You might want to look at the Splunk Developer’s Guide and the associated Splunk Reference App, built by a Splunk dev team. It covers application development from getting data into Splunk Enterprise to producing custom visualizations to testing, packaging, and distributing your app. The example shows how to monitor document repositories, allowing you to see who has viewed, modified, deleted, or downloaded records.
The key element of the Splunk developer guidance is the code. The code repos are open, and you can look at the source code of the reference apps and the associated tests. In fact, you can see and replay the code in motion, as it was developed. Full documentation is available and combines design and implementation guidelines; this guidance is written by developers for developers.
If it doesn’t answer your current question you might want to bookmark it and check back occasionally. The team is committed to extending the guidance as the platform evolves to incorporate new features. An update is under development right now that extends the functionality, and takes advantage of the latest Splunk features.
If you prefer, a print copy is available from Amazon.com.