Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What is the process that I should follow to build an add-on from scratch ?

RS001
New Member
‎07-09-2015 06:39 AM

Hello, I am new to Splunk and I would like to build an add-on that gets the data and performs a function on a column that we choose ( for example: adding a value ). I don't know from where I should start and what to do so any help would be appreciated.

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎07-09-2015 08:14 AM

If you can, join us on IRC, #splunk on efnet.org, and we can go over exactly what you are looking for in real-time and see if we can help point you in the right direction.

Reply

bwooden
Splunk Employee
Splunk Employee
‎07-09-2015 11:39 AM

Based on clarifications added since this was posted, I recommend indexing this data "as is". Splunk's search language is powerful and visualizations are easy to create. The advantage of indexing the data "as is" and performing the calculations at search time is that you can change the calculations whenever you want, without needing to re-index the data. You could then have different panels displaying different visualizations and/or using different calculations from the same base search.

Reply

mreynov_splunk
Splunk Employee
Splunk Employee
‎07-09-2015 01:15 PM

if you do end up developing an add-on, then look into using EVAL (see more here: http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf).

0 Karma
Reply

woodcock
Esteemed Legend
‎07-09-2015 07:34 AM

Based on your clarification (ask a question better and you get better answers):

What I want is to build an add-on that before data indexing gets the values of a certain column and for example multiplies that column value by 100 .

You need to do something very similar to anonymize which you can read about here:

http://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedatausingconfigurationfiles#Anonymi...

So you could do something like this:

SEDCMD-multiply_field_x_by_100 = s/x=(\d+)/x=\100/
0 Karma
Reply

RS001
New Member
‎07-09-2015 07:50 AM

Thank you for your answer. So to make things clear, this is what I want :
- Develop a plugin or something that gets the data ( I am new to Splunk so I really don't know what is the best way to do this )
- Checks the columns and adds a value to a certain column ( I have data of salaries, so I want to add a value to certain rows )
- Then I want to visualise the data

In your opinion what is the best way to do this ?
I know you gave me an answer but I really don't know where to write this expression so if there's a tutorial on how to do this or something that can be helpful I would appreciate it.
Thank you in advance Sir 🙂

0 Karma
Reply

mreynov_splunk
Splunk Employee
Splunk Employee
‎07-09-2015 01:20 PM

you have 2 options:

  1. do everything through UI (as per @bwooden) recommendation. This is the quickest way to get where you are going and might be best for a beginner. Through the search commands, you can create new columns, do calculatations etc
  2. create an add-on. this is more complicated, but more powerful. this is a great solution if you are technical and want to have deep Splunk knowledge eventually. There is a development guide here: dev.splunk.com/goto/devguide
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-09-2015 07:55 AM

I've done this many times using scripted inputs. Once the data is in Splunk you can use the Searching & Reporting app to visualize it.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

woodcock
Esteemed Legend
‎07-09-2015 07:54 AM

I forgot the URL:

http://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedatausingconfigurationfiles#Anonymi...

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-09-2015 07:16 AM

You can do that with a scripted input. Create a script in your favorite programming language that fetches data, performs the necessary transforms, and then writes it to stdout. Everything sent to stdout will be indexed by Splunk. When your script is ready, go to Settings->Data Inputs->Scripted inputs and click the Add New link. Enter the command that launches your script plus scheduling info and click Save. See http://docs.splunk.com/Documentation/Splunk/6.2.4/AdvancedDev/ScriptedInputsIntro.

---
If this reply helps you, Karma would be appreciated.
Reply

woodcock
Esteemed Legend
‎07-09-2015 06:57 AM

You are describing a macro; read about it here:

http://docs.splunk.com/Documentation/Splunk/latest/Search/Usesearchmacros

0 Karma
Reply

RS001
New Member
‎07-09-2015 07:06 AM

No this is not what I mean ! What I want is to build an add-on that before data indexing gets the values of a certain column and for example multiplies that column value by 100 .

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...