Splunk® Add-on Builder

Splunk Add-on Builder User Guide

This documentation does not apply to the most recent version of Splunk® Add-on Builder. For documentation on the most recent version, go to the latest release.

Overview of the Splunk Add-on Builder

The Splunk Add-on Builder is a Splunk app that helps you build and validate technology add-ons for your Splunk platform deployment.

What is an add-on?

An add-on is a reusable Splunk component, much like an app, but is dedicated to a function such as getting a specific system's data in and out of Splunk Enterprise. Add-ons can include any combination of custom configurations, scripts, data inputs, custom reports or views, and themes that can change the look and feel of Splunk Enterprise. A single add-on can be used in multiple apps, suites, or solutions.

Technology add-ons are specialized add-ons that help to collect, transform, and normalize data feeds from specific sources in your Splunk environment. Technology add-ons typically include:

  • Knowledge management components, such as field extractions, transforms, and lookups, that make the data easy to use.
  • Knowledge mapping components, such as event types and tags, that normalize the data to the Common Information Model.
  • Configurations and/or tools to gather data from a source.

For more about apps and add-ons, see Develop Splunk Apps on the Splunk Developer Portal.

Why create a technology add-on?

Technology add-ons provide knowledge mapping, making it easier to do data transformations on unstructured data and extract value from raw event data. Many add-ons help collect the data from data sources, reducing the time spent to reach value. And, add-ons are particularly useful when you need to get data into the Splunk platform and the data is not in one of the native input formats.

Why use the Splunk Add-on Builder?

The Splunk Add-on Builder is intended to guide you through the process of creating a technology add-on without you having to know everything there is to know about the Splunk platform.

The goals of the Splunk Add-on Builder are to:

  • Guide you through all of the necessary steps of creating an add-on
  • Build alert actions and adaptive response actions for Splunk Enterprise Security
  • Reduce development and testing time
  • Follow best practices and naming conventions
  • Maintain data model (including CIM) compliance
  • Maintain quality of add-ons
  • Validate and test the add-on, helping you to check for release readiness and to identify any limitations such as compatibilities and dependencies
  • Maintain a consistent look and feel while still making it easy for you to add branding
  • Package the add-on and helps you get ready to publish the add-on

Who is the Splunk Add-on Builder for?

The Splunk Add-on Builder is for:

  • Splunk admins who would like to onboard additional data into the Splunk platform.
  • Developers who are looking for a tool to help them build and validate a Splunk add-on.


The Splunk Add-on Builder is intended for on-premises customers and developers only. It is intended for those interested in developing Splunk Add-ons and should not be used in a production environment. If you are using the Splunk Add-on Builder with any third-party add-on, or component thereof, you are responsible for ensuring that your actions comply with the applicable third-party license terms.

  • Splunk Add-on Builder is not compatible with search head clusters or Splunk Cloud. As a best practice, use Splunk Add-on Builder in a development environment with a single instance on-premises Splunk Enterprise to produce add-ons. After you package an add-on, test it on other deployment environments before running it in production.
  • Using the Splunk Add-on Builder requires you to be a member of the Admin role.
Last modified on 25 November, 2019
  Support and resources for the Splunk Add-on Builder

This documentation applies to the following versions of Splunk® Add-on Builder: 2.2.0

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters