Dashboards & Visualizations

App certification issues based on one app updating macros.conf of another app?

sharad06
Explorer

Hi Splunk experts!

I'm working with three Splunk apps:

  1. Dashboard App (DA)
  2. TA (TA)
  3. TA for Adaptive Response (TA-AR)

These apps receive events from a remote machine. The TA presents a setup page to the user which allows the user to specify an index from which all dashboards in the DA will pull their events. For all practical purposes, it's safe to assume that the user would edit this index config very rarely. The problem I'm trying to solve is to populate all dashboards in DA according to user config in TA setup page.

So far, I've been accomplishing this by defining a macro 'get_index' in DA and then using this macro in each dashboard search inside DA. Inside TA, any time the user updates the index field, I call the macros REST endpoint to update the macros.conf in DA. As a result, all dashboards in DA start pulling events from the new index because the underlying 'get_index' macro has been updated.

Recently, I heard that my app won't pass certification (I haven't formally submitted the app for certification yet) since one app is not allowed to modify contents of another app. I would like to know if this info is correct. If yes, what is the best approach to solving this use case? A few possible alternative strategies I can think of, are:

  1. DA and TA have separate setup pages. DA setup page asks for index info. TA setup page asks for everything else.
  2. Do away with macros and make all dashboards in DA independent of all indexes. Then, require the user to set the 'default searchable index' (for the DA app users) to be same as that entered on the TA setup page.

Thanks.

0 Karma

woodcock
Esteemed Legend

Don't deploy the macro at all. You can force people into a setup.xml that creates it on install or you can simply just refer to it and expect that until the user creates it somewhere accessible to your dashboards, that your dashboards won't work (point to this in your READMEs).

0 Karma

micahkemp
Champion

You could just move the macro to the TA. It's perfectly reasonable to have a visualization app require knowledge objects from a separate TA.

0 Karma

sharad06
Explorer

Hi micahkemp,

Thanks for your answer. So you suggest I move the macros.conf from DA to TA. But then how do the DA dashboards access the TA macros to get the index value?

Do you mean to say that I store the index value in TA (in some conf file) and then write a scripted input (which is fired on every restart) in DA that will read this index value from above conf file in TA?

Thanks.

0 Karma
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...