the development of
applications for Splunk. Onward and upward!

What is a Splunk application?

All that being said, let's talk Splunk applications. A Splunk application is nothing
more than a structured set of configurations and assets used to achieve an end goal
of data collection, indexing, and visualization. Furthermore, in order to create a
valid Splunk application, you must include the ability to navigate. Without
navigation within the application, you would be working on an add-on.
According to Splunk, applications:

• Contain at least one navigable view
• Can be opened from the Splunk Enterprise home page, from the App menu,
or from the Apps section of Settings
• Focus on aspects of your data
• Are built around use cases
• Support diverse user groups and roles
• Run in tandem
• Contain any number of configurations and knowledge objects
• Are completely customizable, from frontend to backend
• Can include Web assets such as HTML, CSS, and JavaScript

This is taken from http://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/AppIntro.

Why applications?
Applications allow us to quickly share configurations, focus on the context of
available data, limit data access to specific individuals or groups, and organize
similar dashboards and views into a cohesive presentation of data within Splunk.
Sharing applications can be as easy as zipping them up and sending them out. Splunk
applications could be said to be open source, due to the fact that almost all of the
configurations, custom scripts, and any other knowledge objects contained within
the applications are readable on the filesystem. This allows for customization of an
individual instance while maintaining an overall master configuration.

Definitions
To get started, we should define a few naming conventions typically used when
naming applications. Note that while we will use these naming conventions as
the best practice, your application can really be named anything at all, which
may conflict with other applications of the same name, or violate Splunk usage
agreements or publishing guidelines. In particular, the name Splunk cannot be
present in your application or add-on name. Additionally, in the past, Splunk has
referred to add-ons as technology add-ons, and has since moved to just add-ons.
The following list of add-on types is our way to distinguish the different uses
of each add-on:

• Applications: Applications could be named anything, as long as they are
relevant to the content of the application and don't contain the name Splunk.
• Domain add-ons (DA): Domain add-ons are not full applications, rather
they contain the visualizations and presentation of the data for a broader
application. No other configurations should be included (extracts, tags, event
types, macros, line breaking configurations, and so on). Dashboards and
views are the primary objects contained within this type of add-on.
• Supporting add-ons (SA): Supporting add-ons are also not full applications;
these contain data definitions, such as macros, saved searches, event types,
and tags. These describe how to correlate the data, normalize the data, and
consolidate the data to be usable in the domain add-on.
• Technology add-ons (TA): Technology add-ons provide extraction, data
massage, and index-time configurations. These can also be referred to as
technical add-ons. These contain the configuration options required to
properly break events, extract search fields, and create timestamps, among
other functions. These are the building blocks for the SA and DA add-ons,
as well as full-blown applications.

Follow the Splunk application design guidelines. Using a custom
naming scheme may cause conflicts.

Thus end the official naming conventions as normally seen in a Splunk installation.
We will now discuss some other naming conventions that have been found to help in
the wild west of various Splunk installations. These two naming conventions are of
the author's own design, which have helped in some of his deployments:

• Input add-ons (IA): Input add-ons are just that—configurations that assist
in the collection of data, known as inputs. These add-ons are most likely
found on a deployment server and are used to collect data from universal
forwarders. One of the advantages to splitting your IAs from your TAs is
a reduced size in the add-on being sent to the universal forwarder. This
is especially useful if your TA contains lookups that aren't needed on the
universal forwarder but are several megabytes in size.
• Admin add-ons (ADMIN): This add-on is a very special add-on. It would
typically contain administrative configurations that might be needed in a
variety of locations. Such configurations could be the web server SSL port,
deployment client information, or anything in web.conf or server.conf
format. It can be used to send index information to a set of non-clustered
indexers, or possibly to scale the addition of more search heads by setting
all relevant settings from a central location.

While this may not be a complete list of naming conventions, it should be enough
to recognize any that are seen in the wild. An additional aspect of the naming
conventions that we recommend is the addition of company information. This will
help your Splunk admins differentiate between Splunk add-ons and custom add-ons.
Just as an example, let's say you built a TA for Cisco, specific to your company (the
ACME company). Splunk's provided add-on is entitled TA-cisco, but you don't want
to modify a vendor's offering. So, your new add-on's name could be A-ACME-TA-cisco.
This gives you two things: an easy-to-see custom TA that relates to Cisco and
the ability to override any TA-cisco settings based on application precedence.

Let's discuss application precedence for a moment. Splunk uses a merged configuration
when applying configurations that are installed via the applications. The
methodology that Splunk chose to implement conflict resolution is pretty simple.
There are two different methods of precedence. The first is directory structure. If you
have an input located in the default folder of an application (more on default in
the later chapters), you can place a matching configuration in the local folder of the
application to override the default configuration. The second is the application name:
the same method is applied to the applications themselves, and Splunk uses the ASCII
values of the names to determine precedence. On *nix, you can sort the applications in
the apps folder of Splunk using the LC_COLLATE=C ls command. This will show you the
ASCII-sorted order of the applications, and the first in the list will have the highest
priority. A has a higher priority than Z, but Z has a higher priority than a. So, the A at
the beginning of the add-on name gives your add-on the highest precedence, so you can
override any setting as needed.
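As an added example (not code from the book or from Splunk), the following Python script models the two precedence rules just described over a constructed set of Apps and reports which App supplied each effective setting, which is the check an admin wants when a newly installed App may be shadowing a vendor add-on. TA-cisco and A-ACME-TA-cisco are taken from the text; ta-other, the file contents and the setting values are constructed for the example.

```python
"""Model of the Splunk App configuration precedence described in the text.

Added example, not Splunk's own code. It models the two rules the text gives:
within an App, local/ overrides default/; across Apps, the App whose name sorts
first in ASCII (LC_COLLATE=C) order wins. Real Splunk also merges
$SPLUNK_HOME/etc/system/{local,default} and, in the global context, ranks every
App's local/ above every App's default/; those layers are left out here.
"""
import configparser
from typing import Dict, Iterable, List, Tuple

ConfDict = Dict[str, Dict[str, str]]              # {stanza: {key: value}}
Resolved = Dict[str, Dict[str, Tuple[str, str]]]  # {stanza: {key: (value, source App)}}

# Constructed sample tree: App name -> relative .conf path -> file contents.
SAMPLE_APPS: Dict[str, Dict[str, str]] = {
    "TA-cisco": {  # vendor add-on, left unmodified
        "default/props.conf": "[cisco:asa]\nTRUNCATE = 10000\nSHOULD_LINEMERGE = false\n",
    },
    "A-ACME-TA-cisco": {  # company add-on named so that it sorts first
        "default/props.conf": "[cisco:asa]\nTRUNCATE = 50000\n",
    },
    "ta-other": {  # lowercase name: sorts after every uppercase name
        "default/props.conf": "[cisco:asa]\nSHOULD_LINEMERGE = true\nMAX_EVENTS = 2\n",
        "local/props.conf": "[cisco:asa]\nMAX_EVENTS = 5\n",
    },
}


def ascii_order(app_names: Iterable[str]) -> List[str]:
    """Order App names as `LC_COLLATE=C ls` does: by raw code point, so
    'A' < 'Z' < 'a'. The first name has the highest precedence."""
    return sorted(app_names)


def parse_conf(text: str) -> ConfDict:
    """Parse Splunk's INI-style .conf syntax into {stanza: {key: value}}."""
    parser = configparser.RawConfigParser(strict=False)
    parser.optionxform = str  # Splunk keys are case-sensitive; do not lowercase them
    parser.read_string(text)
    return {stanza: dict(parser.items(stanza)) for stanza in parser.sections()}


def app_effective_conf(files: Dict[str, str], conf_name: str) -> ConfDict:
    """Rule 1: within one App, local/<conf> overrides default/<conf> key by key."""
    merged: ConfDict = {}
    for layer in ("default", "local"):  # lowest precedence first, so later writes win
        text = files.get(f"{layer}/{conf_name}")
        if text is None:
            continue
        for stanza, keys in parse_conf(text).items():
            merged.setdefault(stanza, {}).update(keys)
    return merged


def resolve(apps: Dict[str, Dict[str, str]], conf_name: str) -> Resolved:
    """Rule 2: merge every App's effective <conf>, applying the lowest-precedence
    App first so the ASCII-first App's values survive. Each value carries the
    App that supplied it, which is what an audit of overrides needs."""
    resolved: Resolved = {}
    for app in reversed(ascii_order(apps)):
        for stanza, keys in app_effective_conf(apps[app], conf_name).items():
            target = resolved.setdefault(stanza, {})
            for key, value in keys.items():
                target[key] = (value, app)
    return resolved


def shadowed_settings(apps: Dict[str, Dict[str, str]],
                      conf_name: str) -> List[Tuple[str, str, str, str]]:
    """List (stanza, key, losing App, winning App) for every setting that one App
    defines but a higher-precedence App replaces. Running this after installing
    an App shows which vendor or baseline settings it silently overrides."""
    winners = resolve(apps, conf_name)
    shadowed: List[Tuple[str, str, str, str]] = []
    for app in ascii_order(apps):
        for stanza, keys in app_effective_conf(apps[app], conf_name).items():
            for key in keys:
                _, winner = winners[stanza][key]
                if winner != app:
                    shadowed.append((stanza, key, app, winner))
    return shadowed


if __name__ == "__main__":
    print("precedence order:", ascii_order(SAMPLE_APPS))
    for stanza, keys in resolve(SAMPLE_APPS, "props.conf").items():
        for key, (value, source) in keys.items():
            print(f"[{stanza}] {key} = {value}   (from {source})")
    for stanza, key, loser, winner in shadowed_settings(SAMPLE_APPS, "props.conf"):
        print(f"[{stanza}] {key} from {loser} is overridden by {winner}")
```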

From this point forward, both Splunk applications and add-ons
will be referred to formally as Apps purely as a convenience.

Designing the App

So you've decided that you need an App? Congratulations! Now that you know that
you need one, you need to decide on a few more items as well. It is important to do
a little bit of planning, as even the simplest Apps can evolve into super-complicated
Apps, with dashboards, saved searches, workflows, and more. Never assume "well,
this'll just be a quick development", as, most of the time, it is not.


Identifying the use case

First and foremost, try to determine the scope of your App. Once you have the scope
planned out, try to limit the amount of scope creep that occurs, if possible. You may
just be trying to perform extractions on your data, and if that is your current end
goal, stop there. Don't try to build a full-blown suite on your first attempt. Build the
IA, then the TA, and then move on from there. Ask yourself these questions as you
try to determine your scope:

• What am I trying to accomplish? Search-time extractions? Index-time
parsing? Dashboards to share?
• What users need access to my App? Everybody? Specific roles?
• What kind of information will I be presenting? Server based? Metric based?
• Who is my target audience? Business users who don't understand Splunk
Search Processing Language (SPL), or technical users who will notice that I
didn't convert MB to GB properly?

These questions can help you spark an idea of what internal resources would need to
be engaged, as well as any kind of documentation and educational requirements.

Identifying what you want to consume

Once you have determined the scope of the App, you will need to decide how and
from where you will consume the data. Getting data into Splunk can happen in a
very wide variety of ways. There is no set manner of input that will work on all data
sources. You may have to develop a new script or modular input. Being aware of
where your data is coming from is the key to getting it consumed correctly the first
time. A few questions you may ask yourself could be:

• Why do I need this data? Is it all completely relevant to my use case?
• Where is the data? Cloud, SaaS provider, internal network?
• How do I get the data? Do I already have a collector script, or do I need to
engage an internal resource to write a collector/modular input?
• What format is the data? Is it already extracted (or well known, like syslog),
or do I need to write custom extractions?

There is a lot of data out in the wild, but not all of it may be relevant to your use case.
You may find that of a service that has 100 endpoints available for data collection,
you only need 10. Not only will you save on license usage, but your indexers will
thank you for it as well.


Identifying what you want to brand

Another key thought process in App development is how far you want to brand your
App. Splunk has a very robust architecture and framework, providing you with the
ability to customize your Apps extensively. You can override any individual piece of
CSS and extend SplunkJS Stack to include any number of different visualizations or
third-party libraries. Additional questions you might ponder on would include:

• Do I want to brand anything at all, or just stay with native Splunk?
• Do I need to engage an internal graphics resource to design and create App
icons? App logos?
• Am I going for mobile or static desktops? What desktop size is typical of
incoming users?
• To what extent should I customize my App? Do I just change a few colors
using native Splunk options or do I override CSS?
• Do I need to engage a web designer to build custom CSS or HTML layouts?

There are so many options available to brand your App, but all customizations
should conform to the Splunk branding guidelines for developers. Visit
http://www.splunk.com/view/SP-CAAAFT9 to read through Splunk's guidelines.

Identifying what you want to display

Once you have the whats and hows of the data you're going to collect, you need
to figure out visualizations. How you display the information is just as important
as what data you collect. Splunk comes with a variety of graphs and displays
right out of the box, and can be extended quite easily to include some really cool
presentations. Some of the questions posed to you might be:

• Do you need a programmer to write custom modules or extend SplunkJS views and managers?
• What third-party graphing or graphic libraries do you need to document, develop, or get permission to use?
• Do you need to engage a statistician to determine the best and most effective way to display your data? Some stats (such as max, mean, and min) are easy, others (such as confidence intervals and trendlines) are not.

Chapter 1

Such a small list of questions hardly precludes any other relevant discussion within
your organization. The more internal discussion that can take place, the better and
more thought-out your App may turn out.

Installing Apps
As a Splunk developer, you should be aware of the three methods to install Apps.
There are advantages and disadvantages to each method, but no required method.
It is mostly personal preference as to which method is used by the end user, but,
typically, newer Splunk users will use the Web interface, while advanced users
will use the command line. Let's review those methods, just to keep them fresh in
your mind.

Splunk Web
Installing Apps via Splunk Web is simple. Once you have downloaded the App from
its source, you navigate to the Manage Apps section of Splunk. You will find this at
the top-left of Splunk Web, as shown in the following screenshot:

Once you have clicked on Manage Apps, you will see a button to install the app
from a file. You can also browse the Splunk App store, using the first button:


This brings you to a form that you can use to actually install the App. Simply click on
the Browse button, select the file you downloaded, check the Upgrade app checkbox if this
App has already been installed, and then click on Upload. That's it! Splunk takes the
App, installs it, and prompts for a restart if one is needed:

The Splunk command line

The CLI holds a special place in many *nix admins' hearts. It is entirely possible to install
Apps via the command line alone. Doing so requires two things: access to the physical
(or virtual) server, and enough permissions to run Splunk CLI commands (in practice, a
shell as the user that owns the Splunk installation). All commands are executed from
$SPLUNK_HOME, which normally defaults to /opt/splunk. Follow these steps to install an
App via the CLI:

1. Copy the App file (either a *.tgz or *.spl file) to the filesystem.
2. Run the ./bin/splunk install app <path_to_file> command.

Splunk will install the App. You may be prompted to restart, depending on the
contents of the App. Index-time configurations require a restart, whereas search-time
configurations do not.

Unzipping using the command line

The final method is to perform an untar/unzip yourself. If the App was constructed
properly, the only steps you need to perform are as follows:

1. Copy the file to $SPLUNK_HOME/etc/apps.
2. Change the file extension from .spl to .tgz (an .spl is a gzipped tar archive, the
   same format as the *.tgz packages mentioned above).
3. Use your favorite utility to extract the archive into that folder, so that the App
   ends up as its own directory directly under $SPLUNK_HOME/etc/apps.


Caution! This will overwrite any other settings you have configured, including local
configurations (if present in the archive). We will cover directory structure in the
next chapter.
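Before running the `splunk install app` step above, or before extracting a package by hand into $SPLUNK_HOME/etc/apps, it pays to look inside the archive: it is unpacked with the privileges of whoever runs the command, a local/ directory silently overwrites your own settings (the caution above), and any script under bin/ that an inputs.conf stanza points at runs on the next restart. The following Python is an added example, not code from the book or from Splunk. It assumes an .spl is a gzipped tar archive whose root is a single App directory (for instance SDG/), constructs two sample packages in memory, and reports what it finds without extracting anything to disk.

```python
"""Pre-install inspection of a Splunk app package (.spl / .tgz).

Added example; not from the book or from Splunk. Assumes an .spl is a
gzipped tar whose root is one App directory. Sample packages below are
constructed in memory; nothing is written to $SPLUNK_HOME.
"""
import io
import tarfile

# Finding kinds that should block an install outright. "script" and
# "scripted_input" are informational: review them, then decide.
BLOCKING = {"traversal", "link", "local_override", "multiple_apps"}


def build_sample_spl(members):
    """Build an in-memory .spl (gzipped tar) from a {path: bytes} mapping.

    Test fixture only (constructed data). Real packages come from tar/gzip
    or from Splunk's own packaging tooling.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in members.items():
            info = tarfile.TarInfo(name=path)  # name is stored verbatim
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def inspect_spl(spl_bytes):
    """Return (kind, detail) findings for a package without extracting it.

    traversal       member would land outside $SPLUNK_HOME/etc/apps
    link            symlink/hardlink member (can point anywhere on the host)
    multiple_apps   more than one top-level directory in the archive
    local_override  local/ directory; overwrites the installer's own settings
    script          file under bin/ (runs as the Splunk user when invoked)
    scripted_input  [script://...] stanza in an inputs.conf (runs after restart)
    """
    findings = []
    top_levels = set()
    with tarfile.open(fileobj=io.BytesIO(spl_bytes), mode="r:gz") as tar:
        for m in tar.getmembers():
            parts = [p for p in m.name.split("/") if p not in ("", ".")]
            if not parts:
                continue  # archive root entry such as "./"
            if m.name.startswith("/") or ".." in parts:
                findings.append(("traversal", m.name))
                continue
            if m.issym() or m.islnk():
                findings.append(("link", m.name))
                continue
            top_levels.add(parts[0])
            if len(parts) > 1 and parts[1] == "local":
                findings.append(("local_override", m.name))
            if len(parts) > 2 and parts[1] == "bin" and m.isfile():
                findings.append(("script", m.name))
            if m.isfile() and parts[-1] == "inputs.conf":
                text = tar.extractfile(m).read().decode("utf-8", "replace")
                for line in text.splitlines():
                    if line.strip().startswith("[script://"):
                        findings.append(("scripted_input", line.strip()))
    if len(top_levels) != 1:
        findings.append(("multiple_apps", ",".join(sorted(top_levels))))
    return findings


def is_safe_to_install(findings):
    """True when nothing blocking was found; script findings still need review."""
    return not any(kind in BLOCKING for kind, _ in findings)


# Constructed sample packages (not real Splunkbase downloads).
SAMPLE_OK = build_sample_spl({
    "SDG/default/app.conf": b"[ui]\nis_visible = 1\nlabel = Developer's Guide for Splunk\n",
    "SDG/default/inputs.conf": b"[script://./bin/meh.py]\ninterval = 3600\ndisabled = 1\n",
    "SDG/bin/meh.py": b"# scripted input placeholder\n",
})

SAMPLE_BAD = build_sample_spl({
    "SDG/default/app.conf": b"[ui]\nis_visible = 1\n",
    "SDG/local/inputs.conf": b"[script://./bin/collect.sh]\ninterval = 60\n",
    "../../bin/splunk": b"#!/bin/sh\n",          # would replace the CLI binary
    "/etc/cron.d/splunk": b"* * * * * root /tmp/x\n",  # absolute path
})

if __name__ == "__main__":
    for label, pkg in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        found = inspect_spl(pkg)
        verdict = "install" if is_safe_to_install(found) else "REJECT"
        print(f"{label}: {verdict}")
        for kind, detail in found:
            print(f"  {kind:15} {detail}")
```

The check deliberately reads the archive index and inputs.conf only, so it can run on a workstation before the package ever reaches $SPLUNK_HOME. A package that carries a local/ directory is not necessarily malicious, but it will replace settings you set through Splunk Web or the CLI, which is exactly what the caution above warns about; treat it as a reason to ask the App author why it is there.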

Downloading the example code

You can download the example code files from your account at
http://www.packtpub.com for all the Packt Publishing books
you have purchased. If you purchased this book elsewhere, you can
visit http://www.packtpub.com/support and register to have
the files e-mailed directly to you.

Summary
In this chapter, we covered the basic fundamentals of designing and installing
Splunk Apps. Apps can be broken down into domains, each with a naming
convention that allows you to quickly determine what the App can do, and what is
contained within it, so that new users to your environment don't have to look for
configurations. We learned how to approach App design to make sure that the App
is planned beforehand, which will eliminate the need to refactor major portions of
the App later, when it may already be in production. We also went over the three
different methodologies available to install Apps to give a basic understanding of
user experience related to the installation of any App you may build.

Now that you've acquired an understanding of what an App consists of, in the
coming chapters, we will discuss creating, enhancing, and customizing them.

Creating Applications
In this chapter, we will begin covering how to build an actual application. There are
many different ways to create an App, ranging from GUI creation to manual editing
of configuration files. We will cover the structure of an application, what each folder
should contain within the application, and why this is important. Another aspect
that will be touched on will be the data that your application will consume. Setting
up the data structures beforehand may save you time and energy later on if you have
to refactor. It is crucial to get the data in correctly the first time, as any subsequent
release of your app will need to make use of the data. We will cover various methods
for data consumption, as well as the types of Splunk knowledge objects that can be
included in your application. Restricting access to your application may be a priority,
so we will also cover metadata and object permissions. Getting your application
installed may require your end user to perform some additional configuration before
it can be used, so we will review how to configure the setup screen as well.

A brief clarification
As we continue to progress through this book, we will create an App from the
ground up. The App's name is SDG (from a filesystem perspective) and the App label
will be Developer's Guide for Splunk. It will be available in its entirety on Splunkbase
at https://splunkbase.splunk.com/app/2693/. Additionally, we will be using
an API provided by meh.com, a daily deal site that was kind enough to build an API
to their website. They were chosen primarily because they fit the geek culture pretty
well, and provide a very simple-to-consume API. The data that will be consumed is
pulled from their website's API using scripted inputs located in the bin folder of the
sample SDG application.


Let's recall the questions from Chapter 1, Application Design Fundamentals, that revolve
around App creation. We should answer some of them in preparation for building
our demo App:

• Identifying the use case:
    °° We are building this App as a learning experience for the reader. By providing an App at the end of this book, with all the examples from the book contained within the App, we will give you a means to see a final product, as well as how it was created, step by step.
    °° We are building an App with visualizations and modular inputs that will be shared with everybody—no need for role-based access.
    °° The data will primarily consist of daily deals information, along with polling information.

• Identifying what you want to consume:
    °° The data is needed as an event generator for our App building demo, and is located at an API provided by meh.com. I will consume the data with a modular input from the API, which outputs its data in JSON.

• Identifying what you want to brand:
    °° For demonstration purposes, we will brand the App with custom icons and some custom CSS and JavaScript. No external resources will be needed.

• Identifying what you want to display:
    °° We will be using a box plot graphic, which needs to be transformed into a modular Splunk JavaScript library. The statistics will be simplistic, so a mathematician is not required.

Now that we have answered some preliminary questions, we are ready to begin
creating our App. We can clearly see what is needed at the very basic level, and can
continue to add to the specification as we go ahead.

Methods of creating applications

There are two basic ways of creating applications. They are as follows, in order of
difficulty (not that either of them is hard): Splunk Web (we will call this the GUI),
and handwritten (henceforth to be recognized as FreeForm). In order to create Apps,
you, the developer, must have specific permissions within the Splunk instance.
