All Apps and Add-ons

What are the App layout best practices?

Marinus
Communicator

I've seen quite a few apps and they structure their file in different ways. Is there a best practice? For example should you place indexes, script, collected data or binaries in the App directory?

Tags (2)
1 Solution

emma
Splunk Employee
Splunk Employee

If you intend to package your app and distribute it, either on Splunkbase or within your infrastructure (using Deployment Server, for example) it's probably best to put everything pertaining to that app in the app's directory. Users, roles, indexes, inputs, scripts, views, saved searches, etc -- any custom configuration, code or knowledge objects you create specifically for that app. Anything you intend to share as a system-wide setting (users and roles who will have access to other apps, inputs and indexes for your entire install, system settings like management port and web timeout) should be in $SPLUNK_HOME/etc/system/local.

View solution in original post

emma
Splunk Employee
Splunk Employee

If you intend to package your app and distribute it, either on Splunkbase or within your infrastructure (using Deployment Server, for example) it's probably best to put everything pertaining to that app in the app's directory. Users, roles, indexes, inputs, scripts, views, saved searches, etc -- any custom configuration, code or knowledge objects you create specifically for that app. Anything you intend to share as a system-wide setting (users and roles who will have access to other apps, inputs and indexes for your entire install, system settings like management port and web timeout) should be in $SPLUNK_HOME/etc/system/local.

emma
Splunk Employee
Splunk Employee

Can you be more specific about what files you're talking about? If you are trying to package an app for other users, you can use the setup.xml to direct your users to specify where the file/directory is they'd like to index. They can set this up while installing/setting up the app. I wouldn't advise putting anything in $SPLUNK_HOME/var/log -- that's for internal Splunk logs.

0 Karma

Marinus
Communicator

Thank you Emma, what about file that you are indexing. I currently keep them in the app directory. Would you advise $SPLUNK_HOME/var/log? I've also noticed that Splunk sometimes tries to read some of these files as config files, thought it would be limited to app/[local|default].

0 Karma
Get Updates on the Splunk Community!

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...