App development - few beginner questions


hello fellow splunker.

i am new to splunk and just starting to learn the basics about the app development.

i have a few questions and topics i would appreciate your help with and hope that somebody can help me.

  • first, i am wondering if there is no other way to "deploy" the changes i made to the app-files than calling http://localhost:8000/de-DE/debug/refresh every time i make changes. i tried to adjust cache settings in web.conf, e.g. cacheEntriesLimit and cacheBytesLimit, which didn't happen to work.
  • second, i couldn't get a custom app-icon to work. i placed the images in $SPLUNK_HOME/etc/apps/your_app_name/static/ as described here, restarted splunk... unfortunately without success.
  • last, i am wondering how to automatically add a data-file (e.g. $SPLUNK_HOME/etc/apps/your_app_name/local/data/thedata.txt) when the app is first started. i have a custom props.conf, indexes.conf and inputs.conf with [monitor://....] in $SPLUNK_HOME/etc/apps/your_app_name/local/data, props and indexes are included in the $SPLUNK_HOME/etc/apps/your_app_name/metadata/local.meta but now i am struggling to actually get the data, the inputs.conf, into splunk.

i appreciate every help or hint, where to find the solution.

thank you very much


Hi there!

  1. debug/refresh is a great way to reload specific items of Splunk. By appending &entity=admin/views or other similar entities, you can reload only a portion of Splunk, in this case views. I don't generally like to develop on a "non-cached" Splunk instance, it makes my page reloads too slow, a simple _bump or debug/refresh would do just fine for most changes.
  2. Make sure they are PNG, and are the exact sizes listed in that table. You can also stick them in $APP_HOME/appserver/static. This is probably not needed, but IIRC, there are older versions of Splunk that look there as a back.
  3. Well, that, ... is just .... what? Ok, so you shouldn't need your app to consume a file from a location within the App. You should configure your app to have a sourcetype configuration, and instruct users to consume that file from anywhere, but with your custom sourcetype. Also, data is not part of the folder structure. You should have any conf file in $APP_HOME/default. You are making the app, put the configs in default.

If this App is intended for distribution (i.e. SplunkBase), then you need to read up on some best practices on app dev. If you find me on Slack, I'm alacercogitatus, and I do app dev. We have a channel #appdev, that we can help with narrowing down your problems and help to resolve them. Thanks!
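A pre-packaging check for point 3 of the answer above, as an added example that is not part of the original thread and not Splunk tooling: it walks an app's source tree and reports `.conf` files that are not directly in `default/`, and `[monitor://...]` stanzas that point back into the app's own directory. The function names, finding labels and the sample tree (built from the paths in the question) are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# A .conf stanza header such as [monitor:///var/log/foo.log]
STANZA = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")


def lint_app(app_dir):
    """Return findings for an app source tree (hypothetical labels)."""
    app = Path(app_dir)
    findings = []
    for conf in sorted(app.rglob("*.conf")):
        rel = conf.relative_to(app)
        # The app author's conf files belong directly in default/.
        if rel.parent != Path("default"):
            findings.append(f"conf-outside-default: {rel.as_posix()}")
        if conf.name != "inputs.conf":
            continue
        for line in conf.read_text(encoding="utf-8").splitlines():
            m = STANZA.match(line.strip())
            if not m or not m["name"].startswith("monitor://"):
                continue
            # The app should not consume a file from inside itself.
            if f"/etc/apps/{app.name}/" in m["name"] + "/":
                findings.append(f"monitors-own-dir: [{m['name']}]")
    return findings


def build_sample_app(root):
    """Constructed sample: the layout described in the question."""
    app = Path(root) / "your_app_name"
    (app / "default").mkdir(parents=True)
    (app / "local" / "data").mkdir(parents=True)
    (app / "default" / "app.conf").write_text("[ui]\nis_visible = 1\n")
    (app / "local" / "data" / "props.conf").write_text("[my_sourcetype]\n")
    (app / "local" / "data" / "indexes.conf").write_text("[my_index]\n")
    (app / "local" / "data" / "inputs.conf").write_text(
        "[monitor://$SPLUNK_HOME/etc/apps/your_app_name/local/data/thedata.txt]\n"
        "sourcetype = my_sourcetype\n"
    )
    return app


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in lint_app(build_sample_app(tmp)):
            print(finding)
```
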
