Splunk AppInspect is used internally at Splunk for app certification testing, Cloud installation approval, among many other things. I wrote this document to help users understand what’s important when submitting TAs to Splunk Cloud, and to allow for a streamlined app install on Cloud instances.
Why Do I Need AppInspect?
Whenever a request for a TA or app install is sent to Splunk Cloud, one of the very first sanity/security checks is to run the app through AppInspect. This process checks for misconfigurations, Splunk Cloud security requirements, and Splunk Cloud configuration rules. As Splunk Cloud guarantees 100% uptime, it is in everyone’s best interest that nothing is installed on a Splunk Cloud instance that doesn’t meet Cloud requirements.
Obtaining/Installing Splunk AppInspect
Splunk AppInspect is free and openly available to anyone.
For this demo, I will be installing Splunk AppInspect on MacOS v10.13 (High Sierra).
Note: Splunk states the install has been tested on 10.12, but that it should work for other versions of OS X/macOS as well. For more details around installation requirements, visit Splunk’s development website.
While I’m not here to bore you with CPU/RAM listings, there are a few settings we need to match so that our local AppInspect run uses the same configuration Splunk will test the app with. Step-by-step instructions are listed by Splunk here.
At a high-level:
- Install Homebrew package manager so we can use a brew CLI to make this process easier
- Install LXML support
- Install Python 2.7.x and Pip
- Install virtualenv
Now we’re ready to install AppInspect. Download AppInspect from the Splunk Development site listed above. Once it is installed, you can verify it’s working by issuing the command “splunk-appinspect --help”.
I’ve listed a few other prerequisites that I find useful in order to make sure the process goes smoothly:
- Include these config lines in your ~/.bash_profile. They ensure that the package you build does not include any hidden files (such as .DS_Store or the ._* resource-fork copies macOS tar adds) or other unwanted configs.
  - export COPYFILE_DISABLE=1
  - alias tar="tar --exclude='.*'"
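The two bash_profile lines above are easy to forget, so here is an added example script (not from the original post) that packages an app directory the same way, verifies the archive carries no dot-prefixed entries before submission, and wraps the AppInspect cloud check. It assumes the app directory is named after the app (e.g. TA-demo) and, for the last function, that splunk-appinspect is on PATH.

```shell
#!/bin/sh
# Package a TA for Splunk Cloud submission without hidden files or macOS
# resource forks, then sanity-check the archive before handing it to AppInspect.
set -eu

# Same setting as the ~/.bash_profile line: stop macOS tar adding ._* entries.
export COPYFILE_DISABLE=1

# package_app <app_dir> <out.tgz>: archive from the app's parent directory so
# entries are "AppName/..." (a leading "./" would itself match the .* pattern
# and exclude everything) and drop every dot-prefixed path component.
package_app() {
  app_dir=$1; out=$2
  parent=$(dirname "$app_dir"); name=$(basename "$app_dir")
  tar --exclude='.*' -czf "$out" -C "$parent" "$name"
}

# hidden_entries <archive>: print entries that still contain a dot-prefixed
# component (.git, .DS_Store, ._props.conf, ...). Empty output means clean.
hidden_entries() {
  tar -tzf "$1" | grep -E '(^|/)\.[^/]' || true
}

# check_package <archive>: succeed only if the archive is clean and contains a
# default/app.conf, the minimum AppInspect needs to identify the app.
check_package() {
  [ -z "$(hidden_entries "$1")" ] || { echo "hidden files present" >&2; return 1; }
  tar -tzf "$1" | grep -q '/default/app.conf$' || { echo "default/app.conf missing" >&2; return 1; }
  return 0
}

# run_appinspect <archive>: run AppInspect's CLI (assumed installed as above)
# with the cloud tag set, which is what a Splunk Cloud install request is
# checked against.
run_appinspect() {
  command -v splunk-appinspect >/dev/null 2>&1 || { echo "splunk-appinspect not found" >&2; return 127; }
  splunk-appinspect inspect "$1" --mode precert --included-tags cloud
}
```

Usage: package_app ./TA-demo /tmp/TA-demo.tgz && check_package /tmp/TA-demo.tgz && run_appinspect /tmp/TA-demo.tgz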
Creating a Custom app for Cloud Submission
The video I am providing with this document talks through the steps of stripping down and packaging a custom TA. The main goal of this demo is to submit a TA to Splunk Cloud that contains field extractions, tags, any necessary lookup tables, and eventtypes so that our data is CIM compliant.
The example uses the Citrix Netscaler TA which offers CIM compliance, but includes inputs that are not compatible with Splunk Cloud. Since we are running our inputs from a Heavy Forwarder on-prem, we don’t need any input configurations in the Cloud.
I’ve included the video, as well as the associated content below.