Splunk App Development Tips – Which App Type to Choose
When you start developing apps for Splunk, the first big question you hit is a bit unexpected: which technology do you work with, which app type do you choose?
A bit confusingly, Splunk offers three different (and largely incompatible) app stacks: Simple XML, Advanced XML and Web Framework. I am not very happy about this; there really should only be a single technology. Here is my recommendation on which type is useful for what:
As the name indicates, Simple XML offers fewer options than the other two but is easier to master, especially since you do not have to edit XML directly but can use the GUI to compose dashboards.
Advanced XML used to be the default choice for serious app development. uberAgent’s dashboards, for example, are built with Advanced XML. You can do much more in Advanced XML than you can in Simple XML – but you have to edit the XML source code directly with a text editor. No visual editor available here.
There is quite a bit of a learning curve. The XML syntax is arcane and much more difficult than really necessary. That means building your first dashboard will be hard. The second one will be a lot simpler. As will the third and any others. Typically all you need to do is copy the first one and edit the relevant sections. But any time you need to implement a new feature you hit that steep learning curve again.
What to Choose
The Web Framework is far superior to both Simple and Advanced XML in basically any category. However, it is a relatively new technology. This is different with Simple and Advanced XML, which have been around “forever”. Developers need to evaluate whether all of their potential customers have the Web Framework installed. In the case of uberAgent, we started development long before Splunk 6, and even now we do not want to force potential customers to upgrade their Splunk (5.x) infrastructure with the Web Framework component before they can try out our app. That is why we stick with Advanced XML for the time being. But Splunk 5 will reach its end of life when Splunk 7 is released, and we are certainly not going to be using Advanced XML much longer than that.