Speaking from personal experience, building add-ons has never been the easiest task for me. There are numerous steps required, and each step may come with its own challenges. Worse, I might spend time on a solution just to hear it wasn't best practice.
Wouldn’t it be great if there was a way to make this process easier by equipping developers, consultants, and Splunk Admins with the right tool to build their own add-ons? To take it a step further, wouldn’t it be even better if this tool actually helps you build the add-on by following tried and true best practices?
Allow me to introduce you to the Splunk Add-on Builder that helps to address the challenges highlighted above. Splunk Add-on Builder V1 was released on April 1st, 2016. In this release the Add-on Builder assists with building the basic components of add-ons. Namely:
UI-based creation of the add-on and its folder structure.
Intuitive add-on setup page creation: no need to write XML files, just select the fields you want your add-on setup to expose. Multiple accounts and custom fields are easy to support now.
Building data collection: in this release, the Add-on Builder helps you build your modular input using various mechanisms such as a REST API, shell commands, or your own Python code to pull data from third-party systems. If you have a REST API, let us generate the code and the modular input for you. Just enter the API URL and parameters and hit save.
If you need a modular input that requires you to write your own Python code or run a system command, you can use the Add-on Builder to interactively validate the output.
Interactive field extraction: the Add-on Builder uses a machine learning clustering algorithm to classify the data ingested by the add-on into groups that share the same format structure. That means it can automatically generate the field extractions for each group, letting you skip the grunt work and go straight to recognizing event types.
Mapping to CIM made easy.
Last but not least, the Add-on Builder offers validation against best practices, so you can see if you're going to run into trouble before you post your add-on on Splunkbase.
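To make the "group by format structure, then generate an extraction per group" idea concrete, here is an added illustration (not the Add-on Builder's own code, and a deliberately simple exact-signature grouping rather than its machine learning clustering). The sample events are constructed for this example; each event is reduced to a structural skeleton, events with identical skeletons form a group, and one regex with named capture groups is generated per group.

```python
import re
from collections import defaultdict

# Constructed sample events in two distinct layouts (not taken from any real add-on).
SAMPLE_EVENTS = [
    "2016-04-01 10:00:01 user=alice action=login src=10.0.0.5 status=success",
    "2016-04-01 10:00:07 user=bob action=login src=10.0.0.9 status=failure",
    "2016-04-01 10:01:12 user=carol action=logout src=10.0.0.5 status=success",
    "WARN disk /dev/sda1 at 91% capacity",
    "WARN disk /dev/sdb1 at 77% capacity",
]

KV = re.compile(r"^(\w+)=(\S+)$")                 # key=value token
VALUE_LIKE = re.compile(r"^(?:\d[\d:%.-]*|/\S+)$")  # numbers, timestamps, percentages, paths

def signature(event):
    """Reduce an event to its structural skeleton: keep keys and literal words,
    replace values with a placeholder. Same skeleton means same format."""
    skeleton = []
    for tok in event.split():
        m = KV.match(tok)
        if m:
            skeleton.append(f"{m.group(1)}=<v>")
        elif VALUE_LIKE.match(tok):
            skeleton.append("<v>")
        else:
            skeleton.append(tok)
    return tuple(skeleton)

def regex_for(skeleton):
    """Turn a skeleton into an extraction regex with named capture groups,
    using the key name for key=value fields and field1, field2, ... otherwise."""
    parts, n = [], 0
    for tok in skeleton:
        if tok.endswith("=<v>"):
            key = tok[:-4]
            parts.append(rf"{key}=(?P<{key}>\S+)")
        elif tok == "<v>":
            n += 1
            parts.append(rf"(?P<field{n}>\S+)")
        else:
            parts.append(re.escape(tok))
    return r"\s+".join(parts)

def cluster_and_extract(events):
    """Group events by skeleton; return {regex pattern: [extracted fields per event]}."""
    groups = defaultdict(list)
    for ev in events:
        groups[signature(ev)].append(ev)
    result = {}
    for skel, evs in groups.items():
        rx = re.compile(regex_for(skel))
        result[rx.pattern] = [rx.match(ev).groupdict() for ev in evs]
    return result
```

Running `cluster_and_extract(SAMPLE_EVENTS)` yields two groups: one regex naming `user`, `action`, `src` and `status`, and one for the disk warnings with positional `field1` and `field2` that a developer would then rename before mapping to CIM.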
Please give Splunk Add-on Builder a try and provide us with your feedback. We’re very excited to hear how the first version works for you, and we are looking forward to your help to take this to the next level.