Splunk Apps and Add-ons
In this section, we are going to learn about Splunk apps and add-ons, the Search and Reporting app, the Search Summary view, and where to find more apps and add-ons. Apps and add-ons allow us to extend the Splunk platform's functionality.
Application or app
An app is an application that runs on the Splunk platform. Apps are designed to analyze and display knowledge around a particular source or set of data. An app might contain any or all of the following configurations:
- Dashboards and support searches that incorporate data source and structure information.
- Authentication and other interfaces for the management of data sources.
- An application can allow the use of one or more add-ons to facilitate data collection or configuration.
Some apps are free, and others are paid. Examples of free apps include Microsoft Exchange Splunk App, AWS Splunk App, and DB Connect Splunk.
Add-on
An add-on offers specific capabilities that help to collect, standardize, and enrich data sources. It may include any or all of the following:
- Data source input configurations.
- Splunk Enterprise data sorting and transformation settings for structuring the data.
- Lookup files for data enrichment.
- Supporting knowledge objects.
Examples include Splunk Add-on for Checkpoint OPSEC LEA, Splunk Add-on for Package, and Splunk Add-on for McAfee.
App and add-on support
Anyone can develop an app or add-on for Splunk software. Splunk and its community members create apps and add-ons and share them with other Splunk software users on Splunkbase, the online app marketplace. Splunk doesn't support any of the Splunkbase apps and add-ons.
Search and Reporting app
By default, Splunk Enterprise provides the Search and Reporting app. The app offers Splunk Enterprise's core features. When we first log in to Splunk Web, the Splunk Home page provides a link to the app.
Find Splunk Search and Reporting
- Click the Splunk logo displayed in the upper right corner of the Splunk window. This takes us to Splunk Home.
- In the Splunk Home window, click Search & Reporting under Apps. This opens the Search Summary view in the Search app.
Search Summary View
The Search Summary view contains common elements, which include the Applications menu, the Splunk bar, the Apps bar, the Search bar, and the Time Range Picker. The panels below the search bar are unique to the Search Summary view: the How to Search panel, the What to Search panel, and the Search History panel.
The following table describes each of these elements.

| No. | Element | Description |
|---|---|---|
| 1 | Applications menu | Toggle between the applications we have built on Splunk. The current app, Search & Reporting, is listed here. This menu is in the Splunk bar. |
| 2 | Splunk bar | Edit our Splunk setup, view system-level messages, and get support while using the app. |
| 3 | Apps bar | Navigate between the different views in the app we are in. For the Search & Reporting app, the views are: Search, Metrics, Datasets, Reports, Alerts, and Dashboards. |
| 4 | Search bar | Specify the search criteria. |
| 5 | Time range picker | Specify the search time period, for example, last 30 minutes or yesterday or 24 hours. |
| 6 | How to search | Contains links to the search manual and guide for searches. |
| 7 | What to search | Shows a summary of the data uploaded to this Splunk instance that we are authorized to view. |
| 8 | Search history | Displays a list of the searches that we have run previously. The search history appears after our first search is completed. |
Splunk Web configuration to open directly to an app
Splunk Web can be configured so that it bypasses Splunk Home and opens in a different app of our choosing instead. This is called setting a default app. We recommend implementing this change by role, although we can also set a default app for all users or per user. A default app set for a specific user takes precedence over the default app set for that user's role.
Set a default app by role
We can set a default app for all users with a specific role. For example, we might send all users with the "user" role to an app that we made, and all admin users to the Monitoring Console.
To have all users with a particular role bypass Splunk Home:
- In Splunk Web, click Settings > Access controls.
- Click Roles.
- Click the name of the role that we want to configure.
- Use the Default app dropdown at the top of the screen to pick the default app.
- Click on the Save button.
Set a default app for all users
We can choose a default app that all users land in when they log in. For example, to set the Search app as the global default:
1. Create or edit
3. For the update to take effect, restart Splunk Enterprise.
Set a default app for a single user
In most cases, default apps should be set per role. But if our use case requires a default app for a particular user, we can set it through Splunk Web.
To make the Search app a user's default landing app:
- In Splunk Web, click Settings > Access controls.
- Click Users.
- Click the name of the user we wish to configure.
- Under the Default app, select the app we wish to set as default.
- Click Save.
The change takes effect without a restart.
Where to find more apps and add-ons
New apps and add-ons can be found on Splunkbase: https://splunkbase.splunk.com/.
The Splunk Enterprise dashboard also helps us to search for new apps.
If we are connected to the Internet
- Click the + sign below the last installed app to go directly to the app browser.
- We can also go to the apps manager page by clicking the gear next to Apps. Click Browse more apps to search for more content.
Note: If Splunk Web is located behind a proxy server, we might have trouble accessing Splunkbase. To solve this problem, we need to set the HTTP_PROXY environment variable, as described in the Splunk documentation on using Splunk Web with a reverse proxy configuration.
If we are not connected to the Internet
If our Splunk Enterprise server and client are not connected to the Internet, we need to download apps from Splunkbase and copy them to our server:
- From an Internet-connected computer, browse Splunkbase for the app or add-on we want.
- Download the app or add-on.
- Once downloaded, copy it to our Splunk Enterprise server.
- Put it in our $SPLUNK_HOME/etc/apps folder.
- Use a tool like tar -xvf (on *nix) or WinZip (on Windows) to untar and ungzip our app or add-on. Note that Splunk apps and add-ons are packaged with a .SPL extension even though they are just tarred and gzipped. We may need to force our tool to recognize this extension.
- Depending on the contents of the app or add-on, we may need to restart Splunk Enterprise.
- The app or add-on is now installed and can be found at Splunk Home, if it has a Web UI component.
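Because a .SPL file is an ordinary gzipped tar archive unpacked straight into $SPLUNK_HOME/etc/apps, its member list is worth checking before the untar step. The following check is an added example, not part of the original page or of Splunk's tooling; `audit_spl`, `build_sample_spl` and the `my_app` package are hypothetical names, and the sample archive is constructed in memory.

```python
import io
import posixpath
import tarfile


def audit_spl(fileobj):
    """List (member, problem) pairs for a .spl package before it is unpacked."""
    findings, top_level = [], set()
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        for m in tar.getmembers():
            norm = posixpath.normpath(m.name)
            if norm == ".":
                continue
            # Absolute names or ".." components would write outside etc/apps.
            if m.name.startswith("/") or norm == ".." or norm.startswith("../"):
                findings.append((m.name, "path escapes the extraction directory"))
                continue
            if m.issym() or m.islnk():
                findings.append((m.name, "link member"))
            elif not (m.isfile() or m.isdir()):
                findings.append((m.name, "special file"))
            if m.mode & 0o6000:
                findings.append((m.name, "setuid/setgid bit set"))
            top_level.add(norm.split("/", 1)[0])
    # Assumption of this check: a package unpacks into one app directory.
    if len(top_level) != 1:
        findings.append(("<archive>", f"top-level entries: {sorted(top_level)}"))
    return findings


def build_sample_spl(members):
    """Constructed input: an in-memory .spl (gzipped tar) of (name, bytes)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sample = build_sample_spl([
        ("my_app/default/app.conf", b"[ui]\nis_visible = 1\n"),
        ("my_app/../../outside.txt", b"constructed"),
    ])
    for name, problem in audit_spl(sample):
        print(f"{name}: {problem}")
```

An empty result only means the archive layout is safe to unpack; it says nothing about what the app's scripts do once Splunk loads them.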