All Apps and Add-ons

What are the App layout best practices?

Marinus
Communicator

I've seen quite a few apps and they structure their file in different ways. Is there a best practice? For example should you place indexes, script, collected data or binaries in the App directory?

Tags (2)
1 Solution

emma
Splunk Employee
Splunk Employee

If you intend to package your app and distribute it, either on Splunkbase or within your infrastructure (using Deployment Server, for example) it's probably best to put everything pertaining to that app in the app's directory. Users, roles, indexes, inputs, scripts, views, saved searches, etc -- any custom configuration, code or knowledge objects you create specifically for that app. Anything you intend to share as a system-wide setting (users and roles who will have access to other apps, inputs and indexes for your entire install, system settings like management port and web timeout) should be in $SPLUNK_HOME/etc/system/local.

View solution in original post

emma
Splunk Employee
Splunk Employee

If you intend to package your app and distribute it, either on Splunkbase or within your infrastructure (using Deployment Server, for example) it's probably best to put everything pertaining to that app in the app's directory. Users, roles, indexes, inputs, scripts, views, saved searches, etc -- any custom configuration, code or knowledge objects you create specifically for that app. Anything you intend to share as a system-wide setting (users and roles who will have access to other apps, inputs and indexes for your entire install, system settings like management port and web timeout) should be in $SPLUNK_HOME/etc/system/local.

emma
Splunk Employee
Splunk Employee

Can you be more specific about what files you're talking about? If you are trying to package an app for other users, you can use the setup.xml to direct your users to specify where the file/directory is they'd like to index. They can set this up while installing/setting up the app. I wouldn't advise putting anything in $SPLUNK_HOME/var/log -- that's for internal Splunk logs.

0 Karma

Marinus
Communicator

Thank you Emma, what about file that you are indexing. I currently keep them in the app directory. Would you advise $SPLUNK_HOME/var/log? I've also noticed that Splunk sometimes tries to read some of these files as config files, thought it would be limited to app/[local|default].

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...