Yesterday at .conf2016 we announced the general availability of Splunk AppInspect, the first static and dynamic analysis tool for Splunk apps. It was built, and is used, by the team that administers the Splunk App Certification program to speed the certification process. We’re now able to share it with developers who want the same insights into their apps, whether they plan to release them to Splunkbase or not.
“AppInspect has been invaluable in bringing Splunk certification testing into our automated build environment, helping us to create Splunk Apps that are ready for App Certification on the first upload to SplunkBase.” – Kyle Smith, Aplura, LLC
All developers want to get their work done faster, with fewer errors and less debugging. Splunk AppInspect makes that possible with a suite of over 165 individual checks in 36 different areas of a Splunk app.
AppInspect evaluates a Splunk app for:
36 different technical areas are reviewed including:
AppInspect is available either as a standalone tool that provides static analysis on a local machine, or through a RESTful API that provides both static and dynamic analysis. It is ready for all stages of the software development lifecycle, including automated unit testing, manual code reviews, and integration with continuous integration build systems.
Using transforms.conf to adjust data at index time is an essential tool of Splunk Apps, but as anyone who has ever written a regular expression will tell you, it can be tricky to get right. Let’s look at an example:
[field_eval]
FORMAT = field_parent::$2
MV_ADD = 1
REGEX = ( *[\(,\+\-\/\/\*] *|^)([a-zA-Z_'\{\}][\w'\{\}\.]++)(?!(\(| [Aa][Ss]))
SOURCE_KEY = conf_value
When we run the app through Splunk AppInspect we get the following failure message:
[ failure ] Check that all capture groups are used in transforms.conf. Groups not used for capturing should use the non-capture group syntax
The format option in [field_eval] stanza of transforms.conf did not include $1, $3
In the REGEX there are two capture groups that have not been used. It is possible that the developer has done one of two things:
( *[\(,\+\-\/\/\*] *|^)
to
(?: *[\(,\+\-\/\/\*] *|^)
In either case it would be extremely time consuming to check each and every transform manually to confirm that all of the capture groups have been used. AppInspect runs this check in under a minute.
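To make the check concrete, here is a small Python sketch of the same idea, added as an illustration; it is not AppInspect's own code. It assumes the stanza parses with Python's configparser (real .conf files can contain constructs it rejects) and that FORMAT references groups only as $n; the function names are hypothetical.

```python
import configparser
import re

# Stanza copied from the post's example.
SAMPLE = r"""
[field_eval]
FORMAT = field_parent::$2
MV_ADD = 1
REGEX = ( *[\(,\+\-\/\/\*] *|^)([a-zA-Z_'\{\}][\w'\{\}\.]++)(?!(\(| [Aa][Ss]))
SOURCE_KEY = conf_value
"""

def count_capture_groups(pattern):
    """Count capturing groups by scanning the text, so PCRE-only syntax
    such as the possessive '++' does not need to compile in Python."""
    count, i, in_class = 0, 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":                      # escaped char: skip the pair
            i += 2
            continue
        if in_class:
            in_class = ch != "]"            # ']' closes the character class
        elif ch == "[":
            in_class = True
        elif ch == "(":
            nxt = pattern[i + 1:i + 4]
            if nxt[:1] not in ("?", "*"):   # plain '(' captures; '(*VERB)' does not
                count += 1
            elif re.match(r"\?(P<|'|<(?![=!]))", nxt):
                count += 1                  # named groups are numbered too
        i += 1
    return count

def unused_groups(conf_text):
    """Map stanza name -> capture group numbers never referenced as $n in FORMAT."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.read_string(conf_text)
    findings = {}
    for stanza in cp.sections():
        regex, fmt = cp[stanza].get("regex"), cp[stanza].get("format")
        if not regex or not fmt:
            continue                        # nothing to compare in this stanza
        used = {int(n) for n in re.findall(r"\$(\d+)", fmt)}
        missing = [g for g in range(1, count_capture_groups(regex) + 1) if g not in used]
        if missing:
            findings[stanza] = missing
    return findings

if __name__ == "__main__":
    for stanza, missing in unused_groups(SAMPLE).items():
        print(f"[{stanza}] FORMAT never references:", ", ".join(f"${g}" for g in missing))
```

Converting a group to (?: ... ) renumbers every group after it, so FORMAT has to be updated in the same change.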
We encourage you to download AppInspect, test it out, and see how your app does. View the documentation here, including an API reference. We’d love to hear from you; reach out to us at: appinspect@splunk.com
If you need help getting started with Splunk AppInspect you can email appinspect@splunk.com or ask on Splunk Answers with tag AppInspect.
----------------------------------------------------
Thanks!
Grigori Melnik