Dashboards & Visualizations

App certification issues based on one app updating macros.conf of another app?

sharad06
Explorer

Hi Splunk experts!

I'm working with three Splunk apps:

  1. Dashboard App (DA)
  2. TA (TA)
  3. TA for Adaptive Response (TA-AR)

These apps receive events from a remote machine. The TA presents a setup page to the user which allows the user to specify an index from which all dashboards in the DA will pull their events. For all practical purposes, it's safe to assume that the user would edit this index config very rarely. The problem I'm trying to solve is to populate all dashboards in DA according to user config in TA setup page.

So far, I've been accomplishing this by defining a macro 'get_index' in DA and then using this macro in each dashboard search inside DA. Inside TA, any time the user updates the index field, I call the macros REST endpoint to update the macros.conf in DA. As a result, all dashboards in DA start pulling events from the new index because the underlying 'get_index' macro has been updated.

Recently, I heard that my app won't pass certification (I haven't formally submitted the app for certification yet) since one app is not allowed to modify contents of another app. I would like to know if this info is correct. If yes, what is the best approach to solving this use case? A few possible alternative strategies I can think of, are:

  1. DA and TA have separate setup pages. DA setup page asks for index info. TA setup page asks for everything else.
  2. Do away with macros and make all dashboards in DA independent of all indexes. Then, require the user to set the 'default searchable index' (for the DA app users) to be same as that entered on the TA setup page.

Thanks.

0 Karma

woodcock
Esteemed Legend

Don't deploy the macro at all. You can force people into a setup.xml that creates it on install or you can simply just refer to it and expect that until the user creates it somewhere accessible to your dashboards, that your dashboards won't work (point to this in your READMEs).

0 Karma

micahkemp
Champion

You could just move the macro to the TA. It's perfectly reasonable to have a visualization app require knowledge objects from a separate TA.

0 Karma

sharad06
Explorer

Hi micahkemp,

Thanks for your answer. So you suggest I move the macros.conf from DA to TA. But then how do the DA dashboards access the TA macros to get the index value?

Do you mean to say that I store the index value in TA (in some conf file) and then write a scripted input (which is fired on every restart) in DA that will read this index value from above conf file in TA?

Thanks.

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...