Extend Splunk
This documentation does not apply to the most recent version of Splunk.
Are you looking to take your Splunk install a little further? Perhaps you'd like to use the Splunk datastore underneath some custom code you've written. Or you'd like to run searches and get results without using the Splunk UI. Read on for a description of different ways you can extend Splunk via APIs and the CLI.
REST API
If you're looking to extend Splunk to work with your Java app, or you want to run searches or manage Splunk configurations and objects without ever accessing Splunk's UI, you'll want to use Splunk's REST API. Start off by reading "Splunk's API is RESTful".
Currently, only APIs for search and authentication are certified and supported. Over the next year we will be releasing SDKs for search and management in a variety of languages. We will also continue to certify REST endpoints for configuration and objects management with each new release.
Using the REST API requires an understanding of REST and HTTP, and knowledge of whatever language you'd like to hook into Splunk with. It's a good idea to have whatever support or libraries you may need for curl in the language you're using (libcurl in Python, for example).
Custom search commands
While Splunk ships with a wide variety of search commands, you may find that you want to add your own. Build your own custom search command to parse and present data in a new way. Note that search commands are not recursive -- they only act on the data they receive back from the search.
Requires a moderate understanding of Python.
CLI
There are quite a few things you can do with Splunk's CLI, such as launching searches, retrieving search results, and managing configurations and objects. You can also access remote CLIs from another instance, so it is possible to programmatically configure multiple Splunk instances from the CLI. Or just launch several searches and parse the returned results.
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8.