Splunk Dev

Can my Splunk app listen for all incoming log events?

nohyei6v
Explorer

I am new to Splunk but would like to make a plugin for others to use: it should read all incoming events and scan them for certain contents. As an example (this is not my use case), imagine the app would look for IP addresses being logged. It would then use any IP addresses it finds, check them for a certain property (e.g. reachability), and create new log entries if relevant.

The part I can't find in the documentation (or ducking/googling) is how to listen for events. Using the Add-on Builder I got to the point where my Python code gets called every X seconds, but there does not seem to be a way to register a callback for log entries. Is this possible?

One workaround I can think of is using the "every X seconds" callback (collect_events(helper, ew)) to perform a search in Splunk for events that occurred between now and X seconds ago (or perhaps search any events with a higher ID than the highest resulting ID of the previous search), but it seems rather inefficient. Would this be the way to implement this?

Labels (2)
0 Karma
1 Solution

starcher
SplunkTrust
SplunkTrust

That is not how splunk addons work. You don't listen to incoming events. The search over indexed data would be the correct method.

View solution in original post

starcher
SplunkTrust
SplunkTrust

That is not how splunk addons work. You don't listen to incoming events. The search over indexed data would be the correct method.

nohyei6v
Explorer

Thanks for the response! Odd that Splunk doesn't implement something so basic as running the data through some custom code for additional functionality, I expected that to be core to many add-ons.

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...