Why do so many people call the CIM Add-On an application? From everything that I learned so far wouldn't it just be considered an Add-On instead of an application? I need to understand this for testing purposes.
The naming depends on the context.
From the Splunk "internals" point of view, an app is just a bunch of files packed together and a namespace in which those are placed. So anything you download from splunkbase or buld yourself is an app. Splunk also comes with several built-in apps like "search".
The other perspective is the traditional distinction between an "Add-On" which provides the "backend" functionality like inputs definition, extractions, calculated fields, aliases and so on and so on. And "Apps" which contain the user-facing components like reports and dashboards. But that's just a convention which is not always kept, especially by independent authors.
The Splunk Common Information Model (CIM) Add-On is often referred to as an application because it provides functionality beyond that of a typical add-on. While the CIM Add-On does function as an add-on in that it extends the capabilities of Splunk, it also provides pre-built dashboards, reports, and field extractions that are typically associated with applications.
The CIM Add-On is specifically designed to help users implement the CIM, which is a standard data model that enables users to normalize their data and correlate events across different data sources. As such, the CIM Add-On provides a set of pre-configured field extractions and tags that map to the CIM, making it easier for users to normalize their data.
In addition, the CIM Add-On also includes pre-built dashboards and reports that provide insights into security, network, and other operational data, which are features typically associated with applications.
Overall, while the CIM Add-On is technically an add-on, it is often referred to as an application because it provides a more comprehensive set of features and functionality than a typical add-on. Understanding this distinction may be important for testing purposes, particularly if you need to understand how the CIM Add-On interacts with other add-ons or applications in your Splunk environment.
Sorry, but this is just not true. CIM add-on does not on its own provide extractions nor contain any additional dashboards or reports apart from a few directly connected with the CIM state.
It provides a common (hence the name) standard to which the data should be normalized using add-ons specific for each separate types of source data.
The naming depends on the context.
From the Splunk "internals" point of view, an app is just a bunch of files packed together and a namespace in which those are placed. So anything you download from splunkbase or buld yourself is an app. Splunk also comes with several built-in apps like "search".
The other perspective is the traditional distinction between an "Add-On" which provides the "backend" functionality like inputs definition, extractions, calculated fields, aliases and so on and so on. And "Apps" which contain the user-facing components like reports and dashboards. But that's just a convention which is not always kept, especially by independent authors.