If you have ever uploaded a contribution to Splunk Apps, you’ll have seen the following option: But what does this really mean? What is the difference between an App and an Add-on? Both are packaged and uploaded to Splunk Apps as SPL files, and to install them in your Splunk instance you simply untar the SPL file into etc/apps. But the content and purpose of Apps and Add-ons certainly differ from one another.
An Add-on is typically a single component that you can develop and re-use across a number of different use cases. It is usually not specific to any one single use case. It also won’t contain a navigable user interface. You cannot open an Add-on from the Splunk Enterprise Home Page or the App menu. An example of an Add-on might be:
You could potentially use an Add-on on its own or bundle several together to form the basis of a Splunk App. In this respect they lend themselves to reuse and modularity, so that you can construct your Apps more rapidly.
Apps are more comprehensive offerings that will contain a navigable user interface, possibly a setup screen, and will be composed of many different Splunk knowledge objects (lookups, tags, eventtypes, savedsearches etc.), data inputs, and perhaps other reusable Add-ons. An App will also typically serve a particular use case, target a specific type of user, or target a specific domain of operational visibility, e.g. Splunk for Websphere App, Splunk Enterprise Security App, Splunk for Unix and Linux. You can also apply user/role-based permissions and access controls to Apps, thus providing a level of control when you are deploying and sharing apps across your organization. Apps can be opened from the Splunk Enterprise Home Page, from the App menu, or from the Apps section of Settings.
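As an added example (not code from the original post or from Splunk), this Python check inspects an SPL file before it is untarred into etc/apps: it flags archive members that would land outside the package directory and reports whether the package presents itself as an App or an Add-on. It assumes the package carries a `<name>/default/app.conf` whose `[ui]` `is_visible` setting marks a navigable UI; the function names and the two sample packages are constructed for illustration.

```python
import configparser
import io
import tarfile


def build_spl(files):
    """Build a constructed in-memory SPL (gzipped tar) from {path: text}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            data = text.encode("utf-8")
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def inspect_spl(spl_bytes):
    """Return (kind, unsafe_members) for an SPL package without extracting it."""
    unsafe, app_conf = [], None
    with tarfile.open(fileobj=io.BytesIO(spl_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            # Members that could be written outside etc/apps/<name>/ when untarred.
            if (member.name.startswith("/") or ".." in parts
                    or member.issym() or member.islnk()):
                unsafe.append(member.name)
            elif member.isfile() and parts[1:] == ["default", "app.conf"]:
                app_conf = tar.extractfile(member).read().decode("utf-8")
    visible = False  # assumption: no [ui] is_visible setting is treated as "no UI"
    if app_conf is not None:
        conf = configparser.ConfigParser(strict=False, interpolation=None)
        conf.read_string(app_conf)
        visible = conf.getboolean("ui", "is_visible", fallback=False)
    return ("app" if visible else "add-on"), unsafe


# Constructed sample packages (not real Splunk Apps content).
SAMPLE_APP = build_spl({
    "demo_app/default/app.conf": "[ui]\nis_visible = true\nlabel = Demo App\n",
    "demo_app/default/data/ui/nav/default.xml": "<nav/>",
})
SAMPLE_ADDON = build_spl({
    "TA-demo/default/app.conf": "[ui]\nis_visible = false\n",
    "TA-demo/default/props.conf": "[demo]\n",
    "TA-demo/../outside.txt": "lands outside the package directory",
})

if __name__ == "__main__":
    print(inspect_spl(SAMPLE_APP))
    print(inspect_spl(SAMPLE_ADDON))
```

A non-empty second element means the archive should not be untarred into etc/apps as-is.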
So one of the key differentiators between Apps and Add-ons is the presentation of a user interface. And we are somewhat spoiled for choice now in Splunk 6, with so many options to consider for developing the UI. So here is a brief overview of the options and why you might choose one over another.
If you are not a developer, and are not familiar with scripting Simple XML directly, Splunk Web makes it easy to create a UI in a simple point-and-click manner.
If you have some familiarity with Simple XML, but you are not a developer per se, and you want to create/customize your dashboards beyond what you can do in the Splunk Web editor, then you can hack away on the XML using your favorite text editor or in the browser with Splunk Web.
So you are a developer, and you want to see the underlying JS/HTML behind the Simple XML dashboard. Or perhaps you want to code some custom UI behavior beyond what Simple XML provides, or use some other JS/CSS. Then this is a good option for you.
<dashboard script="custom_chart.js, autodiscover.js" stylesheet="custom_chart.css"> … </dashboard>
This is closely related to the previous option, but perhaps you still want Splunk Web dashboard editing and PDF export functionality, which you’ll lose if you convert your dashboards to HTML.
The Splunk 6.x Dashboard Examples App has lots of examples for you to follow.
In addition to the previous benefits of being able to get under the hood and work with JS/HTML/CSS directly, you may want to use the Django Bindings component of the Web Framework to leverage reusable Django tags for Splunk components or perform some custom server-side processing by utilizing Django views (it’s not always a good idea to work in the browser!).
The Splunk Web Framework Toolkit is a great app packed with examples to get you up to speed here.
Prior to Splunk 6, custom advanced UIs were typically created using Splunk’s Advanced XML Module System. This is still available in the product, and partners such as Sideview create some great Apps using this approach. But if you are a new developer I would certainly recommend using the newer, open-standards-based approaches that simply rely on you knowing commonplace web technologies such as JS, HTML, CSS etc.
----------------------------------------------------
Thanks!
Damien Dallimore