Splunk® Add-on Builder

Splunk Add-on Builder User Guide

This documentation does not apply to the most recent version of Splunk® Add-on Builder. For documentation on the most recent version, go to the latest release.

Python helper functions

The Add-on Builder provides Python code templates for creating modular data inputs and alert actions, with helper functions for working with parameters.

You can only access input arguments using helper functions.

Functions to get values from input parameters

Function Description
get_app_name() Returns the name of the add-on.
get_input_type() Returns the value of Input name on the Data Input Properties tab of the Inputs & Parameters step.
get_input_stanza(input_stanza_name=None) If input_stanza_name is provided, returns a dict containing all stanza parameters for the specified stanza name, or "None" if the stanza name does not exist.

If input_stanza_name is not provided, returns all stanzas in a dict, with the stanza name as the key and detailed stanza parameters as the value.

Note When input_stanza_name is not provided, one key-value pair is returned for multi-instance mode, and multiple key-value pairs are returned for single-instance mode.

get_input_stanza_names() Returns all stanza names for this input. A single string value is returned for multi-instance mode. A list of stanza names is returned for single-instance mode.
get_arg(arg_name, input_stanza_name=None) Returns an argument value based on arg_name and input_stanza_name. Arguments are defined on the Data Input Parameters tab of the Inputs & Parameters step. arg_name refers to the input field's Internal name.

For multi-instance mode, input_stanza_name is not necessary, and the returned arg value is "None".

For single-instance mode, if input_stanza_name is "None", a dict with the stanza name as the key and the arg value as the value is returned. If input_stanza_name is not "None", a single value of "None" is returned.

get_sourcetype(input_stanza_name=None) Returns the source type.
get_output_index(input_stanza_name=None) Returns the output index.

Functions to get values from setup parameters

Helper functions to get credential accounts are used in rare cases. If you need an account in your modular input code, add a Global Account field to your setup parameters, then use helper.get_arg("internal_name"), where internal_name is the internal name of the Global Account field, to retrieve the value.

Function Description
get_proxy() If Proxy settings is selected, returns a dict: 
{ "proxy_url": ..., "proxy_port": ... , "proxy_username": ... , "proxy_password": ... , "proxy_type": ... , "proxy_rdns": ...}

Otherwise, an empty dict is returned.

get_user_credential_by_username(username) If username exists, returns the dict: 
{"name": account_id, "username": username, "password": password}

Otherwise, returns "None".

get_user_credential_by_id(account_id) If account_id exists, returns the dict: 
{"name": account_id, "username": username, "password": password}

Otherwise, returns "None".

get_global_setting(var_name) Returns a global setting value for var_name. This method is used to get custom settings.
get_log_level() Returns the log level that was selected. If not set, returns "INFO".
set_log_level(level) Sets the log level to level.
log(msg) Logs a message using the configured logging level.
log_debug(msg) Logs a message using the logging.DEBUG level
log_info(msg) Logs a message using the logging.INFO level.
log_warning(msg) Logs a message using the logging.WARNING level.
log_error(msg) Logs a message using the logging.ERROR level.
log_critical(msg) Logs a message using the logging.CRITICAL level.

Functions for checkpoints

Function Description
save_check_point(key, state) Saves the checkpoint {key: state} to the Splunk KV store.
delete_check_point(key) Deletes the checkpoint corresponding to key.
get_check_point(key) Get the value of the checkpoint corresponding to key.
batch_save_check_point(states) Saves a batch of {key: state} pairs, where states is a dict, the key is the checkpoint state key, and state is the value.

Functions for alert actions

Function Description
addevent(event_message, sourcetype) Adds a custom event to the Adaptive Response Framework.
  • event_message: The event message.
  • sourcetype: The source type of this event.
writeevents(index, host, source) Flushes the custom Adaptive Response Framework events. Call this function only once in your adaptive response.
  • index: The index that stores these events.
  • host: The host fields of these events.
  • source: The source fields of these events.
get_events() Gets an event list that contains all of the search results when this alert is triggered.
get_param(param_name) Gets the parameter value when the alert is triggered for param_name, which is the internal name of the alert parameter.

Other functions

Function Description
send_http_request(url, method, parameters=None, payload=None, headers=None, cookies=None, verify=True, cert=None, timeout=None, use_proxy=True) Sends an HTTP request and returns the response.
  • url: URL for the new Request object.
  • method: Method for the new Request object (GET | POST | PUT | DELETE).
  • parameters: Optional. Dictionary or bytes to be sent in the query string for the request.
  • payload: Optional. Dictionary, bytes, or file-like object to send in the body of the request.
  • headers: Optional. Dictionary of HTTP headers to send with the request.
  • cookies: Optional. Dict or CookieJar object to send with the request.
  • verify: Optional. Indicates whether the SSL certificate will be verified. A CA_BUNDLE path can also be provided.
  • cert: Optional. If a string, contains the path to the SSL client cert (.pem) file. If Tuple, a ('cert', 'key') pair.
  • timeout (float or tuple): Optional. Specifies how long to wait for the server to send data, as a float or a (connect timeout, read timeout) tuple.
  • use_proxy: Optional. Indicates whether to use a proxy. If True, the proxy in the Add-on Builder Configuration settings is used.
new_event(data, time=None, host=None, index=None, source=None, sourcetype=None, done=True, unbroken=True) Creates a new event. This function is used to index data in Splunk Enterprise.

The example in the code template shows ew.write_event(event). Refer to splunklib.modularinput.Event in splunklib.

Last modified on 27 November, 2019
Modify conf files directly   What's new

This documentation applies to the following versions of Splunk® Add-on Builder: 2.2.0

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters