Splunk® Add-on Builder

Splunk Add-on Builder User Guide

This documentation does not apply to the most recent version of Splunk® Add-on Builder. For documentation on the most recent version, go to the latest release.

What to know before you build add-ons

Before you begin to build an add-on:

  • Be familiar with your data and know what you want to extract from it.
  • Consider how you intend to gather your data. If you are going to use file monitors, network listeners, or the HTTP Event Collector, you do not need to build a modular input and can skip the input options requirement.
  • If you plan to create a modular input, have sample data and/or a test account for the system that the modular input will contact. Know the input options that are required to access your data.
  • Know which parts of the Common Information Model (CIM) you want to map data to. For instance, almost all data sources produce Authentication and Change Analysis events, but few produce Intrusion Detection events.

Building an add-on can include creating modular inputs to send data to Splunk, getting your data into Splunk and extracting the fields you need, mapping your data to the CIM, and creating alert actions. Understanding these concepts will help you create your add-ons.

Understanding modular inputs

Modular inputs, which are typically written in Python or Java, allow you to programmatically create a way to get your data into Splunk when the native Splunk data collection inputs do not meet your needs. For example, use a modular input if you need to query a third-party API to get to your data, or if you have a type of data that none of the native Splunk inputs (such as HEC, syslog, or file monitor) can collect.

The Splunk Add-on Builder can create simple modular inputs for you and generate the basic Python code. For more complex cases, you can write your own Python code for the data input and provide the input arguments. You can validate each data input in the Splunk Add-on Builder UI by running the input.
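To make concrete what the generated Python has to do, here is an added example (it is not code from this page, from Add-on Builder, or from the Splunk SDK): a minimal modular input that speaks the stdin/stdout XML protocol splunkd uses for modular inputs, written with only the standard library. It answers the --scheme and --validate-arguments phases, rejects a stanza whose options are missing or unsafe before it is ever saved, and escapes API responses before streaming them as events. The scheme name example_api, its two parameters api_url and interval, the sample configuration and the fake_fetch stand-in are assumptions for illustration.

```python
import sys
import json
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

QUOTE = {'"': "&quot;"}  # extra entity map for escaping attribute values


def _https_url(value):
    # Only accept https:// so the API credential never travels in clear text.
    if not value.lower().startswith("https://"):
        raise ValueError("api_url must start with https://")
    return value


def _positive_int(value):
    n = int(value)
    if n <= 0:
        raise ValueError("interval must be a positive integer")
    return n


# Input options this (assumed) input requires, each with its validator.
PARAMS = {"api_url": _https_url, "interval": _positive_int}


def build_scheme():
    """XML printed for --scheme: declares the parameters and asks splunkd to
    run --validate-arguments before it saves a stanza."""
    args = "".join(
        f'<arg name="{name}"><title>{name}</title>'
        "<required_on_create>true</required_on_create></arg>"
        for name in PARAMS
    )
    return (
        "<scheme><title>Example API (assumed)</title>"
        "<use_external_validation>true</use_external_validation>"
        "<streaming_mode>xml</streaming_mode>"
        f"<endpoint><args>{args}</args></endpoint></scheme>"
    )


def parse_stanzas(config_xml):
    """Parse the <input> document (run mode) or <items> document
    (--validate-arguments) splunkd writes to stdin into
    {stanza_name: {param: validated_value}}. The session_key element is
    never read, so it cannot end up in a log line by accident."""
    root = ET.fromstring(config_xml)
    stanzas = {}
    for stanza in list(root.iter("stanza")) + list(root.iter("item")):
        name = stanza.get("name")
        raw = {p.get("name"): (p.text or "") for p in stanza.iter("param")}
        clean = {}
        for param, validate in PARAMS.items():
            if param not in raw:
                raise ValueError(f"{name}: missing required parameter {param}")
            clean[param] = validate(raw[param])
        stanzas[name] = clean
    return stanzas


def format_event(stanza_name, data, sourcetype):
    """One <event> for streaming_mode=xml; escaping keeps '<' or '&' in an
    API response from being parsed as part of the stream itself."""
    return (
        f'<event stanza="{escape(stanza_name, QUOTE)}">'
        f"<data>{escape(data)}</data>"
        f"<sourcetype>{escape(sourcetype)}</sourcetype></event>"
    )


def run(config_xml, fetch):
    """Validate every stanza, then wrap each record from fetch(api_url) in
    the <stream> document splunkd reads from stdout."""
    events = []
    for name, params in parse_stanzas(config_xml).items():
        for record in fetch(params["api_url"]):
            events.append(format_event(name, record, "example_api:event"))
    return "<stream>" + "".join(events) + "</stream>"


# Constructed sample of what splunkd writes to stdin in run mode.
SAMPLE_CONFIG = """<input>
  <server_uri>https://127.0.0.1:8089</server_uri>
  <session_key>REDACTED-SESSION-KEY</session_key>
  <configuration>
    <stanza name="example_api://prod">
      <param name="api_url">https://api.example.com/events</param>
      <param name="interval">300</param>
      <param name="index">main</param>
    </stanza>
  </configuration>
</input>"""


def fake_fetch(api_url):
    # Constructed stand-in for the real API call; returns two JSON records.
    return [json.dumps({"url": api_url, "seq": i, "msg": "a <b> & c"}) for i in (1, 2)]


if __name__ == "__main__":
    if "--scheme" in sys.argv:
        print(build_scheme())
    elif "--validate-arguments" in sys.argv:
        try:
            parse_stanzas(sys.stdin.read())
        except ValueError as exc:
            # splunkd shows this message in the UI and refuses to save the stanza
            print(f"<error><message>{escape(str(exc))}</message></error>")
            sys.exit(1)
    else:
        source = SAMPLE_CONFIG if sys.stdin.isatty() else sys.stdin.read()
        print(run(source, fake_fetch))
```

Run it with no arguments to see the stream built from the sample configuration, or with --scheme to see the scheme XML. The validators run in both the --validate-arguments phase and at collection time, so a stanza edited by hand in inputs.conf gets the same checks as one saved through the UI.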

For more about modular inputs, see Modular inputs overview in the Splunk Enterprise Developing Views and Apps for Splunk Web manual.

Understanding field extractions

When Splunk Enterprise indexes data, it parses the data stream into a series of events. As part of this process, Splunk adds a number of fields to the event data. These fields include default fields that are added automatically and any custom fields that you specify. The Splunk Add-on Builder lets you add custom fields to your data and perform field mapping at index and/or search time.

For more about fields and field extraction, see:

Understanding the CIM

Splunk Add-on Builder supports normalizing your data from different sources or vendors to match the Common Information Model (CIM). The CIM has 22 predefined data models. If you want your data to match these standards, you can add data model mapping to your data, which is applied at search time. For more information about the CIM, see Overview of the Splunk Common Information Model in the Common Information Model Add-on Manual.

Understanding alert actions

Alerts monitor for and respond to specific events, in real time or on a schedule. When certain conditions are met, alerts are triggered and run alert actions. Splunk Enterprise includes a number of pre-configured alert actions, such as running a script, sending an email, or logging an event in response to an alert. Using Add-on Builder, you can create your own alert actions that are available in Splunk Enterprise to users of your add-on. Alert actions might define third-party integrations, add custom functionality, or include adaptive response actions for Splunk Enterprise Security.
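An added example of the script side of a custom alert action (not code from this page or from Add-on Builder's generated scripts): when an alert fires, splunkd runs the action script with --execute and passes a JSON payload on stdin describing the search, the triggering result and the action's configured parameters. The script below parses that payload, validates its one parameter, forwards only an allow-list of result fields, and appends one JSON line to a log file that a file monitor can index back in. The action name, the severity parameter, the log path and the sample payload are assumptions; the session key in the payload is deliberately never copied out.

```python
import json
import os
import sys

# Allow-list of result fields forwarded to the log line. Anything else in the
# triggering result (for example the full _raw event) stays in Splunk.
FORWARDED_FIELDS = ("_time", "user", "src", "dest", "action")
SEVERITIES = ("low", "medium", "high")


def parse_payload(raw_json):
    """Parse the JSON splunkd writes to stdin for --execute and keep only what
    the action needs. session_key is intentionally not copied over."""
    payload = json.loads(raw_json)
    conf = payload.get("configuration", {})
    severity = conf.get("severity", "medium")
    if severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {SEVERITIES}, got {severity!r}")
    return {
        "search_name": payload["search_name"],
        "sid": payload["sid"],
        "results_link": payload.get("results_link", ""),
        "severity": severity,
        "result": {k: v for k, v in payload.get("result", {}).items()
                   if k in FORWARDED_FIELDS},
    }


def build_record(action):
    """Serialise the action as one JSON line so the destination file can be
    monitored back into Splunk with a single-line sourcetype."""
    return json.dumps(action, sort_keys=True)


def execute(raw_json, sink):
    """Parse, build the record, append it to sink; returns the line written."""
    line = build_record(parse_payload(raw_json))
    sink.write(line + "\n")
    return line


# Constructed sample mirroring the shape of the --execute payload.
SAMPLE_PAYLOAD = json.dumps({
    "app": "TA-example", "owner": "admin",
    "search_name": "Failed logins above threshold",
    "sid": "scheduler__admin__TA-example__sample-sid",
    "session_key": "REDACTED-SESSION-KEY",
    "results_link": "https://splunk.example.com/app/search/@go?sid=sample-sid",
    "configuration": {"severity": "high"},
    "result": {"_time": "1551700000", "user": "svc_backup", "src": "10.0.0.5",
               "count": "42",
               "_raw": "Mar 04 10:26:40 host1 sshd[2211]: Failed password for svc_backup from 10.0.0.5"},
})

if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--execute":
        raw = sys.stdin.read()
    else:
        raw = SAMPLE_PAYLOAD  # stand-alone demo run outside Splunk
    try:
        if "SPLUNK_HOME" in os.environ:
            # Assumed destination: a log under var/log/splunk for a file monitor.
            path = os.path.join(os.environ["SPLUNK_HOME"], "var", "log", "splunk",
                                "ta_example_actions.log")
            with open(path, "a") as fh:
                execute(raw, fh)
        else:
            execute(raw, sys.stdout)
    except (KeyError, ValueError) as exc:
        # stderr from an alert action script is recorded in splunkd.log
        print(f"ERROR ta_example_action: {exc}", file=sys.stderr)
        sys.exit(2)
```

Run without arguments to see the record built from the sample payload. The allow-list is the part worth keeping in any real action: the result dictionary carries every field of the triggering row, so an action that forwards it wholesale to a ticketing system or webhook leaks whatever the search happened to return.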

For more about creating alert actions, see Custom alert actions overview in the Developing Views and Apps for Splunk Web manual.

For more about creating alert actions that are compatible with adaptive response for Enterprise Security, see:

Last modified on 04 March, 2019

This documentation applies to the following versions of Splunk® Add-on Builder: 2.0.0, 2.1.0, 2.1.1, 2.1.2
