Splunk Essentials (2015)
Chapter 5. Splunk Applications
In the previous chapter, we created reports and dashboards. In this chapter, we will make a slight digression from learning how to search and produce reports in Splunk to learning about Splunk applications. We will cover the following topics:
· What are Splunk applications?
· How to find Splunk applications
· The wide range of Splunk applications
· Splunk's app environment
· How to install an app
· How to manage apps
· Splunk's Twitter application
· Installing Splunk's Twitter app
What are Splunk applications?
Splunk applications or apps are a way to extend the capabilities of Splunk. They are easy to install and use. They enable Splunk to bring in data from many sources easily and efficiently, and to quickly generate reports and dashboards using the data. The latest count from Splunk, as of late 2014, shows that there are over 630 apps available.
Exploring the different types of applications is easy and is outlined in the following sections.
How to find Splunk apps
To look for apps, take the following steps:
1. Go to the Splunk home page.
2. Click on Apps.
3. Select Find More Apps. In the resulting screen, you will see a list of all the apps. Notice that there are many pages of apps to choose from, as shown in the following screenshot:
Browse for Apps
The wide range of Splunk applications
For a complete listing of all the current apps for Splunk, you can also go to https://apps.splunk.com/. Pay attention to the versions each app will run on, as this is very important to make sure that you will be able to access and use a particular app.
Splunk classifies apps into the categories listed in the following table. Note that some apps are classified in more than one category.
| Category | Number of Apps |
| --- | --- |
| Application Management | 112 |
| IT Operations Management | 213 |
| Security and Compliance | 210 |
| Business Analytics | 37 |
| Utilities | 192 |
| Cool Stuff | 115 |
Apps versus add-ons
Splunk differentiates between applications and add-ons:
· A Splunk app includes Splunk features, such as saved searches, reports, and dashboards that are built into a new graphic user interface. Many different apps (383 as of late 2014) have been developed by companies and users.
· Splunk add-ons are also numerous. Their main purpose is to tell Splunk how to handle a particular data source: how to break raw data into events, how to extract the host name, how to set or rename the sourcetypes, and how to define field extractions. They have several distinguishing features:
· They are generally smaller than an app
· They don't have their own GUI
· They may require extra configuration to work with Splunk
There are also a few suites for Splunk, which can consist of apps, add-ons, or both. These are larger, integrated sets of apps that are designed, supported, and installed by Splunk or a partner company.
The following list shows the other ways you can search apps and add-ons:
· By category (examples for each category follow in the next section)
· By support (either the Community or Splunk itself)
· By compatibility with the version of Splunk
· By Common Information Model
· By platform (Linux, Windows, FreeBSD, Solaris, AIX, OSX, HP-UX, and other platforms)
Types of apps
Splunk sorts apps into broad categories. These categories, along with some examples of apps falling into each category, are shown in the following table:
| Category | Examples of Apps and Add-ons |
| --- | --- |
| Application Management | Splunk App for Microsoft SQL Server; Ruby on Rails; Splunk App for Microsoft SharePoint; Google Voice Analytics; Splunk App for DMV; Hunk (for use with Hadoop) |
| IT Operations Management | Cisco IOS; Splunk for SAP; Traffic (analyzes traffic for large cities); Teradata Usage Monitor; Office 365 Data Import |
| Security and Compliance | Splunk for Symantec; Barracuda Web Filter; App for McAfee Web Gateway; Hurricane Labs App for Vulnerability Management; Oracle Solaris SMF Manifest |
| Business Analytics | Top Tweets for Twitter Sentiment Analysis; Analytics for iTunes; Dashboards for IBM Cognos; Self-Service Analytics and Visualization for Splunk |
| Utilities | Splunk Web Mobile; Shuttl (for Big Data); R Project; Splunk 6.x Dashboard Examples; Weather Alerts (from Weather Underground) |
| Cool Stuff | AfterGlow Visualization (for network analysis); Home Monitor; Splunk for Stocks Monitoring; Splunk for Money Exchange |
Splunk's app environment
Developing and maintaining different apps in a large enterprise environment can be difficult. Computer and application architectures are complicated: different types of data arrive from many different places, and these files and streams need to be monitored and acted upon in diverse ways, which is why Splunk is so useful. Splunk's app environment is the term for the way Splunk apps work with the rest of Splunk. Splunk's infrastructure lets developers create apps that build on the platform as they integrate with it, so deploying an enterprise Splunk system with the appropriate apps is straightforward. That is one reason for Splunk's recent rapid growth.
Creating a Splunk application
Creating an app may sound intimidating to new users, but the concept is simple, and doing so is good practice for any organization that uses Splunk. Each business unit may want its own app to hold its domain-specific data and knowledge objects. A company-specific app also makes it easier to keep the objects on a Splunk search head organized. A search head is a Splunk Enterprise instance that manages searching: it sends search requests to a set of search peers (the indexers that index the data and answer those requests), compiles their results, and returns them to the user. Any field extraction, search, report, or dashboard created in the context of an app stays in that app unless it is explicitly moved or shared. So when several business units or departments share one search head, each unit's objects live in its own app, with that app's own permissions, instead of being scattered across random apps. This scoping is one reason more and more apps are being added to Splunk's copious collection all the time.
How to install an app
It is easy to install an app in Splunk. To do so, perform the following steps:
1. Go to the Splunk home page.
2. Click on Apps.
3. Select Find More Apps:
Find More Apps
4. A list of apps and add-ons will open, as shown in the following screenshot:
Browse more apps screen
5. We will install the App for Twitter Data at the end of this chapter, but if there is another one you want to install, you can select it and click Install free.
6. Follow the instructions to install the app.
7. Restart Splunk, and you should see the app installed next to your other apps on the Splunk home page.
How to manage apps
Sometimes you will need to manage your apps. To go to the page where you can do this, take the following steps:
1. Go the Splunk home page.
2. Click Apps.
3. Select Manage Apps.
A screen like the following will open up:
Apps screen, where you can manage apps
4. From this page, note that you can find more apps online, install apps, and even create apps.
5. Also notice apps that you may not have realized were already installed, such as SplunkForwarder and SplunkLightForwarder. Both are disabled by default; enabling one turns this instance into a forwarder that sends its collected data on to another Splunk instance.
6. Finally, notice that you are able to change permissions for the app. The following screenshot shows the Permissions screen for the Search and Reporting app:
Permissions screen
7. You will see that everyone can read the objects in the app, but only users holding the admin or power role can write (create or change) anything in the app.
8. Lastly, notice that you can Enable or Disable each app, and that you can also Edit properties and View objects associated with the app. The following screenshot shows the Edit properties screen for the Search and Reporting app:
The Edit properties screen for the Search and Reporting app
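The app-per-business-unit layout described under Creating a Splunk application, and the read-for-everyone, write-for-admin-and-power permissions shown on the Permissions screen, both live in a handful of plain files under the app's directory. The following shell script is an added example, not from the book and not Splunk's own tooling: it scaffolds such an app, writes the permission file, checks that write access is not open to every role, and packages the result for installation. The app id secops_app, the label SecOps, and the author string are made-up placeholders; the commented install commands assume SPLUNK_HOME points at a Splunk 6.x instance.

```shell
#!/bin/sh
# Added example (not from the book): scaffold, permission, package and
# install a company-specific Splunk app from the command line.
# Assumptions: app id "secops_app", label "SecOps" and the author string are
# placeholders; $SPLUNK_HOME is only referenced in the commented install step.
set -eu

# make_app BASE_DIR APP_ID LABEL -> prints the app directory it created.
make_app() {
  base="$1"; app="$2"; label="$3"
  mkdir -p "$base/$app/default" "$base/$app/metadata" "$base/$app/local"

  # default/app.conf: what Apps > Manage Apps > Edit properties displays.
  cat > "$base/$app/default/app.conf" <<EOF
[install]
is_configured = false

[ui]
is_visible = true
label = $label

[launcher]
author = Security Engineering (placeholder)
description = Searches, reports and dashboards owned by the $label team
version = 1.0.0

[package]
id = $app
EOF

  # metadata/default.meta: the Permissions screen in file form.
  # read for everyone, write only for admin and power; export = none keeps
  # this app's knowledge objects out of every other app's search context.
  cat > "$base/$app/metadata/default.meta" <<EOF
[]
access = read : [ * ], write : [ admin, power ]
export = none
EOF
  printf '%s\n' "$base/$app"
}

# check_app APP_DIR -> 0 if the layout is complete and write is not world-open.
check_app() {
  dir="$1"
  [ -f "$dir/default/app.conf" ] || return 1
  [ -f "$dir/metadata/default.meta" ] || return 1
  grep -q '^id = ' "$dir/default/app.conf" || return 1
  # refuse a default.meta that lets every role write into the app
  if grep -q 'write : \[ \* ]' "$dir/metadata/default.meta"; then return 1; fi
  grep -q '^access = read : \[ \* ], write : \[ admin, power ]' "$dir/metadata/default.meta"
}

# package_app BASE_DIR APP_ID -> prints the path of the .tgz Splunk can install.
package_app() {
  base="$1"; app="$2"
  (cd "$base" && tar czf "$app.tgz" "$app")
  printf '%s\n' "$base/$app.tgz"
}

# Demo run in a scratch directory so nothing touches a live Splunk instance.
WORK="$(mktemp -d)"
APP_DIR="$(make_app "$WORK" secops_app SecOps)"
check_app "$APP_DIR" && echo "layout ok: $APP_DIR"
PKG="$(package_app "$WORK" secops_app)"
echo "package: $PKG"

# On a real instance (Splunk 6.x CLI, run as the user that owns Splunk):
#   $SPLUNK_HOME/bin/splunk install app "$PKG"
#   $SPLUNK_HOME/bin/splunk restart
#   $SPLUNK_HOME/bin/splunk disable app secops_app   # same as Disable in Manage Apps
```

Anything a user later changes through Splunk Web lands in the app's local directory and overrides default, so review local/ before packaging an app for another search head.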
Splunk's Twitter Application
There is an application for Splunk called App for Twitter Data that gives easy access to the 1 percent Twitter sample stream. This stream carries just 1 percent of the tweets in the full firehose, and it lets the user bring live tweets into Splunk. We will use version 3.0 of the app here. More information about it can be found at https://github.com/splunk/splunk-app-twitter.
Installing Splunk's Twitter app
In the next chapter, we will be working with Splunk's Twitter app to bring in live streams of tweets for analysis. But let's first get it set up for now.
You must start by obtaining a Twitter account, if you do not already have one.
Obtaining a Twitter account
We need to follow these steps to obtain a Twitter account:
1. Before installing this app, you must have an active Twitter account. To obtain an account, go to https://twitter.com/signup.
2. Enter your full name, email, and password.
3. Click where it says Sign up for Twitter.
4. Select a username and password.
5. Click Create My Account.
6. You should get an e-mail where you can click on the link within to begin using your account.
Obtaining a Twitter API Key
Now you will need to create a Twitter API (Application Programming Interface) key. Together with the access token you generate below, this key is what lets the Splunk app connect to Twitter on behalf of your account. Follow these steps:
1. Go to the Twitter Create an application page: https://apps.twitter.com and select Create New App. As shown in the following screenshot, insert a name for your application (it can be almost anything), a description (it can be almost anything), and a placeholder URL (it doesn't have to be real, but it must start with http://) for the website. These can be of your own choosing. Since you won't need a website, just put something in for now; for example, http://www.holdthisbps.com:
Create an application in Twitter
2. Check Yes, I agree in the box below the terms and conditions.
3. Click Create your Twitter application. You should see a screen like the one shown as follows:
Settings Information for Twitter API
4. Navigate to the Keys and Access Tokens tab at the top of the screen:
Application Settings for API
5. Click on Create my access token below the Token Actions area at the bottom of the page. You should see a page similar to the following screenshot:
Access Token for Twitter API
6. A new section called Your Access Token should now appear. If it doesn't, wait another minute and then reload the page.
7. You now have the four values the Twitter app needs: the API Key, API Secret, Access Token, and Access Token Secret. Keep this page open, as you will need them when you follow the instructions in the next section. Treat these values as passwords: anyone holding all four can act on Twitter as your account, so do not paste them into shared documents or commit them to source control, and regenerate them from this page if they are ever exposed.
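The four values collected above are OAuth 1.0a credentials: the API Key and API Secret identify the application you just registered, and the Access Token and Access Token Secret identify your account's grant to it. The following Python script is an added example, not from the book and not the Splunk app's own code, showing what the app does with them: every request to the sample stream is signed with HMAC-SHA1 over a canonical string, using the two secrets as the key, and Twitter recomputes the same signature to verify it. The credentials in CREDS are constructed placeholders, the function names are my own, and the endpoint URL is the Twitter API v1.1 sample stream the book refers to.

```python
"""
OAuth 1.0a request signing for the Twitter 1 percent sample stream.

Added example, not code from the book or from the Splunk App for Twitter
Data. It shows how the API Key, API Secret, Access Token and Access Token
Secret are used to sign a request, and why the two secrets must stay secret.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Twitter API v1.1 endpoint behind the "1 percent sample stream".
SAMPLE_STREAM_URL = "https://stream.twitter.com/1.1/statuses/sample.json"

# Constructed placeholders standing in for the four values from the Keys and
# Access Tokens page. Never hard-code real ones; load them from a secret store.
CREDS = {
    "api_key": "CONSUMER_KEY_PLACEHOLDER",
    "api_secret": "CONSUMER_SECRET_PLACEHOLDER",
    "access_token": "ACCESS_TOKEN_PLACEHOLDER",
    "access_token_secret": "ACCESS_TOKEN_SECRET_PLACEHOLDER",
}


def pct(value) -> str:
    """RFC 3986 percent-encoding as OAuth 1.0a requires (only - . _ ~ unescaped)."""
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """Canonical string that gets signed: METHOD&url&sorted-encoded-params."""
    encoded = sorted((pct(k), pct(v)) for k, v in params.items())
    param_str = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(url), pct(param_str)])


def sign(method: str, url: str, query: dict, creds: dict, nonce: str, timestamp) -> dict:
    """Return the oauth_* parameters, including the HMAC-SHA1 signature."""
    oauth = {
        "oauth_consumer_key": creds["api_key"],        # API Key
        "oauth_nonce": nonce,                           # one-time value per request
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_token": creds["access_token"],           # Access Token
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, {**query, **oauth})
    # The signing key is API Secret & Access Token Secret: both secrets, never sent.
    key = f"{pct(creds['api_secret'])}&{pct(creds['access_token_secret'])}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    oauth["oauth_signature"] = base64.b64encode(digest).decode()
    return oauth


def authorization_header(oauth: dict) -> str:
    """Format the oauth_* parameters as the value of the Authorization header."""
    parts = ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
    return "OAuth " + parts


def verify(method: str, url: str, query: dict, oauth: dict, creds: dict) -> bool:
    """What Twitter's side does: recompute the signature and compare in constant time."""
    claimed = oauth.get("oauth_signature", "")
    recomputed = sign(method, url, query, creds, oauth["oauth_nonce"], oauth["oauth_timestamp"])
    return hmac.compare_digest(claimed, recomputed["oauth_signature"])


def build_request(creds: dict = CREDS, query: dict = None, nonce: str = None, timestamp=None):
    """Produce the headers a client would send to open the sample stream."""
    query = query or {}
    nonce = nonce or secrets.token_hex(16)
    timestamp = timestamp or int(time.time())
    oauth = sign("GET", SAMPLE_STREAM_URL, query, creds, nonce, timestamp)
    return {"Authorization": authorization_header(oauth)}, oauth


if __name__ == "__main__":
    headers, params = build_request(query={"delimited": "length"})
    print(headers["Authorization"])
    print("verifies with correct secrets:", verify("GET", SAMPLE_STREAM_URL, {"delimited": "length"}, params, CREDS))
    wrong = dict(CREDS, access_token_secret="WRONG")
    print("verifies with wrong token secret:", verify("GET", SAMPLE_STREAM_URL, {"delimited": "length"}, params, wrong))
```

Because the secrets never leave the client, a leaked Authorization header only replays one request; a leaked API Secret or Access Token Secret lets anyone sign new requests as you until you regenerate the keys.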
Installing the Twitter app
To install the Twitter app, do the following:
1. Go to the Splunk home page.
2. Go to Apps.
3. Select Find More Apps.
4. In the search bar in the upper right corner, search for Twitter.
5. Select App for Twitter Data as shown in the following screenshot:
App for Twitter Data Listed with Other Apps
6. Click Install free. (In the previous picture, the app has already been installed, so it appears as Latest version installed.)
7. You will be asked to log in with your splunk.com account (the username and password you use on the Splunk website), not the admin account of your local Splunk instance, unless you happened to choose the same password for both.
8. You will need to Restart Splunk to install the app. This will take a few minutes.
9. Log back in to Splunk with your admin credentials.
10. You will see Install successful; click Set up now.
11. Carefully enter your API Key, API Secret, Access Token, and Access Token Secret from the Twitter API Keys page from the previous set of instructions; check the Enable Twitter Input box and then click Save:
Fill in the needed information for the Twitter App for Splunk
Note
You will need to click on the Restart Splunk button before you start seeing data collected from Twitter. Any time you want to turn off the Twitter input, uncheck the Enable Twitter Input box and save. Remember that the free license lets you index only 500 MB of data a day, and a live tweet stream can use that up quickly. Watch your daily volume: too many license warnings in a rolling 30-day period (three for the free license) will disable searching until the violations age out.
Now you are ready for the next chapter where we will analyze the live Twitter stream.
Summary
In this chapter, you learned what a Splunk app and add-on are, and you learned about their usefulness. We outlined the different types of applications, noted the numbers of various apps in different categories, and listed several examples of each. You learned how to find an app using Splunk's list of apps, and we discussed the ease and usefulness of developing a Splunk app for a company so that Splunk's functionalities can be used to smoothly work with the company's data. Finally, after introducing you to the Twitter app and learning about how to obtain a Twitter API key to use with it, we went through the process of installing it.
Next, we'll go on to Chapter 6, Using the Twitter App, and learn how you can use Splunk with this app to create reports and dashboards from streaming tweets.