Splunk AppInspect: Creating in-house quality assurance for your apps

Splunk allows users to create their own apps and TAs (technology add-ons) to allow for custom configurations within Splunk. As the Splunk community grows, it's nice to have the option of evaluating apps or TAs. Brian's latest tutorial goes over a tool that helps with this evaluation, discusses what it's all about, and also includes a tutorial for creating a custom app for Cloud submission to bring things all together.



Introduction

Splunk allows users to create their own apps and TAs (technology add-ons) to allow for custom configurations within Splunk itself. Whether it is a fancy dashboard containing JavaScript, a custom API input driven by Python scripts, or field extractions and event tagging, it can all be done through a custom app or TA. As the community of Splunk users and published apps continues to grow, Splunk has developed a tool that evaluates your app or TA against its rules. That tool is called Splunk AppInspect.

Splunk AppInspect is used internally at Splunk for app certification testing, Cloud installation approval, among many other things. I wrote this document to help users understand what’s important when submitting TAs to Splunk Cloud, and to allow for a streamlined app install on Cloud instances.

Why Do I Need AppInspect?

Whenever a request for a TA or app install is sent to Splunk Cloud, one of the very first sanity/security checks is to run the app through AppInspect. This process checks for misconfigurations, Splunk Cloud security requirements, and Splunk Cloud configuration rules. As Splunk Cloud guarantees 100% uptime, it is in everyone’s best interest that nothing is installed on a Splunk Cloud instance that doesn’t meet Cloud requirements.

Obtaining/Installing Splunk AppInspect

Splunk AppInspect is free and openly available to anyone. 

For this demo, I will be installing Splunk AppInspect on macOS 10.13 (High Sierra).

Note: Splunk states the install has been tested on 10.12, but that it should work for other versions of OS X/macOS as well. For more details around installation requirements, visit Splunk’s development website.

Installation Prerequisites

While I’m not here to bore you with CPU/RAM listings, AppInspect should be run in the same environment Splunk uses when it tests your app, so a few prerequisites matter. Step-by-step instructions are listed by Splunk here.

At a high-level:

  1. Install Homebrew package manager so we can use a brew CLI to make this process easier
  2. Install LXML support
  3. Install Python 2.7.x and Pip
  4. Install virtualenv

Now we’re ready to install AppInspect. Download AppInspect from the Splunk Development site listed above. Once it is installed, you can verify it runs by issuing the command “splunk-appinspect --help”.

I’ve listed a few other prerequisites that I find useful in order to make sure the process goes smoothly:

  1. Include these two lines in your ~/.bash_profile. The first stops macOS tar from adding AppleDouble “._*” resource-fork copies of every file to the archive; the second keeps hidden files such as .DS_Store out of it. Together they ensure the package AppInspect sees contains only your configs.
    • export COPYFILE_DISABLE=1
    • alias tar="tar --exclude='.*'"
  One caveat with the alias: “.” itself matches the pattern, so never run tar from inside the app directory with “.” as the path. Package the named directory from its parent instead.

Creating a Custom app for Cloud Submission

The video I am providing with this document talks through the steps of stripping and packaging a custom TA. The main goal of this demo is to submit a TA to Splunk Cloud that contains field extractions, tags, any necessary lookup tables, and eventtypes so that our data is CIM compliant.

The example uses the Citrix Netscaler TA which offers CIM compliance, but includes inputs that are not compatible with Splunk Cloud. Since we are running our inputs from a Heavy Forwarder on-prem, we don’t need any input configurations in the Cloud. 

I’ve included the video, as well as the associated content below.

Video Overview

The example case we used has a specific purpose: obtain field extractions, knowledge objects, and CIM compliance for Citrix Netscaler logs on a Cloud search head. When running the AppInspect command, we specified that we were testing against the Splunk Cloud rules. We created a “stripped” version of Splunk_TA_citrix-netscaler that carries our field extractions and tags without introducing any unnecessary inputs or UI elements. By removing everything except tags, eventtypes, props, transforms, and lookups, we avoided the Cloud check failures that the full TA would have triggered. We also changed the id attribute in the [package] stanza of app.conf to reflect the new TA’s name, so the stripped TA is installed under its own name rather than the original add-on’s.
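As an added example (not code from the original post, the video, or Splunk), here is a POSIX shell script that does what the video walks through and what the .bash_profile lines above are for: it builds a constructed stand-in for Splunk_TA_citrix-netscaler, copies only app.conf, props, transforms, tags, eventtypes and lookups into a new TA, rewrites the [package] id, packages it with the same dot-file exclusion, and then checks the resulting archive for hidden members and leftover inputs. The TA name TA-netscaler-knowledge, the conf contents, the lookup and the macOS junk files are assumptions constructed for illustration; the real add-on’s files are not reproduced here.

```shell
#!/bin/sh
# Added example (not from the original post or from Splunk): strip a TA down to
# its knowledge objects, rename the package, and tar it without macOS junk.
# The Splunk_TA_citrix-netscaler content below is a constructed stand-in, not
# the real add-on's files.
set -eu
export COPYFILE_DISABLE=1   # macOS tar: do not add AppleDouble ._* members

# Files that are safe to carry to a Cloud search head (no inputs, bin, or UI).
KEEP_FILES="default/app.conf default/props.conf default/transforms.conf default/tags.conf default/eventtypes.conf"

# make_sample_ta WORKDIR: build the constructed source TA and print its path.
make_sample_ta() {
  ta="$1/Splunk_TA_citrix-netscaler"
  mkdir -p "$ta/default" "$ta/lookups" "$ta/appserver/static" "$ta/bin"
  printf '[package]\nid = Splunk_TA_citrix-netscaler\n\n[ui]\nis_visible = 0\n' > "$ta/default/app.conf"
  printf '[citrix:netscaler:syslog]\nREPORT-netscaler = netscaler_kv\n' > "$ta/default/props.conf"
  printf '[netscaler_kv]\nREGEX = (\\w+)=(\\S+)\nFORMAT = $1::$2\n' > "$ta/default/transforms.conf"
  printf '[eventtype=netscaler_network]\nnetwork = enabled\n' > "$ta/default/tags.conf"
  printf '[netscaler_network]\nsearch = sourcetype=citrix:netscaler:syslog\n' > "$ta/default/eventtypes.conf"
  printf '[monitor:///var/log/netscaler]\nsourcetype = citrix:netscaler:syslog\n' > "$ta/default/inputs.conf"
  printf 'action,action_desc\nALLOW,permitted\nDENY,blocked\n' > "$ta/lookups/netscaler_actions.csv"
  printf '// custom dashboard code\n' > "$ta/appserver/static/netscaler.js"
  printf '#!/usr/bin/env python\n' > "$ta/bin/netscaler_input.py"
  : > "$ta/.DS_Store"              # Finder metadata (constructed junk)
  : > "$ta/default/._app.conf"     # AppleDouble resource-fork copy (constructed junk)
  echo "$ta"
}

# strip_ta SRC DEST NEW_ID: copy only knowledge objects and lookups into DEST,
# then rewrite the [package] id so the new TA does not collide with the original.
strip_ta() {
  src="$1"; dest="$2"; new_id="$3"
  mkdir -p "$dest/default" "$dest/lookups"
  for f in $KEEP_FILES; do
    if [ -f "$src/$f" ]; then cp "$src/$f" "$dest/$f"; fi
  done
  for f in "$src"/lookups/*; do            # the glob skips dot files
    if [ -f "$f" ]; then cp "$f" "$dest/lookups/"; fi
  done
  sed -i.bak "s/^id *=.*/id = $new_id/" "$dest/default/app.conf"
  rm -f "$dest/default/app.conf.bak"
}

# package_ta PARENT NAME OUT: tar from the parent directory so the top-level
# member is NAME. Never tar '.' with this exclusion: '.*' would match it.
package_ta() {
  tar --exclude='.*' -czf "$3" -C "$1" "$2"
}

# hidden_count ARCHIVE: how many members have a basename starting with '.'
hidden_count() {
  tar -tzf "$1" | awk -F/ '{ n = $NF; if (n == "" && NF > 1) n = $(NF-1)
                            if (n ~ /^\./) c++ } END { print c + 0 }'
}

# has_member ARCHIVE REGEX: succeed if any member name matches REGEX.
has_member() {
  tar -tzf "$1" | grep -Eq "$2"
}

# build_demo: run the whole procedure in a temp dir and print the archive path.
build_demo() {
  work=$(mktemp -d)
  src=$(make_sample_ta "$work")
  strip_ta "$src" "$work/TA-netscaler-knowledge" TA-netscaler-knowledge
  : > "$work/TA-netscaler-knowledge/.DS_Store"   # Finder drops one after stripping too
  package_ta "$work" TA-netscaler-knowledge "$work/TA-netscaler-knowledge.tgz"
  echo "$work/TA-netscaler-knowledge.tgz"
}

archive=$(build_demo)
echo "packaged: $archive"
tar -tzf "$archive"
echo "hidden members: $(hidden_count "$archive")"
# Next step (not run here): splunk-appinspect inspect "$archive" --mode precert --included-tags cloud
```

The listing should show only the default/*.conf knowledge files, app.conf and the lookup, with no inputs.conf, bin, appserver, .DS_Store or ._* members. The last comment is the AppInspect CLI invocation for a Cloud pre-certification run, which is the "testing for Splunk Cloud regulations" step the video performs; the script stops before it so it runs offline.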

Submission for Installation

Now that we have a TA that has passed inspection, we are ready to submit it for installation. Do this by navigating to support.splunk.com and logging into the Support Portal with an account that is entitled under your Splunk licensing entitlement.

From there, you can raise a request by clicking “Submit New Case” for your TA to be installed.

I’ve included a request example for reference that I typically use when requesting a TA for field extractions be installed on a Cloud Search Head.

Enjoy!
