Splunk Dev

What is the preferred way to create an app?

CynthiaMhav
Explorer

I'm sorry if the question is ambiguous, but having explored Splunk tutorials, examples, and API references for two days now, I cannot even find a comparison between the alternative ways to create an app.

Ways I have so far explored:

  • CLI: $SPLUNK_HOME/etc/apps/framework/splunkdj createapp yourAppName

Referenced in several tutorials, like Tutorial: Create an app using Django Bindings

  • GUI: Splunk Home > Apps > Manage Apps > Create app

Referenced in tutorial Developing Views and Apps for Splunk Web

These two ways form a different default directory structure for the app (former one using ./django subdirectory's static folder, while latter one using ./appserver's static folder), but they both call themselves "Splunk Apps" and the static locations seem interchangeable despite how they were initialized.

So as my initial question was - which one of these is generally the preferred way?

Or if they are suited for separate use-cases what would there use-cases be?

1 Solution

apruneda_splunk
Splunk Employee
Splunk Employee

There isn't a preferred way, just additional options for developers.

The main difference is that creating an app in Splunk Web allows you to use drag-n-drop tools and a built-in UI, so you don't have to know programming. The other way that uses the CLI is for web developers who want to create a custom app using HTML and JavaScript (Django is the underlying framework, but using the Django syntax is optional).

Here are a couple of use cases:

Splunk Web (UI) app

  • You have saved reports and want to create a quick dashboard to view results using the built-in charts and visualizations.

Web developer (CLI) app

  • You want to create an app but you want to use charts and visualizations that aren't included in Splunk Web.
  • You want to customize how the app works, for example what happens when the user clicks on a table.
  • You want to create an app that does not run inside of Splunk Web, but runs on your own web server.

Put simply: if you're a web developer, use the CLI method.

View solution in original post

apruneda_splunk
Splunk Employee
Splunk Employee

Cynthia: Glad to help, let me try to answer your questions.

The two apps work the same way, but the Web Framework version (CLI) adds a /django directory for the Django web framework files and the app's page templates. Pages (aka dashboards) in Splunk Web apps are in XML format, and are in HTML for Web Framework apps.

Here's a brief summary of the different paths to customizing a Splunk Web app:

  • You want to do light tinkering, like renaming the panels or changing their properties.

    Use the drag-n-drop UI

  • You want to do deeper tinkering, like modifying chart properties that aren't exposed in the UI.

    Edit the XML source code

  • You want to modify more in the Splunk Web app, like changing the format and layout of dashboards, maybe add links or images or other HTML type things.

    Convert the individual dashboard to HTML

About that: This process turns the single dashboard (not the whole app) into an HTML file that you can edit, and you can access everything (searches, visualization, drilldown actions, etc.) programmatically using HTML+JavaScript. Drawbacks: the autogenerated code is verbose, no Django features, you can no longer use the UI editor (one-way conversion).

I think converting to HTML is a good learning tool, and useful if you just want to add HTML and don't need to modify the dashboard components, but personally I like a cleaner page (less clutter than autogenerated code) so I prefer creating pages using the Web Framework directly. Then you can also take advantage of the super simple Django syntax to work with searches and visualizations.

Actually, looking at the underlying code for each of these scenarios might help. Check out this comparison that shows the code for the same dashboard in XML, converted HTML, Django, and straightup HTML+JavaScript: Same dashboard using different components.

apruneda_splunk
Splunk Employee
Splunk Employee

I will add some docs to address the questions you brought up here. Thanks!
There's more than the /django folder. I would create a dummy Framework app, copy the /django and /appserver folders from it to your existing app, and then do a search on the dummy app name to change it to the existing app name.

CynthiaMhav
Explorer

Right, I also heard (by IRC) that simply copying folder with basic subfolders and files works as well. It is somewhat pity there's no clear distinction written in documents between these two ways of creating an app - because while Simple XML Dashboards use /search_mrsparkles/ dir templates, Django-based apps use totally different template source...

For me the Django way works better, since I need to customize beyond the things you wrote of. (E.g. "things Splunk UI isn't meant for...)

0 Karma

apruneda_splunk
Splunk Employee
Splunk Employee

There isn't a preferred way, just additional options for developers.

The main difference is that creating an app in Splunk Web allows you to use drag-n-drop tools and a built-in UI, so you don't have to know programming. The other way that uses the CLI is for web developers who want to create a custom app using HTML and JavaScript (Django is the underlying framework, but using the Django syntax is optional).

Here are a couple of use cases:

Splunk Web (UI) app

  • You have saved reports and want to create a quick dashboard to view results using the built-in charts and visualizations.

Web developer (CLI) app

  • You want to create an app but you want to use charts and visualizations that aren't included in Splunk Web.
  • You want to customize how the app works, for example what happens when the user clicks on a table.
  • You want to create an app that does not run inside of Splunk Web, but runs on your own web server.

Put simply: if you're a web developer, use the CLI method.

apruneda_splunk
Splunk Employee
Splunk Employee

I'll post a follow-up answer below, the answer comment box isn't long enough 🙂

0 Karma

CynthiaMhav
Explorer

I think this is the answer I looked for, thank you. 🙂

So otherwise there is no difference in inner workings of these two app-"types"? (I.e. the directory structure thingy, I mentioned in question..)

Also, could you please elaborate on the "available technologies" per way - like, are you still able to use Django Bindings and bare HTML/CSS/JS in Splunk Web app, or are you restraint to only drag-n-drop and XML (untill you convert it or something)?

I'll accept the answer as soon as have these are clear.. thanks again!

0 Karma

lguinn2
Legend

Well, if you are a Django developer, you might use the first way. But most people will use the second way (even Django developers).

The second way seems a lot easier, since all you have to do is log into the Splunk GUI.

a212830
Champion

What level of access does one need to create an app? Seems like power doesn't provide it, which is perplexing....

0 Karma
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...