Splunk App Development Tips - Which App Type to Choose

Logs & Metrics
Published Jul 16, 2014 Updated Apr 19, 2025

When you start with developing apps for Splunk the first big question you hit is a bit unexpected: which technology do you work with, which app type do you choose?

A bit confusingly Splunk offers three different (and largely incompatible) app stacks: Simple XML, Advanced XML and Web Framework. I am not very happy about this, there really should only be a single technology. Here is my recommendation on which type is useful for what:

Kodak Advance Enlarger 1940 by Nesster under CC

Simple XML

As the name indicates, Simple XML offers fewer options than the other two but is easier to master. Especially since you do not have to do edit XML directly but can use the GUI to compose dashboards.

Advanced XML

Advanced XML used to be the default choice for serious app development. uberAgent’s dashboards, for example, are built with Advanced XML. You can do much more in Advanced XML than you can in Simple XML - but you have to edit the XML source code directly with a text editor. No visual editor available here.

There is quite a bit of a learning curve. The XML syntax is arcane and much more difficult than really necessary. That means building your first dashboard will be hard. The second one will be a lot simpler. As will the third any others. Typically all you need to do is copy the first one and edit the relevant sections. But any time you need to implement a new feature you hit that steep learning curve again.

Web Framework

The Web Framework has been introduced as a native component with Splunk 6, but it is available as a separate download for Splunk 5. It enables you to use technologies familiar to any web developer: HTML, JavaScript, and (optionally) Django. With that, the developer base broadens considerably which simplifies initial development and ongoing maintenance a lot.

What to Choose

The Web Framework is far superior to both Simple and Advanced XML in basically any category. However, it is a relatively new technology. This is different with Simple and Advanced XML which have been around “forever”. Developers need to evaluate whether all of their potential customers have the Web Framework installed. In the case of uberAgent, we started development long before Splunk 6, and even now we do not want to force potential customers to upgrade their Splunk (5.x) infrastructure with the Web Framework component before they can try out our app. That is why we stick with Advanced XML for the time being. But Splunk 5 will reach is end of life when Splunk 7 is released and we are certainly not going to be using Advanced XML much longer than that.

Advanced XML App Development Logs & Metrics Simple XML Splunk Web Framework

Comments

Comments are powered by Giscus. Please enable JavaScript to view them, or view discussions directly on GitHub.

Related Posts

Splunk Accelerated Data Models - Part 3

Splunk Accelerated Data Models - Part 3

This article is based on my Splunk .conf 2015 session and is the second in a mini-series on Splunk data model acceleration. Make sure to read parts 1 and 2 first.

Why Sizing for Averages is a Bad Idea

Why Sizing for Averages is a Bad Idea

When sizing a new environment it is tempting to use averages. It seems the logical thing to do. But it also guarantees a bad user experience. Example: Sizing an RDS or XenApp Farm Let’s say you’re tasked with building a new Citrix XenApp farm. Being a diligent IT person you set up a pilot: one or two machines with all the right software and settings. Then you carefully select a group of pilot users in such a way that they represent the organization’s employee types statistically correctly. Then you let them work on the new platform, ironing out bugs and such. At the end of that period, you have a great new platform. But there is one big question left: how many servers to buy?!

Splunk App Development Tips - Working with Splunk

Splunk App Development Tips - Working with Splunk

This is a collection of useful tips and resources for developing Splunk apps. For an explanation of the available app types please see my earlier article on the topic. Splunk Search References and Guides Splunk publishes two excellent resources for learning and working with its search processing language (SPL):

Splunk Accelerated Data Models - Part 1

Splunk Accelerated Data Models - Part 1

This article is based on my Splunk .conf 2015 session and is the first in a mini-series on Splunk data model acceleration. Why Accelerate? Have you ever seen this? Splunk is great and very fast with needle in a haystack searches, e.g. find a specific keyword in millions of events. It is not so fast with searches that perform calculations on millions of events, e.g. the sum or average of fields.

Latest Posts

Fast & Silent 5 Watt PC: Minimizing Idle Power Usage

Fast & Silent 5 Watt PC: Minimizing Idle Power Usage

This micro-series explains how to turn the Lenovo ThinkCentre M90t Gen 6 into a smart workstation that consumes only 5 Watts when idle but reaches top Cinebench scores while staying almost imperceptibly silent. In the first post, I showed how to silence the machine by replacing and adding to Lenovo’s CPU cooler. In this second post, I’m listing the exact configuration that achieves the lofty goal of combining minimal idle power consumption with top Cinebench scores.

Fast & Silent 5 Watt PC: Lenovo ThinkCentre M90t Modding

Fast & Silent 5 Watt PC: Lenovo ThinkCentre M90t Modding

This micro-series explains how to turn the Lenovo ThinkCentre M90t Gen 6 into a smart workstation that consumes only 5 Watts when idle but reaches top Cinebench scores while staying almost imperceptibly silent. In this first post, I’m showing how to silence the machine by replacing and adding to Lenovo’s CPU cooler. In a second post, I’m listing the exact configuration that achieves the lofty goal of combining minimal idle power consumption with top Cinebench scores.

Scripted WordPress to Hugo Migration

Scripted WordPress to Hugo Migration

After having published in WordPress for almost 20 years, it was time for a change. This site is now rendered by Hugo, a static website generator built for Markdown content hosted in a Git repository. The migration from WordPress (HTML) to Hugo (Markdown) was far from trivial. Since I couldn’t find any tool for the job, I developed my own set of migration scripts that fully automate the migration process. You can find them on GitHub along with extensive documentation.

Mitsubishi Heat Pump Data in Home Assistant via Modbus

Mitsubishi Heat Pump Data in Home Assistant via Modbus

This article shows how to get detailed information about your Mitsubishi heat pump’s status and operations into Home Assistant. Prerequisites You’ll need a Mitsubishi Modbus interface, either the older A1M (serial Modbus/RTU via RS-485 only) or the newer A1M+ (Modbus/TCP via Ethernet in addition to Modbux/RTU). I’m using the Ethernet variant.

Home Automation, Networking & Self-Hosting