I was recently working on writing and open sourcing, and one of my goals was to make sure my code was in compliance with Splunk’s best practices at every stage of development. No one wants to get first wind of all of the issues in his or her app while they're submitting to Splunkbase, am I right?
Because a few of us were going to be working on that repo/app, automated testing was the way to go. I thought it would be great to share the experience with you, in case you'd also like to start automatically testing your Splunk content (App, TA, DA, SA).
Pan camera over to CircleCI, a CI/CD cloud service that allows you to “automate your pipeline from commit to deploy.” First, I spent a few minutes going through the "getting started" process and ended with an example job being executed on a repository. The next step was to figure out what tool to use to test Splunk automatically. Fortunately, Splunk provides AppInspect as a way for customers to automatically validate their applications. Its description: "Splunk AppInspect evaluates your Splunk app against a set of Splunk-defined criteria so that you can be assured of its quality and robustness."
The next task was to build a job to automatically run AppInspect on every pull request for our TA-osquery. This was the end result:
Here, you can see that CircleCI executes three jobs: grab appinspect, install appinspect, and run appinspect. Let's unpack these a bit:
Now, let's look at a full example configuration from the TA-OSquery repo located here: splunk/TA-osquery.
Note the validate-content job where we clone, build, and run Splunk AppInspect. There is also a publish-github-release job, which takes the inspected tarball (TA-osquery.tar.gz) and creates a Github release using ghr that includes it. Also, under the workflows section, we define a very simple process:
This allows us to only generate a release when we tag one in our code.
Mind you, this does require you to set an environmental variable in CircleCI named GITHUB_TOKEN with a Github token. The Github token must have access to post releases to your repo.
On the Github side, while not required, I highly suggest you create the following branch protection rule for all your branches (*): Require at least one reviewer for each pull request and always require that the validate-content job finishes successfully before allowing merging.
To summarize, in order to automatically test Splunk content in Github, you need to:
Using pre-commit hooks, specifically, those for linting configuration files and flake8 for python scripts, will help with the code hygiene of any project. Also, if you see yourself editing the CircleCI config file, it is good practice to use their CLI tool to validate the file:
----------------------------------------------------
Thanks!
José Enrique Hernandez
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.