Splunk Lantern

Developing add-ons with a Gold Standard methodology

 

Splunk has become the backbone of data-driven decision-making for thousands of organizations worldwide, but as its ecosystem of technology add-ons continues to grow, so do the complexities of developing and managing them. Splunk admins, developers, and partners alike frequently face hurdles—from inconsistent code quality and documentation to fractured testing approaches and inaccurate correlation of data sources with detections. Without unified quality and testing standards, these challenges slow development cycles, complicate troubleshooting, and even pose security risks.

To address these challenges, we are pleased to introduce the Splunk Gold Standard for Technology Add-ons (TAs). Built in collaboration with our internal teams and key partners, this initiative aims to provide a consistent framework and best practices for anyone creating or maintaining Splunk add-ons. By leveraging these guidelines, your organization can more easily develop robust, secure, and maintainable solutions that plug into the powerful Splunk platform.

In addition, we’ve launched the Community Contribution to Splunk TAs, enabling you to implement quality enhancements and CIM-related improvements directly in the source code. To foster collaboration, we allow repository sharing with Splunkers, SplunkTrust members, and partners who have signed NDAs. This encourages feedback, helps identify issues, and facilitates contributions to improve add-ons — all while leveraging the Gold Standard to ensure that every enhancement aligns with our quality guidelines.

In the sections that follow, we’ll introduce the core principles of the Gold Standard, covering development conventions (including recommended frameworks), testing methodologies, and best practices for documentation.

The four pillars of the Splunk Gold Standard for TAs

Before starting development, it’s crucial to have a clear understanding of the business need and the necessary features your TA must deliver. After that’s established, it's time to apply the Gold Standard to guide the development process. Built on lessons learned from years of TA development, these four pillars—development, testing, maintenance and supportability, and documentation—provide a comprehensive framework to ensure that your add-on meets the highest levels of quality, security, and usability. Let’s take a closer look at what each entails.

Development

Development encompasses all the processes, tools, and coding practices that ensure your TA is both robust and future-proof. Creating a Splunk TA isn't just about building a bridge to ingest and prepare data from specific sources; it’s about doing so reliably, securely, and in a way that can be enhanced or adapted over time. By treating TA development like any modern software project, you minimize technical debt and establish a solid foundation for future improvements.

Use of standard frameworks

  • Leveraging frameworks like the Universal Configuration Console (UCC) ensures your TA follows Splunk-recommended approaches, from handling configuration to providing a user-friendly UI.
  • UCC also provides out-of-the-box functionalities and structured REST handlers, saving you from reinventing the wheel.

Version control and CI/CD

  • Maintaining your project in a version control system and automating your build processes (via GitHub Actions, etc.) helps catch issues early and supports seamless collaboration, especially when multiple developers are involved.

Security and configuration checks

  • Incorporating security best practices (for example, password storage, up-to-date dependencies) and validating configurations from the start reduces the risk of data leaks or broken integrations.
  • Properly accounting for custom .conf files prevents unnecessary Splunk platform restarts and ensures a consistent user experience.
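
One way to automate the password-storage check in a CI pipeline, as an added example (not Splunk's or the UCC framework's own code): a scanner that flags credential-like keys holding plaintext values in an add-on's .conf text. The key-name pattern, the asterisk placeholder convention, and the sample stanzas are assumptions constructed for illustration.

```python
import re

# Assumption for this example: key names ending in these words hold credentials.
SECRET_KEY = re.compile(r"(password|passwd|secret|token|api_?key)$", re.I)
# Values accepted as safe: empty, a masked placeholder made of asterisks
# (assumed convention), or a Splunk-encrypted value prefixed with $1$ or $7$.
SAFE_VALUE = re.compile(r"^(\*+|\$[17]\$.+)?$")

# Constructed sample .conf content, not taken from a real add-on.
SAMPLE = """\
# constructed sample, not from a real add-on
[prod_account]
username = svc_splunk
password = Sup3rS3cret!
api_token = ********

[lab_account]
client_secret = $7$constructedciphertext==
proxy_password =
token_endpoint = https://idp.example.com/oauth/token
sslPassword = changeme
"""

def find_plaintext_secrets(conf_text):
    """Return (line_number, stanza, key) for credential-like keys with plaintext values."""
    findings = []
    stanza = "default"  # settings before any [stanza] header are global
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key = value line
        key, value = key.strip(), value.strip()
        # token_endpoint is not flagged: the pattern only matches at the end of the key
        if SECRET_KEY.search(key) and not SAFE_VALUE.match(value):
            findings.append((lineno, stanza, key))
    return findings

if __name__ == "__main__":
    for lineno, stanza, key in find_plaintext_secrets(SAMPLE):
        print(f"line {lineno}: [{stanza}] {key} holds a plaintext value")
```

Run against each .conf file under the add-on's default/ directory, a non-empty result can fail the build before a package containing plaintext credentials is published.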

Testing

When your TA fails to ingest data correctly or introduces unexpected field extractions, it compromises insights, troubleshooting, and even security monitoring within the Splunk platform. Comprehensive testing ensures reliability, catching issues early so you and your internal stakeholders don’t experience nasty surprises in production.

Multiple layers of testing

  • Unit tests: Validate each code component (especially custom Python scripts or logic) independently, ensuring they behave as expected.
  • Integration/End-to-end tests: Confirm that data is ingested, processed, and presented correctly within the Splunk platform. This is important for verifying that knowledge objects, inputs, and dashboards all mesh properly.

Automated pipelines

  • Embedding tests into your CI/CD process allows for quick feedback on newly committed changes. This reduces risk because you’re not relying solely on manual testing, which can be time-consuming and prone to human error.

Compatibility and upgrade testing

  • Splunk innovates frequently—through new versions, cloud variants, and different topologies. Testing for compatibility ensures that your TA works wherever you need to deploy it, minimizing support headaches.

Maintenance and supportability

Your TA doesn’t just exist at the moment of release; it continues to serve users through Splunk platform upgrades, data source changes, and real-world usage scenarios. Good maintenance practices—like gathering feedback from the field and partners, encouraging code contributions, validating your TA with downstream apps, and adopting thoughtful support strategies—ensure it remains stable, secure, and aligned with evolving requirements.

Monitoring and alerting

  • Proactive monitoring helps you understand how the TA is performing in real time—tracking data ingestion rates, error logs, and other health metrics. This visibility empowers you to spot and correct problems quickly.

Security and compliance

  • Regular scans for vulnerabilities (OSS, SAST, DAST) and adherence to standards like FedRAMP or FIPS 140-2 are essential for TAs used in regulated industries. By taking security seriously, you protect your environment and your reputation.

Upgrade paths and long-term support

  • Splunk evolves, and so do vendor products. Your TA should anticipate changes in APIs, authentication methods, or Splunk platform updates. By providing clear upgrade paths (and possibly long-term support versions), you help users transition smoothly without downtime or data loss.

Documentation

A great TA can fail to gain traction—or become a burden on support teams—if it’s poorly documented. Clear, concise, and up-to-date documentation is the bridge between your creation and the admins, developers, or security analysts who need to understand, configure, and extend it.

External, user-focused guides

  • Provide an overview of the TA’s functionality, along with how-to guides for installation, configuration, and troubleshooting.
  • Document data coverage (for example, which source types are supported, which fields map to CIM data models, etc.), so users see the immediate value.

Performance and scalability notes

  • If your TA supports large data volumes, highlight best practices for scaling. This transparency saves you from guesswork and potential performance bottlenecks.

Internal, developer-focused docs

  • Keep track of architectural decisions, library usage, and how the TA interacts with external systems. New contributors or maintainers will appreciate having a blueprint rather than starting from scratch.

Moreover, as part of our long-term strategy, we are adopting a docs-as-code workflow for TAs and have already implemented it for the AWS and Microsoft Cloud Services add-ons.

Real-world example: Splunk Add-on for Okta Identity Cloud

Okta integrations exemplify the Gold Standard by delivering robust, reliable solutions with comprehensive monitoring dashboards for real-time observability. This TA follows best practices in development and testing, ensuring high-quality user experiences and enhanced supportability.

Extending the Gold Standard to our partners

In the initial phase we are running a Gold Standard campaign for Splunk partners as part of the Partner Enablement program, empowering them to build great integrations and ensure their TAs meet the highest standards of quality and reliability. We also collect valuable feedback from our partners to continually improve and refine our guidelines.

How to start the journey with the Gold Standard and UCC framework?

The UCC framework is a pivotal part of building Gold Standard TAs - that’s how you get the Gold Standard seal of approval! To learn more, explore our UCC framework blog, engage with the Slack community, and review the official UCC documentation.

Have ideas on how to improve UCC? Contribute your suggestions—visit the Splunk guidelines page for details.