SPLUNK DEVELOPERS GUIDE PDF


Selection from Splunk Developer's Guide, Second Edition, by Kyle Smith (Packt).




A Splunk application can be opened from the Splunk Enterprise home page, from the App menu, or from the Apps section of Settings. Why applications? Applications allow us to quickly share configurations, focus on the context of available data, limit data access to specific individuals or groups, and organize similar dashboards and views into a cohesive presentation of data within Splunk. Sharing an application can be as easy as zipping it up and sending it out.

Splunk applications could be said to be open source, because almost all of the configurations, custom scripts, and other knowledge objects contained within them are readable on the filesystem. This allows for customization of an individual instance while maintaining an overall master configuration.

Definitions

To get started, we should define a few naming conventions typically used when naming applications. Note that while we will use these naming conventions as the best practice, your application can really be named anything at all, which may conflict with other applications of the same name, or violate Splunk usage agreements or publishing guidelines.

In particular, the name Splunk cannot be present in your application or add-on name. Additionally, in the past, Splunk has referred to add-ons as technology add-ons, and has since moved to just add-ons.

The following list of add-on types is our way to distinguish the different uses of each add-on.

Applications: Applications could be named anything, as long as the name is relevant to the content of the application and doesn't contain the name Splunk.

Domain add-ons (DA): Domain add-ons are not full applications; rather, they contain the visualizations and presentation of the data for a broader application. No other configurations should be included (extracts, tags, event types, macros, line-breaking configurations, and so on). Dashboards and views are the primary objects contained within this type of add-on.


Supporting add-ons (SA): Supporting add-ons are also not full applications; they contain data definitions, such as macros, saved searches, event types, and tags. These describe how to correlate, normalize, and consolidate the data so that it is usable in the domain add-on.

Technology add-ons (TA): Technology add-ons provide extraction, data massaging, and index-time configurations. These can also be referred to as technical add-ons. They contain the configuration options required to properly break events, extract search fields, and create timestamps, among other functions.

These are the building blocks for the SA and DA add-ons, as well as full-blown applications. Follow the Splunk application design guidelines.

Using a custom naming scheme may cause conflicts. That concludes the official naming conventions normally seen in a Splunk installation. We will now discuss some other naming conventions that have been found helpful in the wild west of various Splunk installations.

These two naming conventions are of the author's own design and have helped in some of his deployments.

Input add-ons (IA): Input add-ons are just that: configurations that assist in the collection of data, known as inputs. These add-ons are most likely found on a deployment server and are used to collect data from universal forwarders. One of the advantages of splitting your IAs from your TAs is a reduced size of the add-on being sent to the universal forwarder.

This is especially useful if your TA contains lookups that aren't needed on the universal forwarder but are several megabytes in size. The second is a very special add-on. It would typically contain administrative configurations that might be needed in a variety of locations, such as the web server SSL port, deployment client information, or anything in web. It can be used to send index information to a set of non-clustered indexers, or to scale the addition of more search heads by setting all relevant settings from a central location.

While this may not be a complete list of naming conventions, it should be enough to recognize any that are seen in the wild. An additional aspect of the naming conventions that we recommend is the addition of company information. This will help your Splunk admins differentiate between Splunk-provided add-ons and custom add-ons. For instance, Splunk's provided add-on is entitled TA-cisco, but you don't want to modify a vendor's offering.

This gives you two things. Let's discuss application precedence for a moment. Splunk uses a merged configuration when applying the configurations installed via applications.

The methodology that Splunk chose to implement conflict resolution is pretty simple. There are two different methods of precedence. The first is directory structure. If you have an input located in the default folder of an application (more on default in later chapters), you can place a matching configuration in the local folder of the application to override the default configuration.

The second method is applied to the applications themselves: sorting the application names in ASCII order shows their precedence, and the first in the list has the highest priority.

A has a higher priority than Z, but Z has a higher priority than a. So, the A at the beginning of the add-on name gives your add-on the highest precedence, so you can override any setting as needed.
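The two precedence rules above (local over default within an app, then ASCII order of app names, so "A" beats "Z" beats "a") decide which app's copy of a setting actually takes effect, which is exactly what you need to know when auditing who changed an index or sourcetype. The following simulation is an added example, not code from the book or from Splunk; the app names, stanza and values are constructed, and it models the global context used by files such as inputs.conf, where every app's local/ layer ranks above every app's default/ layer.

```python
"""Added example: simulate Splunk's merged-configuration precedence (global context)."""
import configparser

# Constructed sample apps, mirroring $SPLUNK_HOME/etc/apps/<app>/<layer>/inputs.conf.
# Every layer configures the same monitor stanza so the precedence rules are visible.
APPS = {
    "TA-example": {
        "default": "[monitor:///var/log/auth.log]\nindex = main\nsourcetype = linux_secure\n",
        "local":   "[monitor:///var/log/auth.log]\nindex = security\n",
    },
    "A-acme_overrides": {
        "default": "[monitor:///var/log/auth.log]\nsourcetype = acme:auth\n",
    },
    "a-lowercase": {
        "default": "[monitor:///var/log/auth.log]\nindex = loses\nsourcetype = loses\n",
    },
}


def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; keys keep their case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # Splunk keys are case-sensitive; do not lowercase them
    cp.read_string(text)
    return {stanza: dict(cp[stanza]) for stanza in cp.sections()}


def app_precedence(names):
    """Highest priority first. A plain code-point sort is ASCII order: 'A' < 'Z' < 'a'."""
    return sorted(names)


def effective_config(apps):
    """Merge layers lowest-priority first so each higher layer overwrites the last.

    Global-context order, low to high: every app's default/ (reverse ASCII order),
    then every app's local/ (reverse ASCII order). Each winning value is tagged
    with the app/layer that set it so an auditor can see where it came from."""
    merged = {}
    for layer in ("default", "local"):
        for app in reversed(app_precedence(apps)):
            for stanza, keys in parse_conf(apps[app].get(layer, "")).items():
                for key, value in keys.items():
                    merged.setdefault(stanza, {})[key] = (value, f"{app}/{layer}")
    return merged


if __name__ == "__main__":
    for stanza, keys in effective_config(APPS).items():
        print(f"[{stanza}]")
        for key, (value, source) in keys.items():
            print(f"  {key} = {value}    # set by {source}")
```

Run as a script it prints the winning value for each key with the app and layer that set it; in the sample, TA-example/local wins index even though A-acme_overrides sorts first, because local layers outrank all default layers, while A-acme_overrides/default wins sourcetype and a-lowercase never wins anything.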

From this point forward, both Splunk applications and add-ons will be referred to formally as Apps, purely as a convenience.

Designing the App

So you've decided that you need an App? Now that you know that you need one, you need to decide on a few more items as well. It is important to do a little bit of planning, as even the simplest Apps can evolve into super-complicated Apps, with dashboards, saved searches, workflows, and more.

Never assume "well, this'll just be a quick development", as, most of the time, it is not.

Identifying the use case

First and foremost, try to determine the scope of your App. Once you have the scope planned out, try to limit the amount of scope creep that occurs, if possible. You may just be trying to perform extractions on your data, and if that is your current end goal, stop there.

Don't try to build a full-blown suite on your first attempt. Build the IA, then the TA, and then move on from there. Ask yourself these questions as you try to determine your scope:

What am I trying to accomplish?
Search-time extractions?
Index-time parsing?
Dashboards to share?
Who is my target audience?

These questions can help you spark an idea of what internal resources would need to be engaged, as well as any kind of documentation and educational requirements.

Identifying what you want to consume

Once you have determined the scope of the App, you will need to decide how and from where you will consume the data. Getting data into Splunk can happen in a very wide variety of ways. There is no set manner of input that will work on all data sources.

You may have to develop a new script or modular input. Being aware of where your data is coming from is the key to getting it consumed correctly the first time. A few questions you may ask yourself could be:

How do I get the data?
What format is the data?
Is it already extracted or well known, like syslog, or do I need to write custom extractions?

There is a lot of data out in the wild, but not all of it may be relevant to your use case. You may find that you need only a subset of the endpoints a service makes available for data collection. Not only will you save on license usage, but your indexers will thank you for it as well.

Identifying what you want to brand

Another key thought process in App development is how far you want to brand your App. Splunk has a very robust architecture and framework, providing you with the ability to customize your Apps extensively. You can override any individual piece of CSS and extend SplunkJS Stack to include any number of different visualizations or third-party libraries. Additional questions you might ponder would include:


Do I need to engage an internal graphics resource to design and create App icons? App logos?
Am I going for mobile or static desktops?
What desktop size is typical of incoming users?
To what extent should I customize my App?

There are many options available to brand your App, but all customizations should conform to the Splunk branding guidelines for developers.

Visit http:

Identifying what you want to display

Once you have the whats and hows of the data you're going to collect, you need to figure out visualizations. How you display the information is just as important as what data you collect. Splunk comes with a variety of graphs and displays right out of the box, and can be extended quite easily to include some really cool presentations. Some of the questions posed to you might be:

Do you need a programmer to write custom modules or extend SplunkJS views and managers?

What third-party graphing or graphic libraries do you need to document, develop, or get permission to use?

Do you need to engage a statistician to determine the best and most effective way to display your data? Some stats, such as max, mean, and min, are easy; others, such as confidence intervals and trendlines, are not. Such a small list of questions hardly precludes any other relevant discussion within your organization. The more internal discussion that can take place, the better and more thought-out your App may turn out.

Installing Apps

As a Splunk developer, you should be aware of the three methods to install Apps.

There are advantages and disadvantages to each method, but no required method. It is mostly personal preference as to which method is used by the end user, but, typically, newer Splunk users will use the Web interface, while advanced users will use the command line.


Let's review those methods, just to keep them fresh in your mind. Once you have downloaded the App from its source, navigate to the Manage Apps section of Splunk. You will find this at the top-left of Splunk Web, as shown in the following screenshot. Once you have clicked on Manage Apps, you will see a button to install the app from a file. You can also browse the Splunk App store, using the first button.

This brings you to a form that you can use to actually install the App.

Simply click on the Browse button, select the file you downloaded, check the Upgrade box if this App has already been installed, and then click on Upload. That's it! Splunk takes the App, installs it, and prompts to restart if needed. It is entirely possible to install Apps via the command line alone. Doing so requires having the following: Follow these steps to install an App via CLI: Run the.

Splunk will install the App. You may be prompted to restart, depending on the contents of the App. Index-time configurations require a restart, whereas search-time configurations do not. If the App was constructed properly, the only steps you need to perform are as follows: Change the file extension from. Use your favorite utility and unzip the file into the folder. This will overwrite any other settings you have configured, including local configurations, if they are present in the zip file.


We will cover directory structure in the next chapter.

Downloading the example code

You can download the example code files from your account at http: If you purchased this book elsewhere, you can visit http:

Summary

In this chapter, we covered the basic fundamentals of designing and installing Splunk Apps.

