Splunk® Add-on Builder

Splunk Add-on Builder User Guide

Download manual as PDF

Download topic as PDF

Design your add-on

Before you build your add-on:

  • Be familiar with your data and understand the data that you want to extract from it.
  • Determine the method you will use to gather your data. For example, if you plan to use file monitors, network listeners, or the HTTP Event Collector, you do not need to build a modular input and can skip the input options requirement.
  • If you plan to create a modular input, have sample data and/or a test account for the system that the module will contact. Know the input options that are required to access your data.
  • Know which parts of the Common Information Model (CIM) to which you want to map data. For example, almost all data sources produce Authentication and Change Analysis events, but few produce Intrusion Detection events.

Understanding modular inputs

Modular inputs help you get your data into the Splunk platform when native Splunk data collection inputs do not meet your needs. They are typically written in Python or Java.

For example, use a modular input:

  • to query a third-party API for your data
  • if you have a type of data that is not a native Splunk input (such as HEC, syslog, or file monitor)

The Splunk Add-on Builder lets you create simple modular inputs for you and generates Python code for those modular inputs. You can also write your own Python code for the data input and provide the input arguments. You can validate each data input by running the input in the Splunk Add-on Builder UI.

For more information, see Modular inputs overview in the Splunk Enterprise Developing Views and Apps for Splunk Web manual.

Understanding field extractions

When Splunk Enterprise indexes data, it parses the data stream into a series of events and adds a number of fields to the event data. These fields include:

  • default fields that are added automatically
  • any custom fields that you specify

The Splunk Add-on Builder lets you add custom fields to your data and perform field mapping at index and/or search time.

For more information, see:

Understanding the CIM

Splunk Add-on Builder lets you normalize data from different sources or vendors to match with a common information model (CIM).

The CIM has 22 predefined data models. To make your data match these standards you add data model mapping to your data. The mappings are applied at search time.

For more information about the CIM, see Overview of the Splunk Common Information Model in the Common Information Model Add-on Manual.

About alert actions

Alerts monitor for and respond to specific events, in real time or on a schedule. When conditions are met, alerts trigger "alert actions". Splunk Enterprise includes a number of pre-configured alert actions, such as running a script, sending an email, or logging an event in response to an alert.

In the Add-on Builder, you create your own alert actions and make them available to your add-on users.

For more information, see

Last modified on 23 April, 2020
PREVIOUS
Install the Add-on Builder
  NEXT
Use the Splunk Add-on Builder

This documentation applies to the following versions of Splunk® Add-on Builder: 3.0.0, 3.0.0, 3.0.1, 3.0.2


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters