Chapter 2. Presenting Data to Users as a Splunk App

This book assumes that you have already used Splunk in the past and are familiar with searching and administration of the application. So by now you have most likely seen how Splunk is able to visualize your searches into graphs and reports. Although Splunk indexing and searching is a major aspect of the application, the visualization is where Splunk takes things to the next level as it means that you can save reports and tailor graphs to allow non-Splunk users to simply access and see the results they need without having to know the inner workings of how the data is transferred to Splunk and how the search requests are constructed.

In this chapter, we will continue to develop our knowledge of the Splunk Web Framework and learn the following:

• What Splunk Apps are and why is it important for us to use them
• How to create Splunk App from the web interface and the command line
• The basic Splunk App file structure
• Creating dashboards and panels within our Splunk App and starting to create visualizations of our data
• How to create and design tools that are catered specifically to your user
• Further our working knowledge of Git

A Splunk app is the first part in controlling your visual interface and segregating relevant data into a logical area that users will know has the data and reports that they need. A Splunk app also allows developers to more closely follow a development process as discussed in the previous chapter as your development will be centered around a specific aspect of an app, segregated away from the rest of Splunk, where development and testing can continue uninterrupted.

If you want to break things down into its simplest terms, a Splunk app is a container. The following diagram gives a rough idea of a Splunk app in this mindset, with a bottle as our container with many dashboards, charts, and visualizations. You may have one dashboard or report, or you may have many. Ultimately, you could simply have a Splunk app that has nothing inside it. The main search interface of Splunk is, in itself, a Splunk app.

Note

Is a Splunk Add-on the same as a Splunk app? The simple answer is no. A Splunk Add-on is similar to a Splunk app as it is a stand alone piece of code that is installed on your system in a similar way to a Splunk app, but instead it provides different functionality. A Splunk Add-on runs on the platform but provides a specific capability to other Splunkapps, such gathering or collecting data or processing it or mapping extra data and usually does not run as a standalone application. In this book, as we are focusing on the visual aspects of Splunk we will not be doing any specific work on create Splunk Add-on's. For more information on the difference between an app and an Add-on, please refer to the Splunk developers guide at the following URL:  http://dev.splunk.com/view/dev-guide/SP-CAAAE28.

Just before we move a little further, I just want to make sure we are clear about some definitions about the explanation of a Splunk app. We stated that a Splunk app is a container for dashboards. A Dashboard is a collection of panels grouped together to provide a user interface to the user. Panels are individual items including graphs, charts, or visualization items that present a single set of information within the dashboard. This is usually in the form of a saved search or the result of a report.