Splunk® Add-on Builder

Splunk Add-on Builder User Guide


What's new

Here's what's new in each version of the Splunk Add-on Builder.

Version 2.2.0

What's new in this release:

  • The Add-on Builder allows you to map your data events to any data model which follows the Splunk Add-on Builder standard. For details, see Map to data model.
  • The Add-on Builder allows you to manage source types and extract fields of the other apps and add-ons which were not created using Add-on Builder.
  • The Add-on Builder provides three ways to extract fields: assisted extractions, manual extractions, and manual transformation. For details, see Extract fields.
  • You can now import and export projects in Splunk Web or by using the migration scripts. For details, see Import and export an add-on project.
  • Improvements have been made to the Manage source types page. For details, see Manage source types.
  • The documentation now provides guidance on which third-party libraries to credit in the add-ons you create with Add-on Builder. See Credit third-party libraries.

Version 2.1.2

What's new in this release:

Version 2.1.1

What's new in this release:

Version 2.1.0

What's new in this release:

  • The Add-on Builder has a new and enhanced setup library consistent with modern Splunk-built add-ons.
  • The Add-on Builder no longer requires you to restart Splunk Enterprise when building new data inputs, creating a new add-on, or any other step.
  • The Add-on Builder home page has been updated and improved.
  • You can now import and export add-on projects, allowing you to work on an add-on on different computers and share projects with others. For details, see Import and export add-on projects.
  • You can now use the Add-on Builder to add CIM mapping to apps and add-ons that were not created using Add-on Builder. For details, see Work with other apps and add-ons.
  • When you configure data inputs using a REST API, you can now add checkpointing for incremental data collection and set JSON event breaking. For details, see Add a data input using a REST API.
  • Improvements have been made to the CIM mapping UI. For details, see Map to CIM.
  • Changes have been made to the way global accounts are implemented in the setup page for an add-on. For details, see Create a setup page.


Upgrade add-ons from earlier versions

When you open an add-on project that was created in an earlier version of Add-on Builder, the add-on is automatically upgraded. Note the following changes:

  • Any UI or dashboards that were created outside of Add-on Builder will no longer be available.
  • If you made any changes outside of Add-on Builder to configuration files, review these files in case your changes were not migrated.
  • Setup pages have changed in version 2.1.0 and are upgraded to the new style. Due to changes between these styles, review your setup pages and verify the text appears correctly. Ensure that display labels for input fields are unique.
  • If you created data inputs with Python code in Add-on Builder 2.0.0, you must upgrade your code for version 2.1.0.
    Replace: def collect_events(helper, inputs, ew):
    With: def collect_events(helper, ew):

Version 2.0.0

What's new in this release:

  • The validation process has been enhanced to include App Certification readiness. This validation process can also be performed on apps and add-ons that were created outside of Add-on Builder. For details, see About Splunk App Certification.
  • You can now create alert actions for your add-ons using the Add-on Builder. For details, see Create alert actions.
  • You can now create adaptive response actions for use with Splunk Enterprise Security. For details, see Create an adaptive response action for Enterprise Security.
  • The Add-on Builder is easier to use with a new workflow and enhanced UI.
  • Bug fixes. For details, see Fixed issues.

Version 1.1.0

What's new in this release:

  • Additional data formats (JSON, XML, and tabular) are now supported, improving field extraction.
  • Adding sample data is easier, with the option to upload sample data files and indexed data from Splunk Enterprise.
  • Support for field extraction and CIM mapping has been added for indexed data in Splunk Enterprise.
  • The framework for modular inputs has changed. See below for details about migrating your code.
  • Bug fixes. For details, see Fixed issues.

Migrating modular input code from an earlier release

The framework for modular inputs has changed. If you are upgrading the Add-on Builder app from a previous release, update your Python code for any modular inputs you created as described below.

Create events

Use the self.new_event method to create events for modular inputs rather than creating an event directly using smi.Event. The arguments are the same.

For example, in the auto-generated code for modular inputs, you would update the sample code as follows.

1. Find this line:

event = smi.Event(source=self.input_name, index=self.output_index, sourcetype=self.output_sourcetype, data=data)

2. Replace it with this line:

event = self.new_event(source=self.get_input_name(), index=self.get_output_index(), sourcetype=self.get_sourcetype(), data=data)

Read configurations from setup pages

The following example code, also included in the auto-generated code for modular inputs, shows how to read configurations from setup pages in the new framework for version 1.1.0:

arg_value = self.get_arg('arg_name')
proxy_settings = self.get_proxy()
account = self.get_user_credential("admin")
userdefined = self.get_global_setting("userdefined")

Version 1.0.1

What's new in this release:

Version 1.0.0

This is the first release of the Splunk Add-on Builder.


This documentation applies to the following versions of Splunk® Add-on Builder: 2.2.0

