One of the best ways to learn is by example. If you want to build your own Splunk app, one of the best things you can do is dissect other apps.
In the YouTube video below, I slowly go through a simple but useful app that adds a single search command: timewrap.
I go line-by-line, file-by-file, explaining everything. You will learn something.
YouTube video: Splunk App Walkthrough: Timewrap
A few notes:
- Yes, that’s a Hobbit movie poster behind me
- It’s about 50 minutes long, most of it dealing with the details of the Python search command.
- Tell me if it was helpful, or what I could do to improve it.