Splunk Add-on Builder Overview

The Add-on Builder is a tool that helps developers quickly create add-ons for Splunk. With the Add-on Builder, you can configure data inputs, create alert actions, create a setup page, perform field extractions, and add CIM mapping to your data using a UI, without having to edit and manage Splunk configuration files. The Add-on Builder also validates your add-on against best practices and app certification, and provides suggestions for fixing issues before you package your add-on for distribution.

Get familiar with the Splunk Add-on Builder by following this step-by-step guide that shows how to use the Add-on Builder to build sample add-ons to address different use cases.

DISCLAIMER: The Splunk Add-on Builder is intended for on-premises customers and developers only. It is intended for those interested in developing Splunk Add-ons and should not be used in a production environment. Please note that if you are using the Splunk Add-on Builder with any third-party add-on, or component thereof, you are responsible for ensuring that your actions comply with the applicable third-party license terms.

  • The Splunk Add-on Builder is not compatible with search head clusters or Splunk Cloud.
  • Using the Add-on Builder requires that you have the admin role.

To get started, you'll need to use a computer running Splunk Enterprise in a development environment, such as on a laptop. Then:

  1. Download the Splunk Add-on Builder app.
  2. On the Splunk Web home page, click the Manage Apps gear icon next to Apps, then click Install app from file.
  3. Click Choose File, navigate to and select the Splunk Add-on Builder package file, then click Open.
  4. Click Upload.
  5. Click Restart Later.

You'll also need to install the Splunk Common Information Model (CIM) add-on, which is required for working with adaptive response actions for Enterprise Security, and for mapping fields in your data to the CIM:

  1. Download the Splunk Common Information Model add-on.
  2. On the Splunk Web home page, click the Manage Apps gear icon next to Apps, then click Install app from file.
  3. Click Choose File, navigate to and select the Splunk Common Information Model package file, then click Open.
  4. Click Upload.
  5. Click Restart Splunk.

Meet the Add-on Builder

Start the Splunk Add-on Builder from the Splunk Web home page to see the main page of the app:

[Add-on Builder home page]

The top section shows you all of your Add-on Builder projects, along with details about them such as the last modified date, author, and version. You can open these projects and continue working on them using the Add-on Builder.

You'll also see the other apps and add-ons that are installed on your Splunk instance. You can map their fields to CIM, create alert actions for them, and run the validation check on them.