Splunk® Add-on Builder

Splunk Add-on Builder User Guide

This documentation does not apply to the most recent version of Splunk® Add-on Builder. For documentation on the most recent version, go to the latest release.

Create a new data model

From version 2.2.0, Splunk add-on builder supports the user to map the data event to the data model you create.
Users can design and maintain data models and use them in Splunk Add-on builder. Splunk recommends you to use Splunk web first and then modify the data model JSON file to follow the standard of Add-on builder.

To create data models which can be used by Splunk add-on builder, you need to understand

  • What is data models and how to create a data model in Splunk platform.
  • The format and semantics of their indexed data and are familiar with the Splunk search language. In building a typical data model, knowledge managers use knowledge object types such as lookups, transactions, search-time field extractions, and calculated fields.
  • The data model standard of Splunk add-on builder. See syntax of data model for details.


Make sure you have sufficient access permissions to any files you place in your add-on directory.

Syntax of data model

After building data model using Splunk web, the generated JSON file cannot be used by Splunk Add-on builder directly, add the following fields to the existing JSON file.

Required field

objects.comment.tags
Syntax: $.objects[*].comment.tags
Description:: It defines the tags of object in the data model. Eventtype which has the same tag(s) will be mapped to this data model.

Optional fields

objects.comment.description
Syntax: $.objects[*].comment.description
Description:: The description of the data model.
object.fields.comment.description
Syntax: $.object[*].fields[*].comment.description:<string>
Description:: The description of the data model field.
object.fields.comment.expected_values
Syntax: $.object[*].fields[*].comment.expected_values:<string>
Description:: It defines the expected value(s) of the data model field. Splunk add-on builder verifies the expect value(s) when user validates the add-on.

Example: Create a data model named test

  1. Create the data model using Splunk Web and name it as 'test'.
  2. Open the test.json file under $SPLUNK_HOME/etc/apps/<your_addon_folder>/default/data/models/test.jsonand add the field required by Splunk Add-on builder as follows
    AOB2.2 newfield.jpg
  3. Save the file and then restart Splunk
  4. The data model you create will be listed on the Select Data Models page. Follow the instruction on how to map to data model.
  5. AOB2.2 newfields.jpg

Last modified on 27 November, 2019
Use the add-on   Modify conf files directly

This documentation applies to the following versions of Splunk® Add-on Builder: 2.2.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters