Splunk® Enterprise

Developing Views and Apps for Splunk Web



Splunk Enterprise version 8.0 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Modular inputs overview

Learn how to build a modular input to work with unique data sources, formats, or data input use cases.

Working with modular inputs

Use modular inputs to define a custom input capability. Users can select and configure them like any other Splunk input.

Data sources

The Splunk platform has the following data input options.

  • Monitor files and directories.
  • Listen on TCP or UDP ports for network events.
  • Read the output from a script.

Modular input use cases

Unique use cases might require a modular or scripted input. The following are some typical examples.

  • Stream results from a command, such as vmstat and iostat.
  • Query a database, web service, or API.
  • Reformat complex data.
  • Handle sensitive information more securely.
  • Handle special characters in inputs.

Modular input features

The modular input API provides the following features.

| Feature | Description |
| --- | --- |
| Splunk Web access | To view installed modular inputs in Splunk Web, click Settings > Data Inputs. |
| Validation | Developers can provide validation for modular inputs. |
| Platform-specific scripts | Package platform-specific versions of the modular input script. For example, you can include a Windows version, a Linux version, and an Apple (Darwin) version in one package. |
| Stream XML data | Streaming data in XML format lets you annotate the script output and manage how the data is processed. |
| REST API access | Use Splunk platform REST endpoints to access modular input scripts. You can use capability settings to manage endpoint permissioning. |
| Single or multiple instance modes | Developers can opt to launch a single instance or multiple instances. |

Comparing modular inputs to scripted inputs

Use modular inputs for packaging and sharing technology-specific apps or any app that includes a scripted input.

The following table compares modular inputs and scripted inputs.

| Feature | Scripted Inputs | Modular Inputs |
| --- | --- | --- |
| Configuration | Inline arguments. Separate configuration outside of the Splunk platform. | Parameters defined in inputs.conf. Users can configure inputs using Splunk Web input Settings fields. Validation support. |
| Specify event boundaries | Available, but requires additional script complexity. | Yes. XML streaming simplifies specifying event boundaries. |
| Single instance mode | Yes, but requires manual implementation. | Yes |
| Multi-platform support | No | Yes. Developers can package a modular input script to include versions for separate platforms. |
| Checkpointing | Yes, but requires manual implementation. | Yes |
| Run as user | Yes. You can specify which user can run the script. | No. All modular input scripts are run as the user using the Splunk instance. |
| Custom REST endpoints | No | Yes. Access modular inputs using REST. |
| REST endpoint authorization | N/A | Yes. Use capabilities to control access. |

Implementation overview

Start building a modular input by creating a script that streams data for indexing. Some modular input script components are required. There are also optional procedures that you can include to expand functionality.

In addition to the script, an input spec file is also required.
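A skeleton of such a script, showing the three ways splunkd invokes it (`--scheme`, `--validate-arguments`, and a normal run that streams XML events), with validation of a user-supplied parameter and escaping of special characters in event data. This is an added example, not code from the Splunk documentation or SDKs. The input kind `example_feed`, its `url` argument, the https-only rule and the placeholder event text are assumptions made for illustration.

```python
import sys
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Hypothetical scheme for an input kind "example_feed" with one argument, "url".
SCHEME = """<scheme>
  <title>Example feed</title>
  <use_external_validation>true</use_external_validation>
  <streaming_mode>xml</streaming_mode>
  <endpoint><args><arg name="url"><title>Feed URL</title></arg></args></endpoint>
</scheme>"""


def validate(items_xml):
    """Return None if every proposed input is acceptable, else an <error> document."""
    root = ET.fromstring(items_xml)  # XML written by splunkd to the script's stdin
    for item in root.iter("item"):
        params = {p.get("name"): (p.text or "") for p in item.iter("param")}
        if not params.get("url", "").startswith("https://"):
            msg = "url must start with https:// (input %s)" % item.get("name")
            return "<error><message>%s</message></error>" % escape(msg)
    return None


def event_xml(stanza, data):
    """Wrap one event for XML streaming mode, escaping markup characters."""
    return '<event stanza="%s"><data>%s</data></event>' % (
        escape(stanza, {'"': "&quot;"}), escape(data))


def run(input_xml, out=sys.stdout):
    """Stream one placeholder event per configured stanza."""
    root = ET.fromstring(input_xml)
    out.write("<stream>")
    for stanza in root.iter("stanza"):
        # Constructed event text; a real input would emit collected data here.
        out.write(event_xml(stanza.get("name"), "polled <ok> & done"))
    out.write("</stream>")


if __name__ == "__main__":
    if "--scheme" in sys.argv:
        print(SCHEME)
    elif "--validate-arguments" in sys.argv:
        error = validate(sys.stdin.read())
        if error:
            print(error)
            sys.exit(1)  # non-zero exit tells splunkd to reject the input
    else:
        run(sys.stdin.read())
```

Without the `escape` calls, event text containing `<` or `&` would produce a malformed stream, and a crafted value could inject extra elements into it.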


Create a modular input

Here are the steps for creating a modular input.

Add advanced features

Here are some of the more advanced features that you can include in a modular input.

Developer tools and troubleshooting

The Splunk platform provides some developer tools and troubleshooting tips to assist you in creating modular input scripts:

Modular input examples

The Modular inputs basic example provides an introduction to modular inputs.

Modular inputs examples show more advanced features, including the following.

  • Twitter modular input: Stream JSON data from a Twitter source to the Splunk platform for indexing.
  • Amazon S3 online storage: Use modular inputs to index data from the Amazon S3 online storage web service.

These examples use Python, but developers can use other languages to write modular input scripts.

Note: The Splunk universal forwarder does not provide a Python interpreter. If you intend to run the examples on a forwarder host, verify that a Python interpreter is installed on the host or, if necessary, install one.

Creating modular inputs with Splunk SDKs

Developers can use Splunk SDKs to create modular inputs in Python, Java, JavaScript, and C#. For more information, see the following resources on the Splunk developer portal.

Last modified on 08 September, 2021

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.2.0, 8.2.1, 8.2.2

