
AppInspect check_indexes_conf_does_not_exist too restrictive?

Graham_Hanningt
Builder

Background to this question

I am the developer of a Splunk app, recently published on Splunkbase, that is intended for use as a sample, in the following sense:

Scope and intended use of the app
[This] app is not intended to be a fully-fledged out-of-the-box solution [...]. Instead, the app contains sample dashboards that demonstrate some example use cases for visualizing data from [proprietary product name].
The developers of [this app] anticipate that customers will examine these sample dashboards, and then perhaps copy and adapt selected visualizations into their own bespoke Splunk apps to match their own specific requirements.

A separate website (external to Splunkbase) supplies sample data for the app, so that users who want to try out the app can do so without requiring that "proprietary product".

My problem

I covet a "Splunk AppInspect Passed" badge for the app.

However, the AppInspect report includes the following failure:

[ Failure Summary ]
Failures will block the Cloud Vetting. They must be fixed.
check_indexes_conf_does_not_exist
Apps and add-ons should not create indexes. Indexes should only be defined by Splunk System Administrators to meet the data storage and retention needs of the installation. Consider using Tags or Source Types to identify data instead index location. File: default/indexes.conf

The app contains an indexes.conf file that defines an index; the app's macros.conf file defines macros that refer to that index name; searches in the app's dashboards refer to those macros.

I want users to store the sample data for this app in an index that is specifically for that purpose. I want them to be able to delete that index at will, without worrying about deleting other, "non-sample" data. I want to help inexperienced users avoid "polluting" indexes containing their "real" data with this "sample" data.

User beware? That stance might be considered unhelpful to an inexperienced Splunk user who has just inadvertently loaded sample data into an index they shouldn't have.

I anticipate that users will refer to this app as a starting point for developing their own apps that might or might not similarly constrain searches by index (I think that such constraints will be quite likely; for example, in multi-tenant environments).

My question

Is there any way I can get that "Splunk AppInspect Passed" badge without removing indexes.conf from the app?

Yes, I could remove indexes.conf, push the task of defining a specific index onto the user, and describe how to do this in documentation, but I deliberately want to minimize the number of manual setup steps for this app.

kamlesh_vaghela
SplunkTrust

@Graham_Hannington

indexes.conf should not be in a Splunk app. I suggest removing indexes.conf and describing the index creation steps in the documentation. There, you have to mention where in the Splunk architecture they have to create the index.

0 Karma

tauliang
Communicator

No. The tool won't let this pass vetting if an index.config is contained in the package. It is considered a best practice NOT to have one in an app; thus, the codified rule.

https://dev.splunk.com/enterprise/docs/releaseapps/appinspect/appinspectreferencetopics/splunkappins...

0 Karma

nickhills
Ultra Champion

Hi @Graham_Hannington, I posted a related answer to your question here: https://answers.splunk.com/answers/807985/is-it-best-practice-to-constrain-searches-by-index.html#an...
In that answer, hopefully I explained the reason that indexes.conf should be excluded, and a workaround using macros (which it seems you already use).
The path of least resistance is to invite the user to configure your application and define the contents of your index macro when you install the app.
Failing that, the next best option is documentation which explains how the user should configure it.

If my comment helps, please give it a thumbs up!
0 Karma
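
The macro workaround described in the answer above, sketched as an added example that is not part of the original thread or the app's own configuration. The index name `acme_sample`, the macro name `acme_sample_index`, the sourcetype and `customer_chosen_index` are hypothetical.

```ini
# --- Layout that fails check_indexes_conf_does_not_exist ---
# default/indexes.conf  (shipped inside the app package)
[acme_sample]
homePath   = $SPLUNK_DB/acme_sample/db
coldPath   = $SPLUNK_DB/acme_sample/colddb
thawedPath = $SPLUNK_DB/acme_sample/thaweddb

# --- Layout with no indexes.conf in the package ---
# default/macros.conf  (shipped): the only place an index name appears
[acme_sample_index]
definition = index=acme_sample
iseval = 0

# Dashboard searches reference the macro, never the index name directly:
#   `acme_sample_index` sourcetype=acme:events | timechart count

# local/macros.conf  (not shipped; written after install by the
# administrator or by the app's setup step) points the macro at the
# index the administrator actually created for the sample data
[acme_sample_index]
definition = index=customer_chosen_index
iseval = 0
```

With this layout the administrator creates the dedicated sample index, so storage and retention stay under their control, and only the macro definition has to change to match it.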

MaTripod
New Member

Forgive me if I am missing one or more key points here, but I am confused as to why the AppInspect tool fails with an error when the Splunk documentation (https://dev.splunk.com/enterprise/docs/planapps/cloudready/#Cloud-ready-app-guidelines-for-Splunk-Cl...) clearly states defaults/indexes.conf files are allowed within the indicated constraints.

If I have an app that has been in use for years with an index defined and I suddenly remove it in a future update, all the users of the app that perform the upgrade will see their index (and historical data) disappear.

0 Karma