Python helper functions
The Add-on Builder provides Python code templates for creating modular data inputs and alert actions, with helper functions for working with parameters.
Helper functions are Python 2 and Python 3 compatible.
You can only access input arguments using helper functions.
Functions to get values from input parameters
Function | Description |
---|---|
get_app_name() | Returns the name of the add-on. |
get_input_type() | Returns the value of Input name on the Data Input Properties tab of the Inputs & Parameters step. |
get_input_stanza(input_stanza_name=None) | If input_stanza_name is provided, returns a dict containing all stanza parameters for the specified stanza name, or "None" if the stanza name does not exist. If input_stanza_name is not provided, returns all stanzas in a dict, with the stanza name as the key and detailed stanza parameters as the value. Note: When input_stanza_name is not provided, one key-value pair is returned for multi-instance mode, and multiple key-value pairs are returned for single-instance mode. |
get_input_stanza_names() | Returns all stanza names for this input. A single string value is returned for multi-instance mode. A list of stanza names is returned for single-instance mode. |
get_arg(arg_name, input_stanza_name=None) | Returns an argument value based on arg_name and input_stanza_name. Arguments are defined on the Data Input Parameters tab of the Inputs & Parameters step. arg_name refers to the input field's Internal name. For multi-instance mode, input_stanza_name is not necessary, and the returned arg value is "None". For single-instance mode, if input_stanza_name is "None", a dict with the stanza name as the key and the arg value as the value is returned. If input_stanza_name is not "None", a single value of "None" is returned. |
get_sourcetype(input_stanza_name=None) | Returns the source type. |
get_output_index(input_stanza_name=None) | Returns the output index. |
Functions to get values from setup parameters
Helper functions to get credential accounts are used in rare cases. If you need an account in your modular input code, add a Global Account field to your setup parameters, then use helper.get_arg("internal_name"), where internal_name is the internal name of the Global Account field, to retrieve the value.
Function | Description |
---|---|
get_proxy() | If Proxy settings is selected, returns a dict: {"proxy_url": ..., "proxy_port": ..., "proxy_username": ..., "proxy_password": ..., "proxy_type": ..., "proxy_rdns": ...}. Otherwise, an empty dict is returned. |
get_user_credential_by_username(username) | If username exists, returns the dict: {"name": account_id, "username": username, "password": password}. Otherwise, returns "None". |
get_user_credential_by_id(account_id) | If account_id exists, returns the dict: {"name": account_id, "username": username, "password": password}. Otherwise, returns "None". |
get_global_setting(var_name) | Returns a global setting value for var_name. This method is used to get custom settings. |
get_log_level() | Returns the log level that was selected. If not set, returns "INFO". |
set_log_level(level) | Sets the log level to level. |
log(msg) | Logs a message using the configured logging level. |
log_debug(msg) | Logs a message using the logging.DEBUG level. |
log_info(msg) | Logs a message using the logging.INFO level. |
log_warning(msg) | Logs a message using the logging.WARNING level. |
log_error(msg) | Logs a message using the logging.ERROR level. |
log_critical(msg) | Logs a message using the logging.CRITICAL level. |
Functions for checkpoints
Function | Description |
---|---|
save_check_point(key, state) | Saves the checkpoint {key: state} to the Splunk KV store. |
delete_check_point(key) | Deletes the checkpoint corresponding to key. |
get_check_point(key) | Gets the value of the checkpoint corresponding to key. |
batch_save_check_point(states) | Saves a batch of {key: state} pairs, where states is a dict, the key is the checkpoint state key, and state is the value. |
Functions for alert actions
Function | Description |
---|---|
addevent(event_message, sourcetype) | Adds a custom event to the Adaptive Response Framework. |
writeevents(index, host, source) | Flushes the custom Adaptive Response Framework events. Call this function only once in your adaptive response. |
get_events() | Gets an event list that contains all of the search results when this alert is triggered. |
get_param(param_name) | Gets the parameter value when the alert is triggered for param_name, which is the internal name of the alert parameter. |
Other functions
Function | Description |
---|---|
send_http_request(url, method, parameters=None, payload=None, headers=None, cookies=None, verify=True, cert=None, timeout=None, use_proxy=True) | Sends an HTTP request and returns the response. |
new_event(data, time=None, host=None, index=None, source=None, sourcetype=None, done=True, unbroken=True) | Creates a new event. This function is used to index data in Splunk Enterprise. The example in the code template shows ew.write_event(event). Refer to splunklib.modularinput.Event in splunklib. |
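
The following is an added example, not code from the Splunk documentation or the Add-on Builder template. It sketches a collect_events(helper, ew) body that combines the checkpoint, proxy, HTTP and event helpers listed above while keeping proxy_password out of the log. The parameter name api_url, the since_id query parameter, the JSON response shape, the requests-style response methods and the MagicMock stand-ins in demo() are assumptions made for illustration.

```python
import json
from unittest.mock import MagicMock  # used by demo() only (Python 3)

SECRET_KEYS = ("proxy_password", "password")  # secret fields of the dicts documented above

def redact(d):
    """Return a copy of a helper dict that is safe to pass to helper.log_*()."""
    return {k: ("<redacted>" if k in SECRET_KEYS and v else v) for k, v in (d or {}).items()}

def collect_events(helper, ew):
    url = helper.get_arg("api_url")  # hypothetical parameter internal name
    key = "last_id:%s" % helper.get_input_stanza_names()  # one string in multi-instance mode
    last_id = helper.get_check_point(key) or 0
    helper.log_debug("proxy=%s last_id=%s" % (redact(helper.get_proxy()), last_id))
    # verify and use_proxy keep their documented defaults (True); timeout is set explicitly
    resp = helper.send_http_request(url, "GET", parameters={"since_id": last_id},
                                    verify=True, timeout=30, use_proxy=True)
    resp.raise_for_status()  # assumption: requests-style response object
    for item in resp.json():  # assumption: JSON list of {"id": int, ...}
        event = helper.new_event(json.dumps(item, sort_keys=True),
                                 index=helper.get_output_index(),
                                 sourcetype=helper.get_sourcetype())
        ew.write_event(event)
        last_id = max(last_id, item["id"])
    helper.save_check_point(key, last_id)  # advance only after every event is written

def demo(store=None):
    """Run collect_events against constructed stand-ins (MagicMock, not Splunk objects)."""
    store = {} if store is None else store
    helper, ew = MagicMock(), MagicMock()
    helper.get_arg.return_value = "https://api.example.test/events"
    helper.get_input_stanza_names.return_value = "demo_input"
    helper.get_proxy.return_value = {"proxy_url": "10.0.0.5", "proxy_port": "3128",
                                     "proxy_username": "svc", "proxy_password": "s3cret"}
    helper.get_check_point.side_effect = store.get
    helper.save_check_point.side_effect = store.__setitem__
    helper.send_http_request.return_value.json.return_value = [
        {"id": 7, "msg": "login"}, {"id": 9, "msg": "logout"}]
    helper.new_event.side_effect = lambda data, **kw: data
    collect_events(helper, ew)
    return helper, ew, store

if __name__ == "__main__":
    print(demo()[2])
```

Passing the dict returned by demo() back in as store shows the second run requesting only records after the saved checkpoint.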
This documentation applies to the following versions of Splunk® Add-on Builder: 4.1.4, 4.1.5