See my previous reply for how to upload a custom app to Splunk Cloud.  If the self-service process fails then open a support request.

SSH to the HF and go to $SPLUNK_HOME/etc/apps.  Look in each directory for props.conf or transforms.conf files, especially those in 'local' directories.  Without the same settings in Splunk Cloud, any data that doesn't pass through the HF will not be processed the same and so may not yield the same results.

Ok, I believe I understood what you suggested.

Vetted our on-prem HFs and discovered 15 custom apps that don't exist on our cloud SH. I haven't gone through their props.conf or transforms.conf files yet, but highly believe they're still in use. Now, I need to figure out how to migrate these apps over...smh

Migrating the HF apps is pretty simple.  Package them and upload them to your Splunk Cloud search head (Apps->Manage Apps->Uploaded Apps then click the Upload button).  The app will be vetted.  If vetting completes successfully, click "Install" to install the app; otherwise, click "View Report" to see why vetting failed then make corrections and repeat. 

I should have been more clear. The "apps" on HF aren't full apps.  I tried uploading a few, it failed the vetting process. The failure report has some good deets on why and now another thing to figure out.

There's no such thing as a "full" app.  Apps are just collections of config files, whichever ones are needed to accomplish a given task.  For vetting purposes, only default/app.conf is required.

Once you've vetted a couple of apps, you'll have a feel for what is looked for and will be more successful at getting apps to pass on the first try.

That makes sense.

I do see the app.conf file in the default folder but it doesn't have the sections the error details pointed out. Trying to figure out how to get those pieces back.

• `Major.Minor.Revision` version is required in `[id]` or `[launcher]` section of app.conf. File: default/app.conf

Get them back using your favorite text editor and entering:

[launcher]
# This can be any 3-part number.  New uploads must always have a different version.
version = 1.0.0
# Optional field
description = <text>
author = Sam

[package]
# This is the name of the directory the app is in.
id = <folder name>
# Set this to false since Splunk won't find the app on splunkbase.
check_for_updates = false

[install]
is_configured = false

[ui]
# Set to false for TAs.  Set to true if the app has a dashboard.
is_visible = false
# The "pretty name" of the app.  Doesn't have to match the id.
label = <text>

Thank you for sticking through this with me.

*********

For the [install] section, there's an existing field of install_source_checksum = [SomeString] so I kept that entry and no more section errors. These are the errors I am now getting. Some are OSX related...SMH

check_that_splunk_app_package_does_not_contain_files_outside_of_app

• A file or folder was found outside of the app directory. Please remove this file or folder: ../._100-it_splunkcloud
• A file or folder was found outside of the app within the overall package. OR the file or folder does not have expected permission. Please remove this file or folder OR modify the permission : 100-it_splunkcloud
• A file or folder was found outside of the app within the overall package. OR the file or folder does not have expected permission. Please remove this file or folder OR modify the permission : ._100-it_splunkcloud

check_that_extracted_splunk_app_does_not_contain_prohibited_directories_or_files

• A prohibited file or directory was found in the extracted Splunk App: default/._app.conf
• A prohibited file or directory was found in the extracted Splunk App: ../._100-it_splunkcloud

Remove the checksum from app.conf.

Those errors seem self-explanatory.  The app contains files that aren't allowed.  Remove them and re-submit the app.  Apps may not contain hidden files (names starting with a dot).

Idk what I'm missing but there no dot under bar files/directories that I can find, so I'm not sure why it's still complaining about it. Super weird.

Use the ls -a command to see hidden files or just remove them using rm ._*.  (Yes, these are Linux commands.  Don't use Windows to package Splunk apps.)

Thanks for the suggestion.

I actually did a bunch of that but didn't do what I was looking for. I took it up to Reddit and people there led me to this -  https://unix.stackexchange.com/questions/9665/create-tar-archive-of-a-directory-except-for-hidden-fi...

Now it is complaining about the files in the local folder, which makes no sense to me bc I was under the impression those were critical to how the incoming data was being transformed.

Apps cannot contain a local directory because doing so would overwrite any changes made by the local admin.  Merge your local files into default.

See https://dev.splunk.com/enterprise/reference/appinspect/appinspectcheck/ to learn about the rules apps must follow.