How do you allow a user of an add-on app created by the "Splunk Add-on Builder" app to configure the source and source type?

jeffrey_berry
Path Finder

How do you allow a user of an add-on created by the "Splunk Add-on Builder" app to configure the source and source type of the input data? It appears that this feature does not exist.

If the feature does not exist, has anyone been able to modify the config files of an add-on built using the Add-on Builder app to change the source and source type?

0 Karma

jeffrey_berry
Path Finder

The above links to docs give instructions for managing the source and source type within the "Splunk Add-on Builder" app, which is not the question. I will re-phrase... How can a user within a created add-on app be given an input screen to manage the source and source type? For example, a data input parameter can be created in the "Splunk Add-on Builder" to allow the user of the add-on app to customize the values sent for a REST API, but a data input parameter cannot be created for the source or source type.

0 Karma

chli_splunk
Splunk Employee

Oh, you want to expose source or source type to end users. Per addon best practice, these index time fields should be input by developers rather than users. The reason is that an addon is built for a specific data source, and developers should know the proper source or source type names, as well as the field extractions associated. So leaving these values to end users may have some potential risks on field extraction. AoB doesn't support this yet.

If you still want to do this, please refer to this link, which allows users to input the index.
https://answers.splunk.com/answers/679480/splunk-addon-builder-how-to-create-an-input-that-s.html

0 Karma

jeffrey_berry
Path Finder

I agree with you that an "unauthorized" end user of a Production environment should not be granted rights to change settings like source and source type. However, administrator end users should have the ability to change the source and source type of a created add-on app without the need of the developer to change the settings in the "Splunk Add-on Builder" app.

I do not follow how the url link that you provided assists with adding source and source type fields to a created add-on app. The "Splunk Add-on Builder" app allows an end user of a created add-on app to change/manage the index without any additional configuration (see https://docs.splunk.com/Documentation/AddonBuilder/2.2.0/UserGuide/Usetheaddon ), but not the source and source type. If the index is allowed to be managed by an end user of a created add-on app, why is it not allowed for the source and source type to be managed by an end user? Can you provide more details to add the source and source type input fields to a created add-on app to manage the source and source type of the ingested data by the created add-on?

0 Karma

chli_splunk
Splunk Employee

Source or Sourcetype is the bridge of data inputs & field extractions. Any specific addons should not expose them unless end users want to build both by themselves like developers.
Anyways, if you do want to do this, here is one workaround. Use a Python data input, and compose the event by replacing helper.get_sourcetype() or helper.get_input_type() with your customized parameters.

event = helper.new_event(source=helper.get_input_type(), index=helper.get_output_index(), sourcetype=helper.get_sourcetype(), data=data)
ew.write_event(event)

0 Karma
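
The workaround from the reply above, as an added example that is not part of the original post and is not Splunk's or the Add-on Builder's own code: the admin-supplied values replace the defaults only when they validate, so events cannot land under a sourcetype the add-on has no field extractions for. The parameter names custom_sourcetype and custom_source, the allow-list values and the Fake* stand-in classes are assumptions made for illustration.

```python
import re

# Assumption: sourcetypes this add-on ships field extractions for (constructed names).
ALLOWED_SOURCETYPES = {"acme:api:audit", "acme:api:alert"}
SAFE_SOURCE = re.compile(r"[A-Za-z0-9_.:/-]{1,128}")

def resolve_metadata(helper):
    """Return (source, sourcetype); admin overrides win only if they validate."""
    source, sourcetype = helper.get_input_type(), helper.get_sourcetype()
    # Hypothetical input parameters defined on the data input in Add-on Builder.
    custom_st = (helper.get_arg("custom_sourcetype") or "").strip()
    custom_src = (helper.get_arg("custom_source") or "").strip()
    if custom_st in ALLOWED_SOURCETYPES:
        sourcetype = custom_st
    elif custom_st:
        # An unknown sourcetype would skip the add-on's extractions: keep the default.
        helper.log_warning("ignoring unsupported sourcetype %r" % custom_st)
    if SAFE_SOURCE.fullmatch(custom_src):
        source = custom_src
    elif custom_src:
        helper.log_warning("ignoring malformed source %r" % custom_src)
    return source, sourcetype

def write_data(helper, ew, data):
    """Compose the event as in the reply above, using the resolved metadata."""
    source, sourcetype = resolve_metadata(helper)
    event = helper.new_event(source=source, index=helper.get_output_index(),
                             sourcetype=sourcetype, data=data)
    ew.write_event(event)
    return event

class FakeHelper:
    """Constructed stand-in for the Add-on Builder helper, for offline runs only."""
    def __init__(self, **args):
        self.args, self.warnings = args, []
    def get_arg(self, name): return self.args.get(name)
    def get_input_type(self): return "acme_rest_input"
    def get_sourcetype(self): return "acme:api:audit"
    def get_output_index(self): return "main"
    def log_warning(self, msg): self.warnings.append(msg)
    def new_event(self, **fields): return fields

class FakeWriter:
    """Constructed stand-in for the event writer; records what was written."""
    def __init__(self): self.events = []
    def write_event(self, event): self.events.append(event)
```

Inside a real add-on, write_data would be called from collect_events(helper, ew) with the fetched payload, and the two Fake* classes would be dropped.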

jeffrey_berry
Path Finder

Other Splunk supported apps expose the source and source type that allows end users to set the values as needed. For example, the Splunk DB Connect app (see the doc at https://docs.splunk.com/Documentation/DBX/3.1.4/DeployDBX/Createandmanagedatabaseinputs ).

Are you aware of a way to expose the source and source type for a created add-on app for a REST API data input?

The data can be ingested by a REST API data input without writing Python code for it.

0 Karma

chli_splunk
Splunk Employee

DBX is more like a protocol such as TCP, file monitoring & HEC. For these common tunnels, users can ingest ANY data for ANY sources, so users should be able to input source or sourcetype.
However, this is only my impression. If you do have such requirements, please file a JIRA and our PM may consider it. Thanks.

0 Karma

jeffrey_berry
Path Finder

Users of a REST API can "ingest ANY data for ANY sources" also. As an example, a REST API could have an input parameter for a query to a third party database, log files, and/or some other data source(s) which has different data and/or sources. I am not familiar with the JIRA process for the "Splunk Add-on Builder" app. Do you have a URL link for it?

0 Karma