Splunk® Add-on Builder

Splunk Add-on Builder User Guide

This documentation does not apply to the most recent version of Splunk® Add-on Builder. For documentation on the most recent version, go to the latest release.

What's new

Here's what's new in each version of the Splunk Add-on Builder.

Note: If you use the Add-on Builder to build add-ons for the Splunk Cloud Platform, make sure to review the latest information, changes, and requirements for the Splunk Cloud Platform.

Version 4.2.0

Version 4.2.0 of the Splunk Add-on Builder was released on April 17, 2024.

  • Fixed security issues where the Add-on Builder logged sensitive information when updating the add-on properties.
  • Fixed false-positive Splunk Certification failures for Splunk SDK, common.js, and jQuery in add-ons created using the Add-on Builder. For more details, see the troubleshooting section.
  • Provided auto-replication of configuration files across search head clusters to maintain the same configurations across all the search heads.

Version 4.1.5

Version 4.1.5 of the Splunk Add-on Builder was released on April 4, 2024.

  • Fixed compatibility issues with Python 3.9 and removed deprecated methods.

Version 4.1.4

Version 4.1.4 of the Splunk Add-on Builder was released on September 26, 2023.

  • Fixed the security issues where the Add-on Builder (AOB) was logging the session_key and password in plain text during the input creation process.
  • Fixed the issue where a user was not able to rename an already configured TA.
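
Upgrading stops new leaks, but log files written by earlier versions can still hold the values. The following added example (not part of the Splunk documentation or the Add-on Builder code) finds unmasked session_key and password values in log lines and redacts them; the log layouts and the sample lines are constructed, because the release notes do not show the log format.

```python
import re

# Key names are the two named in the release notes; the log layouts are assumed.
_SECRET = re.compile(
    r"""\b(?P<key>session_key|password)\b["']?\s*[:=]\s*"""
    r"""(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)'|(?P<bare>[^\s,}&]+))""",
    re.IGNORECASE,
)
# Values that are already masked or empty placeholders are not findings.
_ALREADY_MASKED = re.compile(r"\*+|x{4,}|<[^>]*>|\[?redacted\]?|none|null", re.IGNORECASE)

def _value(match):
    """Return (group_name, text) for whichever value form matched."""
    name = next(n for n in ("dq", "sq", "bare") if match.group(n) is not None)
    return name, match.group(name)

def find_leaks(lines):
    """Return (line_number, key, value_length) for every unmasked secret."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for match in _SECRET.finditer(line):
            _, text = _value(match)
            if text and not _ALREADY_MASKED.fullmatch(text):
                findings.append((number, match.group("key").lower(), len(text)))
    return findings

def redact(line):
    """Return the line with each secret value replaced by a fixed mask."""
    def mask(match):
        name, _ = _value(match)
        start, end = (pos - match.start() for pos in match.span(name))
        whole = match.group(0)
        return whole[:start] + "********" + whole[end:]
    return _SECRET.sub(mask, line)

# Constructed sample lines; they are not real Add-on Builder output.
SAMPLE_LOG = [
    "2023-09-01 10:02:11,120 INFO create input name=demo_input",
    "2023-09-01 10:02:11,130 DEBUG input meta={'name': 'demo_input', 'session_key': 'EXAMPLE-SESSION-TOKEN'}",
    "2023-09-01 10:02:11,131 DEBUG account username=svc_demo password=Example-Passw0rd!",
    '2023-09-01 10:02:12,001 DEBUG payload={"password": "********"}',
]

if __name__ == "__main__":
    for number, key, length in find_leaks(SAMPLE_LOG):
        print(f"line {number}: {key} logged in plain text ({length} characters)")
    for line in SAMPLE_LOG:
        print(redact(line))
```

Any session_key or password the scan reports should be treated as exposed and rotated, not only removed from the log.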

Version 4.1.3

Version 4.1.3 of the Splunk Add-on Builder was released on April 28, 2023.

Fixed the issue where default values were not being set in the settings.conf file for the additional_parameters stanza in TAs built using AOB.

Version 4.1.2

Version 4.1.2 of the Splunk Add-on Builder was released on February 14, 2023.

Fixed a security vulnerability where the REST API inputs created by the Add-on Builder allowed connection to insecure URLs.

Security Vulnerability observed in Splunk Add-on Builder v4.1.1

When you create a REST API input that uses a URL with a self-signed certificate, the Add-on Builder successfully makes a connection request to the insecure URL, and it connects successfully to any insecure URL that does not have the correct certificates. This vulnerability is resolved in Splunk Add-on Builder v4.1.2.

For upgrade steps, see Upgrade from version 4.1.1 or lower to version 4.1.2 of the Splunk Add-on Builder.
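
As a complementary check, the following added example (not Splunk's code, and not a description of how the Add-on Builder skipped validation) audits the Python source of a data input for places where certificate verification is switched off. The three patterns it looks for are common Python idioms chosen as an assumption, and the sample input is constructed.

```python
import ast

def find_disabled_tls_checks(source, filename="<input source>"):
    """Return sorted (line, reason) pairs where TLS certificate checks are disabled."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Call):
            # requests-style keyword: any call that passes verify=False.
            for kw in node.keywords:
                if (kw.arg == "verify" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is False):
                    findings.append((kw.value.lineno, "verify=False passed to a call"))
            # Standard-library context that skips certificate validation.
            func = node.func
            if isinstance(func, ast.Attribute) and func.attr == "_create_unverified_context":
                findings.append((node.lineno, "ssl._create_unverified_context() used"))
        if isinstance(node, ast.Attribute) and node.attr == "CERT_NONE":
            findings.append((node.lineno, "ssl.CERT_NONE referenced"))
    return sorted(findings)

# Constructed sample of a REST data input; it is parsed, never executed.
SAMPLE_INPUT = '''
import requests, ssl

def collect_events(helper, ew):
    url = helper.get_arg("endpoint")
    ok = requests.get(url, timeout=30)
    bad = requests.get(url, verify=False, timeout=30)
    ctx = ssl._create_unverified_context()
    ctx.verify_mode = ssl.CERT_NONE
'''

if __name__ == "__main__":
    for line, reason in find_disabled_tls_checks(SAMPLE_INPUT):
        print(f"line {line}: {reason}")
```

The audit only catches literal patterns; a value such as verify=some_variable needs manual review.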

Version 4.1.1

  • Fixed an issue where the Add-on Builder was creating an invalid template, which caused alerts with 0 results not to trigger.
  • Fixed an issue where the following error was logged after performing changes to an existing add-on or creating a new one: "TypeError: get_state_store() got an unexpected keyword argument 'max_cache_seconds'"

Version 4.1.0

  • Upgraded vulnerable dependencies and fixed security issues.
  • Fixed package validation issue on Windows.

To update to 4.0.1

  1. Export the app from any Add-on Builder
  2. Import the app into Add-on Builder v4.1.0 or newer
  3. Download the app packaged from Add-on Builder v4.1.0 or newer
  4. The resulting app package that you download will have the fix

Version 4.0.0

  • Generated add-ons support only Python 3.
  • Correctly exported add-ons can be migrated to jQuery 3 and the new UI.
  • Updated how add-ons are generated so that they pass AppInspect requirements.


Version 3.0.1

Fixed a bug to allow add-ons built by the Splunk Add-on Builder to be deployed on Splunk version 7.3.0 and earlier.

Version 3.0.0

Splunk Add-on Builder now supports Python 3.

For more information about migrating to Python 3, see Upgrade the Splunk Add-on Builder App.

To learn more about Python 3 and Splunk Enterprise 8.0, see the Python 3 Migration manual.

Version 2.2.0

What's new in this release:

  • The Add-on Builder allows you to map your data events to any data model which follows the Splunk Add-on Builder standard. For details, see Map to data model.
  • The Add-on Builder allows you to manage source types and extract fields for other apps and add-ons that were not created using the Add-on Builder.
  • The Add-on Builder provides three ways to do field extractions: assisted extractions, manual extractions, and manual transformation. For details, see Extract fields.
  • You can now import and export projects in Splunk Web or by using the migration scripts. For details, see Import and export an add-on project.
  • Improvements have been made to the Manage source types page. For details, see Manage source types.
  • The documentation now provides guidance for what third-party libraries to credit in the add-ons you create with Add-on Builder. See Credit third-party libraries.

Version 2.1.2

What's new in this release:

Version 2.1.1

What's new in this release:

Version 2.1.0

What's new in this release:

  • The Add-on Builder has a new and enhanced setup library consistent with modern Splunk-built add-ons.
  • The Add-on Builder no longer requires you to restart Splunk Enterprise when building new data inputs, creating a new add-on, or any other step.
  • The Add-on Builder home page has been updated and improved.
  • You can now import and export add-on projects, allowing you to work on an add-on on different computers and share projects with others. For details, see Import and export add-on projects.
  • You can now use the Add-on Builder to add CIM mapping to apps and add-ons that were not created using Add-on Builder. For details, see Work with other apps and add-ons.
  • When you configure data inputs using a REST API, you can now add checkpointing for incremental data collection and set JSON event breaking. For details, see Add a data input using a REST API.
  • Improvements have been made to the CIM mapping UI. For details, see Map to CIM.
  • Changes have been made to the way global accounts are implemented in the setup page for an add-on. For details, see Create a setup page.


Upgrade add-ons from earlier versions

When you open an add-on project that was created in an earlier version of Add-on Builder, the add-on is automatically upgraded. Note the following changes:

  • Any UI or dashboards that were created outside of Add-on Builder will no longer be available.
  • If you made any changes outside of Add-on Builder to configuration files, review these files in case your changes were not migrated.
  • Setup pages have changed in version 2.1.0 and are upgraded to the new style. Due to changes between these styles, review your setup pages and verify the text appears correctly. Ensure that display labels for input fields are unique.
  • If you created data inputs with Python code in Add-on Builder 2.0.0, you must upgrade your code for version 2.1.0.
    Replace: def collect_events(helper, inputs, ew):
    With: def collect_events(helper, ew):

Version 2.0.0

What's new in this release:

  • The validation process has been enhanced to include App Certification readiness. This validation process can also be performed on apps and add-ons that were created outside of Add-on Builder. For details, see About Splunk App Certification.
  • You can now create alert actions for your add-ons using the Add-on Builder. For details, see Create alert actions.
  • You can now create adaptive response actions for use with Splunk Enterprise Security. For details, see Create an adaptive response action for Enterprise Security.
  • The Add-on Builder is easier to use with a new workflow and enhanced UI.
  • Bug fixes. For details, see Fixed issues.

Version 1.1.0

What's new in this release:

  • Additional data formats (JSON, XML, and tabular) are now supported, improving field extraction.
  • Adding sample data is easier, with the option to upload sample data files and indexed data from Splunk Enterprise.
  • Support for field extraction and CIM mapping has been added for indexed data in Splunk Enterprise.
  • The framework for modular inputs has changed. See below for details about migrating your code.
  • Bug fixes. For details, see Fixed issues.

Migrating modular input code from an earlier release

The framework for modular inputs has changed. If you are upgrading the Add-on Builder app from a previous release, update your Python code for any modular inputs you created as described below.

Create events

Use the self.new_event method to create events for modular inputs rather than creating an event directly using smi.Event. The arguments are the same.

For example, in the auto-generated code for modular inputs, you would update the sample code as follows.

1. Find this line:

event = smi.Event(source=self.input_name, index=self.output_index, sourcetype=self.output_sourcetype, data=data)

2. Replace it with this line:

event = self.new_event(source=self.get_input_name(), index=self.get_output_index(), sourcetype=self.get_sourcetype(), data=data)

Read configurations from setup pages

The following example code, also included in the auto-generated code for modular inputs, shows how to read configurations from setup pages in the new framework for version 1.1.0:

arg_value = self.get_arg('arg_name')
proxy_settings = self.get_proxy()
account = self.get_user_credential("admin")
userdefined = self.get_global_setting("userdefined")

Version 1.0.1

What's new in this release:

Version 1.0.0

This is the first release of the Splunk Add-on Builder.

Last modified on 16 April, 2024

This documentation applies to the following versions of Splunk® Add-on Builder: 4.2.0

