Developing Dashboards, Views, and Apps for Splunk Web

 


Complete C++ Example

This documentation does not apply to the most recent version of Splunk.

Before building, set up your build environment. An easy way is to source the script $SPLUNK_HOME/bin/setSplunkEnv. This is the same environment used to run the Splunk server, so the same shared libraries can be found at runtime.


> source /opt/splunk/bin/setSplunkEnv

The following is a sample processor written in C++ that just adds some text to the end of each event.


It can easily be extended using the same pattern to process other attributes such as source, host, sourcetype, etc.


1) Compile it using:


g++ -o sampleProcessor -I$SPLUNK_HOME/include -L$SPLUNK_HOME/lib sampleProcessor.cpp -lextcmdapi

2) Copy the compiled binary to a convenient location, such as your module's directory under etc/modules.


3) Add the XML config section and restart.


Configure the text string to append by adding this XML after your <command>:


<addToRaw>All your log are belong to Splunk</addToRaw>

Complete C++ Code

#include "splunk-extplugin.h"
#include <stdio.h>
#include <string.h>
#include <string>
#include <sys/stat.h>
#include <errno.h>
//----------------------------------------------------------------
// Sample Processor class
//----------------------------------------------------------------
class SampleProcessor : public Splunk::SingleThreadedProcessor {
    std::string  addToRaw;   
    //----------------------------------------------------------------
    // Method to append data to raw
    // Modifying host, source, sourcetype, etc follow the same pattern 
    //----------------------------------------------------------------
    bool fixRaw(Splunk::Transaction *trans)
    {
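        // get the raw data
        // SplunkGetRaw returns const char *, remember to play nice with it    
        const char *r = trans->getRaw();
        // no raw data: pass the event through unchanged
        // (constructing a std::string from NULL is undefined behavior)
        if (r == NULL)
            return true;
        // If in debug mode dump out the data
        SplunkDebug( "RAW = \"%s\"\n", r );
        std::string rs(r);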
        // append the string to raw
        rs.append(addToRaw);
        // put the modified raw data back 
        trans->setRaw(rs);
        
        // return true to continue sending the event through pipeline
        return true;        
    }
    //----------------------------------------------------------------
    // This method is called once per event in the pipeline
    //----------------------------------------------------------------
    bool handler(Splunk::Transaction *trans)
    {
        // call method to fix up raw
        return fixRaw(trans);
    }
    public:
    
    //----------------------------------------------------------------
    // Constructor pulls config values
    //----------------------------------------------------------------
    SampleProcessor(char * const args[])
    {
        // during initialization we try and read config data and cache result
        addToRaw.append(" {");
        // additional key values can be passed in through the config files.
        // These values will be used during processing each event. 
        const char *r = Splunk::InstanceConfig["addToRaw"];
        addToRaw.append((r == NULL) ? "UNKNOWN" : r);
        addToRaw.append("}");
        // spit out a debug message with text to append
        SplunkDebug("Using \"%s\" to add to raw", addToRaw.c_str() );
    }
};
//---------------------------------------------------------
//  Main is called once during initialization
//  We construct our processor class and call run
//---------------------------------------------------------
int main(int argn, char * const argv[])
{
    (void) argn;
    // if we had passed args in via the command tag we could pull them
    // from argv here; this sample takes none
    // construct our class and go
    SampleProcessor sp(argv);
    sp.run();
    return 1;
}

This documentation applies to the following versions of Splunk: 2.1, 2.2, 2.2.1, 2.2.3, 2.2.6

