
How to create your own add-on? | How to parse unusual logs?

splunky_diamond
Path Finder

Hello Splunkers!

I am collecting logs from Fudo PAM for which I haven't found any suitable existing add-on on the Splunk Base website. The logs are being collected over syslog, yet the regular "syslog" sourcetype doesn't suit the events coming from my source. I was searching the web for some tutorials on how to create your own add-on in Splunk in order to parse the unusual logs like in my case, but I haven't found any. 

Could someone please help me with that? Does anyone have any tutorial or guide on how to create your own parser, or can maybe explain what is needed for that, in case it's not a difficult task?

If someone decides to provide an answer themselves, by explaining how to create your own add-on, I would really appreciate a detailed description that includes such notes as: required skills, difficulty, how long it will take, and whether it's the best practice in such situations or there are more efficient ways.

Again, the main goal for me is to get my logs from Fudo PAM (coming over syslog) parsed properly. 

Thank you for taking your time reading my post and replying to it ❤️


gcusello
SplunkTrust

Hi @splunky_diamond ,

the best guide in add-on creation is the Splunk Add-On Builder app (https://splunkbase.splunk.com/app/2962).

It guides you in the creation and in the normalization of your data to have a CIM compliant data flow that you can use also in ES or ITSI.

Ciao.

Giuseppe
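For readers who want to see what an add-on for an unfamiliar syslog source actually contains before opening the Add-On Builder, here is an added example of the configuration files such an add-on ends up with (the Builder generates files of this shape for you). This is not code from the thread, from Splunk, or from Fudo; the log line it parses is a constructed placeholder, not the real Fudo PAM format, and the app name `TA-fudo-pam`, the sourcetype `fudo:pam`, the TCP port 1514 and the index `pam` are all assumptions. It covers both halves of the question: getting the raw events broken and timestamped correctly (index-time settings) and extracting fields and normalising them to CIM names so the data can feed ES or ITSI (search-time settings).

```ini
# Constructed sample event (assumed shape, NOT the actual Fudo PAM format):
#   Aug 20 10:15:42 fudo01 fudo[1234]: session_start user=jdoe src=10.0.0.5 target=db01.example.com proto=ssh result=success

# ---- TA-fudo-pam/default/inputs.conf ----
# Dedicated listener so these events never land in the generic "syslog" sourcetype.
# Port, index and sourcetype name are assumptions.
[tcp://1514]
sourcetype = fudo:pam
index = pam
connection_host = ip
disabled = 0

# ---- TA-fudo-pam/default/props.conf ----
[fudo:pam]
category = Custom
description = Constructed example sourcetype for PAM syslog events

# --- index-time: one event per line, explicit timestamp parsing ---
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TRUNCATE = 10000
# Classic syslog timestamp ("Aug 20 10:15:42") at the start of each line; the
# year is absent and Splunk infers it, so pin the format rather than guessing.
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 20

# --- search-time: field extraction ---
# Header "<ts> <host> <process>[<pid>]: <event_type> ..." via named capture groups.
EXTRACT-fudo_header = ^\w{3}\s+\d{1,2}\s+[\d:]{8}\s+(?<syslog_host>\S+)\s+(?<process>[^\[\s]+)\[(?<pid>\d+)\]:\s+(?<event_type>\S+)
# The body is key=value pairs, so let automatic KV extraction pick up
# user, src, target, proto and result without a second regex.
KV_MODE = auto

# --- CIM normalisation (Authentication data model field names) ---
# Aliases and calculated fields run after KV extraction, so they can use its fields.
FIELDALIAS-fudo_cim = target AS dest
EVAL-action = if(result=="success","success","failure")
EVAL-app = "fudo_pam"

# ---- TA-fudo-pam/default/eventtypes.conf ----
# An eventtype plus a tag is what makes the events visible to the CIM data model.
[fudo_pam_session]
search = sourcetype=fudo:pam event_type=session_start

# ---- TA-fudo-pam/default/tags.conf ----
[eventtype=fudo_pam_session]
authentication = enabled
```

Place the `TA-fudo-pam` folder under `$SPLUNK_HOME/etc/apps/` on the instance that receives the data (the index-time settings only take effect for events ingested after a restart) and on the search head (the `EXTRACT-`, `KV_MODE`, `FIELDALIAS-`, `EVAL-`, eventtype and tag settings). A quick check is `index=pam sourcetype=fudo:pam | table _time user src dest action` against a few real events; if `_time` or the fields come out wrong, adjust `TIME_FORMAT` and the header regex to the real log format first, since everything downstream depends on them. In many deployments syslog is first landed by rsyslog, syslog-ng or Splunk Connect for Syslog and then read from files rather than via a direct TCP input like the one above, but the props.conf side is the same either way.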

splunky_diamond
Path Finder

Thank you very much @gcusello!

You never fail to deliver the best solutions for Splunk newbies like me 🙂


gcusello
SplunkTrust

Hi @splunky_diamond ,

it's always a pleasure!

Ciao.

Giuseppe
