I am the developer of a Splunk app, recently published on Splunkbase, that is intended for use as a sample, in the following sense:
Scope and intended use of the app
[This] app is not intended to be a fully-fledged out-of-the-box solution [...]. Instead, the app contains sample dashboards that demonstrate some example use cases for visualizing data from [proprietary product name].
The developers of [this app] anticipate that customers will examine these sample dashboards, and then perhaps copy and adapt selected visualizations into their own bespoke Splunk apps to match their own specific requirements.
A separate website (external to Splunkbase) supplies sample data for the app, so that users who want to try out the app can do so without requiring that "proprietary product".
I covet a "Splunk AppInspect Passed" badge for the app.
However, the AppInspect report includes the following failure:
[ Failure Summary ]
Failures will block the Cloud Vetting. They must be fixed.
check_indexes_conf_does_not_exist
Apps and add-ons should not create indexes. Indexes should only be defined by Splunk System Administrators to meet the data storage and retention needs of the installation. Consider using Tags or Source Types to identify data instead index location. File: default/indexes.conf
The app contains an indexes.conf file that defines an index; the app's macros.conf file defines macros that refer to that index name; searches in the app's dashboards refer to those macros.
I want users to store the sample data for this app in an index that is specifically for that purpose. I want them to be able to delete that index at will, without worrying about deleting other, "non-sample" data. I want to help inexperienced users avoid "polluting" indexes containing their "real" data with this "sample" data.
User beware? That stance might be considered unhelpful to an inexperienced Splunk user who has just inadvertently loaded sample data into an index they shouldn't have.
I anticipate that users will refer to this app as a starting point for developing their own apps that might or might not similarly constrain searches by index (I think that such constraints will be quite likely; for example, in multi-tenant environments).
Is there any way I can get that "Splunk AppInspect Passed" badge without removing indexes.conf from the app?
Yes, I could remove indexes.conf, push the task of defining a specific index onto the user, and describe how to do this in documentation, but I deliberately want to minimize the number of manual setup steps for this app.
@Graham_Hannington
indexes.conf should not be in a Splunk app. Here, I'm suggesting to remove indexes.conf and mention the index-creation steps in the documentation. Here you have to mention where they have to create an index in the Splunk architecture.
No. The tool won't let this pass vetting if an index.config is contained in the package. It is considered to be a best practice NOT to have one in an app, thus, the codified rule.
Hi @Graham_Hannington I posted a related answer to your question here https://answers.splunk.com/answers/807985/is-it-best-practice-to-constrain-searches-by-index.html#an...
In that answer, hopefully I explained the reason that indexes.conf should be excluded, and a workaround using macros (which it seems you already use).
The path of least resistance is to invite the user to configure your application and define the contents of your index macro when you install the app.
Failing that, the next best option is documentation which explains how the user should configure it.
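One way to check an app folder before submitting it, following the advice in the answers above. This is an added example, not code from the thread or from Splunk; the app layout, macro names and index name are constructed, and it does not reproduce AppInspect's own logic. It lists any packaged indexes.conf and the macros that pin an index name, which are the settings the user would need to be told to edit.

```python
import configparser
import re
import tempfile
from pathlib import Path

# Matches index=name, index = "name" and index::name inside a macro definition.
INDEX_REF = re.compile(r'\bindex\s*(?:=|::)\s*"?([\w*-]+)"?', re.IGNORECASE)

def preflight(app_dir):
    """Return (indexes.conf paths, {macro stanza: [index names]}) for an app directory."""
    app = Path(app_dir)
    # Any packaged indexes.conf is what the failure quoted in the question reports.
    found = sorted(p.relative_to(app).as_posix() for p in app.rglob("indexes.conf"))
    index_macros = {}
    macros_conf = app / "default" / "macros.conf"
    if macros_conf.is_file():
        cp = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",), comment_prefixes=("#",))
        cp.optionxform = str  # keep setting names case-sensitive
        cp.read(macros_conf, encoding="utf-8")
        for stanza in cp.sections():
            names = INDEX_REF.findall(cp.get(stanza, "definition", fallback=""))
            if names:
                index_macros[stanza] = names
    return found, index_macros

def build_sample_app(root):
    """Constructed sample layout; app, macro and index names are hypothetical."""
    default = Path(root) / "sample_app" / "default"
    default.mkdir(parents=True)
    (default / "indexes.conf").write_text(
        "[sample_data]\nhomePath = $SPLUNK_DB/sample_data/db\n")
    (default / "macros.conf").write_text(
        "[sample_index]\ndefinition = index=sample_data\n\n"
        "[sample_events(1)]\ndefinition = `sample_index` sourcetype=$st$\nargs = st\n")
    return default.parent

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        confs, macros = preflight(build_sample_app(tmp))
        for path in confs:
            print(f"FAIL  {path}: remove before packaging, document index creation")
        for name, indexes in macros.items():
            print(f"NOTE  macro [{name}] pins index {indexes}: document as user-editable")
```

Macros that only call another macro, such as the constructed `sample_events(1)`, are not reported, so the output narrows to the single place where the index name is set.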
Forgive me if I am missing one or more key points here, but I am confused as to why the AppInspect tool fails with an error when the Splunk documentation (https://dev.splunk.com/enterprise/docs/planapps/cloudready/#Cloud-ready-app-guidelines-for-Splunk-Cl...) clearly states defaults/indexes.conf files are allowed within the indicated constraints.
If I have an app that has been in use for years with an index defined and I suddenly remove it in a future update, all the users of the app that perform the upgrade will see their index (and historical data) disappear.