What to know before you build add-ons
Before you begin to build an add-on:
- Be familiar with your data and know what you want to extract from it.
- Consider how you intend to gather your data. If you are going to use file monitors, network listeners, or the HTTP Event Collector, you do not need to build a modular input and can skip the input options requirement.
- If you plan to create a modular input, have sample data and/or a test account for the system that the modular will contact. Know the input options that are required to access your data.
- Know which parts of the Common Information Model (CIM) you want to map data to. For instance, almost all data sources produce Authentication and Change Analysis events, but few produce Intrusion Detection events.
Building an add-on can include creating modular inputs to send data to Splunk, getting your data into Splunk and extracting the fields you need, mapping your data to the CIM, and creating alert actions. Understanding these concepts will help you create your add-ons.
Understanding modular inputs
Modular inputs, which are typically written in Python or Java, allow you to programmatically create a way to get your data into Splunk when the native Splunk data collection inputs do not meet your needs. For example, use a modular input if you need to query a third-party API to get to your data or if you have a type of data that is not a native Splunk input (such as HEC, syslog, or file monitor).
The Splunk Add-on Builder can create simple modular inputs for you and generate the basic Python code. For more complex cases, you can write your own Python code for the data input and provide the input arguments. You can validate each data input in the Splunk Add-on Builder UI by running the input.
For more about modular inputs, see Modular inputs overview in the Splunk Enterprise Developing Views and Apps for Splunk Web manual.
Understanding field extractions
When Splunk Enterprise indexes data, it parses the data stream into a series of events. As part of this process, Splunk adds a number of fields to the event data. These fields include default fields that are added automatically and any custom fields that you specify. The Splunk Add-on Builder lets you add custom fields to your data and perform field mapping at index and/or search time.
For more about fields and field extraction, see:
- Create custom fields at index time in the Splunk Enterprise Getting Data In manual.
- Extract fields from files with structured data in the Splunk Enterprise Getting Data In manual
Understanding the CIM
Splunk Add-on Builder supports normalizing your data from different sources or vendors to match to common information model (CIM). The CIM has 22 predefined data models. If you want your data to match these standards you can add data model mapping to your data, which is applied at search time. For more information about the CIM, see Overview of the Splunk Common Information Model in the Common Information Model Add-on Manual.
Understanding alert actions
Alerts monitor for and respond to specific events, in real time or on a schedule. When certain conditions are met, alerts are triggered and run alert actions. Splunk Enterprise includes a number of pre-configured alert actions, such as running a script, sending an email, or logging an event in response to an alert. Using Add-on Builder, you can create your own alert actions that are available in Splunk Enterprise to users of your add-on. Alert actions might define third-party integrations, add custom functionality, or include adaptive response actions for Splunk Enterprise Security.
For more about creating alert actions, see Custom alert actions overview in the Developing Views and Apps for Splunk Web manual.
For more about creating alert actions that are compatible with adaptive response for Enterprise Security, see:
- Use the common action model to build custom alert actions in the Common Information Model Add-on Manual
- Create an adaptive response action on the Splunk Developer Portal
Install the Add-on Builder | Use the Splunk Add-on Builder |
This documentation applies to the following versions of Splunk® Add-on Builder: 2.0.0, 2.1.0, 2.1.1, 2.1.2
Feedback submitted, thanks!