What to know before you build add-ons
Before you begin to build an add-on:
- Be familiar with your data and know what you want to extract from it.
- Know how your data is gathered, whether by a native Splunk input or by a new modular input. If you are using file monitors, network listeners, or the HTTP Event Collector, you do not need to build a modular input and can skip the input options requirement.
- If you plan to create a modular input, have sample data and/or a test account for the system for which you are creating a modular input. Know the input options that are required to access your data.
- Know which parts of the common information model (CIM) you want to map your data to. Note that almost all data sources map to the Authentication and Change Analysis data models.
Building an add-on can include creating modular inputs to send data to Splunk, getting your data into Splunk and extracting the fields you need, and mapping your data to the CIM. Understanding these concepts will help you create your add-ons.
Understanding modular inputs
Modular inputs, which are typically written in Python or Java, allow you to programmatically create a way to get your data into Splunk when the native Splunk data collection inputs do not meet your needs. For example, use a modular input if you need to query a database, web service, or API to get to your data; if you have a type of data that is not a native Splunk input; or if you can't use a forwarder for some reason (such as a cloud installation).
The Splunk Add-on Builder can create simple modular inputs for you and generate the basic Python code. For more complex cases, you can write your own Python code for the data input and provide the input arguments. You can validate each data input in the Splunk Add-on Builder UI by running the input.
For more about modular inputs, see Modular inputs overview in the Splunk Enterprise Developing Views and Apps for Splunk Web manual.
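The following is an added example, not code from the Splunk documentation or generated by the Add-on Builder, showing the three ways Splunk invokes a modular input script: `--scheme` (print the argument definitions), `--validate-arguments` (check the proposed arguments read from stdin before the input is saved) and plain run mode (read the enabled stanzas from stdin and stream events). The scheme name, the arguments `api_url` and `interval_secs`, and the `poller://` stanza prefix are assumptions for illustration.

```python
import sys
import xml.etree.ElementTree as ET

SCHEME = """<scheme>
  <title>Example REST poller</title><description>Polls an assumed HTTPS API</description>
  <use_external_validation>true</use_external_validation><streaming_mode>xml</streaming_mode>
  <endpoint><args><arg name="api_url"><title>API URL</title></arg>
    <arg name="interval_secs"><title>Poll interval (s)</title><data_type>number</data_type></arg>
  </args></endpoint>
</scheme>"""

def parse_stanzas(xml_text):
    """Map each <stanza>/<item name=...> to {param: value}; one parser serves both
    the run-time <input> document and the --validate-arguments <items> document."""
    stanzas = {}
    for node in ET.fromstring(xml_text).iter():
        if node.tag in ("stanza", "item"):
            stanzas[node.get("name")] = {p.get("name"): p.text or "" for p in node.findall("param")}
    return stanzas

def validate(params):
    """Return an error message for unacceptable arguments, or None."""
    if not params.get("api_url", "").startswith("https://"):
        return "api_url must use https://"
    try:
        if int(params.get("interval_secs", "")) < 10:
            return "interval_secs must be at least 10"
    except ValueError:
        return "interval_secs must be an integer"
    return None

def event_xml(stanza, data):  # wrap one event in the streaming-mode XML Splunk indexes
    ev = ET.Element("event", stanza=stanza)
    ET.SubElement(ev, "data").text = data
    return ET.tostring(ev, encoding="unicode")

if __name__ == "__main__":
    if "--scheme" in sys.argv:  # Splunk asks for the argument definitions
        print(SCHEME)
    elif "--validate-arguments" in sys.argv:  # proposed arguments arrive on stdin
        for params in parse_stanzas(sys.stdin.read()).values():
            err = validate(params)
            if err:  # Splunk shows the message and refuses to save the input
                print("<error><message>%s</message></error>" % err)
                sys.exit(1)
    else:  # run mode: Splunk supplies the enabled stanzas on stdin
        print("<stream>")
        for name, params in parse_stanzas(sys.stdin.read()).items():
            print(event_xml(name, "polled " + params["api_url"]))  # real fetch goes here
        print("</stream>")
```

Run `python poller.py --scheme` to see the argument definitions, or pipe a constructed `<items>` or `<input>` document into the script to exercise validation and run mode outside Splunk.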
Understanding field extractions
When Splunk Enterprise indexes data, it parses the data stream into a series of events. As part of this process, Splunk adds a number of fields to the event data. These fields include default fields that are added automatically and any custom fields that you specify. The Splunk Add-on Builder lets you add custom fields to your data and perform field mapping at index and/or search time.
For more about fields and field extraction, see:
- Create custom fields at index time in the Splunk Enterprise Getting Data In manual.
- Extract fields from files with structured data in the Splunk Enterprise Getting Data In manual.
Understanding the CIM
Mapping to the common information model (CIM) is a way to normalize your data to match a common standard, using the same field names and event tags for equivalent events from different sources or vendors. The CIM has 22 predefined data models. If you want your data to match these standards, you can add CIM mapping to your data, which is applied at search time.
For more information about the CIM, see Overview of the Splunk Common Information Model in the Common Information Model Add-on Manual.
This documentation applies to the following versions of Splunk® Add-on Builder: 1.0.0, 1.0.1, 1.1.0