Design your add-on
Before you build your add-on:
- Be familiar with your data and understand the data that you want to extract from it.
- Determine the method you will use to gather your data. For example, if you plan to use file monitors, network listeners, or the HTTP Event Collector, you do not need to build a modular input and can skip the input options requirement.
- If you plan to create a modular input, have sample data and/or a test account for the system that the module will contact. Know the input options that are required to access your data.
- Know which parts of the Common Information Model (CIM) to which you want to map data. For example, almost all data sources produce Authentication and Change Analysis events, but few produce Intrusion Detection events.
Understanding modular inputs
Modular inputs help you get your data into the Splunk platform when native Splunk data collection inputs do not meet your needs. They are typically written in Python or Java.
For example, use a modular input:
- to query a third-party API for your data
- if you have a type of data that is not a native Splunk input (such as HEC, syslog, or file monitor)
The Splunk Add-on Builder lets you create simple modular inputs for you and generates Python code for those modular inputs. You can also write your own Python code for the data input and provide the input arguments. You can validate each data input by running the input in the Splunk Add-on Builder UI.
For more information, see Modular inputs overview in the Splunk Enterprise Developing Views and Apps for Splunk Web manual.
Understanding field extractions
When Splunk Enterprise indexes data, it parses the data stream into a series of events and adds a number of fields to the event data. These fields include:
- default fields that are added automatically
- any custom fields that you specify
The Splunk Add-on Builder lets you add custom fields to your data and perform field mapping at index and/or search time.
For more information, see:
- Create custom fields at index time in the Splunk Enterprise Getting Data In manual.
- Extract fields from files with structured data in the Splunk Enterprise Getting Data In manual
Understanding the CIM
Splunk Add-on Builder lets you normalize data from different sources or vendors to match with a common information model (CIM).
The CIM has 22 predefined data models. To make your data match these standards you add data model mapping to your data. The mappings are applied at search time.
For more information about the CIM, see Overview of the Splunk Common Information Model in the Common Information Model Add-on Manual.
About alert actions
Alerts monitor for and respond to specific events, in real time or on a schedule. When conditions are met, alerts trigger "alert actions". Splunk Enterprise includes a number of pre-configured alert actions, such as running a script, sending an email, or logging an event in response to an alert.
In the Add-on Builder, you create your own alert actions and make them available to your add-on users.
For more information, see
- Custom alert actions overview in the Developing Views and Apps for Splunk Web manual.
- Use the common action model to build custom alert actions in the Common Information Model Add-on Manual
- Create an adaptive response action on the Splunk Developer Portal
Install the Add-on Builder
Use the Splunk Add-on Builder
This documentation applies to the following versions of Splunk® Add-on Builder: 3.0.0, 3.0.0, 3.0.1, 3.0.2