Data
Reader small image

You're reading from  Implementing Splunk: Big Data Reporting and Development for Operational Intelligence

Product typeBook
Published inJan 2013
PublisherPackt
ISBN-139781849693288
Edition1st Edition
Tools
Splunk
Concepts
Big Data
Right arrow
Author (1)
VINCENT BUMGARNER
VINCENT BUMGARNER
author image
VINCENT BUMGARNER

Vincent Bumgarner has been designing software for over 20 years, working with many languages on nearly as many platforms. He started using Splunk in 2007 and has enjoyed watching the product evolve over the years. While working for Splunk, he has helped many companies train dozens of users to drive, extend, and administer this extremely flexible product. At least one person in every company he has worked with has asked for a book, and he hopes that this book will help fill their shelves.
Read more about VINCENT BUMGARNER

Right arrow

Chapter 12. Extending Splunk

While the core of Splunk is closed, there are a number of places where you can use scripts or external code to extend the default behaviors. In this chapter, we will write a number of examples, covering most of the places where external code can be added. Most code samples are written in Python, so if you are not familiar with Python, a reference may be useful.

We will cover:

  • Writing scripts to create events

  • Using Splunk from the command line

  • Calling Splunk via REST

  • Writing custom search commands

  • Writing event type renderers

  • Writing custom search action scripts

The examples used in this chapter are included in the app ImplementingSplunkExtendingExamples, which can be downloaded from the support page of the Packt Publishing website (www.packtpub.com/support).

Writing a scripted input to gather data

Scripted inputs allow you to run some piece of code on a scheduled basis, and capture the output as if it were simply being written to a file. It does not matter what language the script is written in, or where it lives, as long it is executable. We touched on this topic in the Using scripts to gather data section in Chapter 11, Advanced Deployments. Let's write a few more examples.

Capturing script output with no date

One common problem with script output is the lack of a predictable date or date format. In this situation, the easiest thing to do is to tell Splunk to not try to parse a date at all, and instead use the current date instead. Let's make a script that lists open network connections:

from subprocess import Popen
from subprocess import PIPE
from collections import defaultdict
import re


def add_to_key(fieldname, fields):
    return " " + fieldname + "+" + fields[fieldname]

output = Popen("netstat -n -p tcp", stdout=PIPE, 
             ...

Using Splunk from the command line

Almost everything that can be done via the web interface can also be accomplished via the command line. For an overview, see the output of /opt/splunk/bin/splunk help. For help on a specific command, use /opt/splunk/bin/splunk help [commandname].

The most common action to perform on the command line is search. For example, have a look at the following code:

$ /opt/splunk/bin/splunk search 'foo'
2012-08-25T20:17:54 user=user2 GET /foo?q=7148356 uid=MzA4MTc5OA
2012-08-25T20:17:54 user=user2 GET /foo?q=7148356 uid=MzA4MTc5OA
2012-08-25T20:17:54 user=user2 GET /foo?q=7148356 uid=MzA4MTc5OA
...

Things to note:

  • By default, searches are performed over All time. Protect yourself by including earliest=-1d or an appropriate time range in your query.

  • By default, Splunk will only output 100 lines of results. If you need more, use the -maxout flag.

  • Search requires authentication, so the user will be asked to authenticate unless -auth is included as an argument.

Most use...

Querying Splunk via REST

Splunk provides an extensive HTTP REST interface, which allows searching, adding data, adding inputs, managing users, and more. Documentation and SDKs are provided by Splunk at http://dev.splunk.com/.

To get an idea of how this REST interaction happens, let's step through a sample conversation to run a query and retrieve the results. The steps are essentially as follows:

  1. Start the query (POST).

  2. Poll for status (GET).

  3. Retrieve results (GET).

We will use the command line program cURL to illustrate these steps. The SDKs make this interaction much simpler.

To start a query, the command is as follows:

curl -u user:pass -k https://yourserver:8089/services/search/jobs
  -d"search=search query"

This essentially says to POST search=search query. If you are familiar with HTTP, you might notice that this is a standard POST from an HTML form.

To run the query earliest=-1h index="_internal" warn | stats count by host, we need to URL encode the query. The command then is as follows:

...

Writing commands

To augment the built-in commands, Splunk provides the ability to write commands in Python and Perl. You can write the commands to modify events, replace events, or even dynamically produce events.

When not to write a command

While external commands can be very useful, if the number of events to be processed is large, or if performance is a concern, it should be considered a last resort. You should make every effort to accomplish the task at hand using the search language built into Splunk, or other built-in features. For instance, if you need:

  • Regular expressions—learn to use rex, regex, and extracted fields

  • To calculate a new field, or modify an existing field—look into eval (search for splunk eval functions with your favorite search engine)

  • To augment your results with external data—learn to use lookups , which can also be a script, if need be

  • To read external data that changes periodically—consider using inputcsv

The performance issues introduced by external commands come from...

Writing a scripted lookup to enrich data

We covered CSV lookups fairly extensively in Chapter 6, Extending Search, then touched on them again in Chapter 9, Summary Indexes and CSV Files and Chapter 10, Configuring Splunk. The capabilities built into Splunk are usually sufficient, but sometimes it is necessary to use an external data source or dynamic logic to calculate values. Scripted lookups have the following advantages over commands or CSV lookups:

  • Scripted lookups are only run once per unique lookup value, as opposed to a command, which would run the command for every event

  • The memory requirement of a CSV lookup increases with the size of the CSV file

  • Rapidly changing values can be left in an external system and queried using the scripted lookup instead of being exported frequently

In the Using a lookup with wildcards section in Chapter 9, Summary Indexes and CSV Files, we essentially created a case statement through configuration. Let's implement that use case as a script, just to show...

Writing an event renderer

Event renderers give you the ability to make a specific template for a specific event type. To read more about creating event types, see Chapter 6, Extending Search.

Event renderers use mako templates (http://www.makotemplates.org/). An event renderer is comprised of the following:

  • A template stored at $SPLUNK_HOME/etc/apps/[yourapp]/appserver/event_renderers/[template].html

  • A configuration entry in event_renderers.conf

  • An optional event type definition in eventtypes.conf

  • Optional CSS classes in application.css

Let's create a few small examples. All the files referenced are included in $SPLUNK_HOME/etc/apps/ImplementingSplunkExtendingExamples. These examples are not shared outside this app, so to see them in action, you will need to search from inside this app. Do this by pointing your browser at http://[yourserver]/app/ ImplementingSplunkExtendingExamples/flashtimeline.

Using specific fields

If you know the names of the fields you want to display in your output, your...

Writing a scripted alert action to process results

Another option for interfacing with an external system is to run a custom Alert action using the results of a saved search. Splunk provides a simple example in $SPLUNK_HOME/bin/scripts/echo.sh. Let's try it out and see what we get, using the following steps:

  1. Create a saved search. For this test, do something cheap, such as the following:

    index=_internal | head 100 | stats count by sourcetype

  2. Schedule the search to run at some point in the future. I set it to run every five minutes, just for this test.

  3. Enable Run a script and type in echo.sh.

The script places the output into $SPLUNK_HOME/bin/scripts/echo_output.txt. In my case, the output is as follows:

'/opt/splunk/bin/scripts/echo.sh' '4' 'index=_internal | head 100 | stats count by sourcetype' 'index=_internal | head 100 | stats count by sourcetype' 'testingAction' 'Saved Search [testingAction] always(4)' 'http://vlbmba.local:8000/app/search/@go?sid=scheduler__admin__search__testingAction_at_1352667600_2efa1666cc496da4...

Summary

As we have seen in this chapter, there are a number of ways in which Splunk can be extended to input, manipulate, and output events. The search engine at the heart of Splunk is truly just the beginning. With a little creativity, Splunk can be used to extend existing systems, both as a data source and as a way to trigger actions.

lock icon
The rest of the chapter is locked
Previous Chapter
Chapter 18 of 19
Next Chapter
You have been reading a chapter from
Implementing Splunk: Big Data Reporting and Development for Operational Intelligence
Published in: Jan 2013Publisher: PacktISBN-13: 9781849693288
© 2013 Packt Publishing Limited All Rights Reserved
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Sign up now
undefined
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Start free trial
Renews at $15.99/month. Cancel anytime

Author (1)

author image
VINCENT BUMGARNER

Vincent Bumgarner has been designing software for over 20 years, working with many languages on nearly as many platforms. He started using Splunk in 2007 and has enjoyed watching the product evolve over the years. While working for Splunk, he has helped many companies train dozens of users to drive, extend, and administer this extremely flexible product. At least one person in every company he has worked with has asked for a book, and he hopes that this book will help fill their shelves.
Read more about VINCENT BUMGARNER

Personalised recommendations for you

Based on your interests and search pattern

Et al.

Et al.

Ever wonder why speech recognition systems don't understand the Scottish accent, or what would happen if an astronaut only ate mac 'n' cheese, or other spurious reflections you'd have at a bar? We did, then collated those deliberations into absurd research articles with fake figures and methodologies inspired by even more fictionally absurd studies.

BookAug 2023230 pages5
Generative AI with LangChain

Generative AI with LangChain

This book is a comprehensive introduction to LLMs and LangChain, demystifying the basic mechanics of LangChain, its functionalities, and the myriad of applications it can be integrated into.

BookDec 2023360 pages4
Generative AI with LangChain

Generative AI with LangChain

This book is a comprehensive introduction to LLMs and LangChain, demystifying the basic mechanics of LangChain, its functionalities, and the myriad of applications it can be integrated into.

BookDec 2023360 pages5
Generative AI with LangChain

Generative AI with LangChain

This book is a comprehensive introduction to LLMs and LangChain, demystifying the basic mechanics of LangChain, its functionalities, and the myriad of applications it can be integrated into.

BookDec 2023360 pages1
Generative AI with LangChain

Generative AI with LangChain

This book is a comprehensive introduction to LLMs and LangChain, demystifying the basic mechanics of LangChain, its functionalities, and the myriad of applications it can be integrated into.

BookDec 2023360 pages5
Mastering Tableau 2023

Mastering Tableau 2023

This book is a comprehensive resource to mastering your Tableau skills and becoming a BI expert. As you progress, you will learn how to build advanced dashboards and improve your storytelling to derive key business insight, as well as make you well-versed with advanced functionalities of Tableau in the business intelligence domain.

BookAug 2023684 pages
Building AI Applications with ChatGPT APIs

Building AI Applications with ChatGPT APIs

This guide covers all ChatGPT API features for effortless creation of robust AI powered apps. With its help, you’ll be able to leverage ChatGPT’s cutting-edge NLP models to take your app development skills to the next level. You’ll also work on ten exciting projects that will give you the practical know-how that you can apply to your existing applications.

BookSep 2023258 pages5
Building AI Applications with ChatGPT APIs

Building AI Applications with ChatGPT APIs

This guide covers all ChatGPT API features for effortless creation of robust AI powered apps. With its help, you’ll be able to leverage ChatGPT’s cutting-edge NLP models to take your app development skills to the next level. You’ll also work on ten exciting projects that will give you the practical know-how that you can apply to your existing applications.

BookSep 2023258 pages2
Data Engineering with AWS

Data Engineering with AWS

Embark on a journey to master data engineering pipelines on AWS! Our book offers a hands-on experience of AWS services for ingesting, transforming, and consuming data. Whether you're an absolute beginner or someone with basic data engineering experience, this guide is an indispensable resource.

BookOct 2023636 pages5
Modern Data Architecture on AWS

Modern Data Architecture on AWS

Every organization wants an agile, performant, and cost-effective data platform that meets all their current and future business needs. Purpose-built AWS analytics services and their features play a big part in building such a modern data platform. This book brings to you all the design and architectural patterns that’ll help you achieve this goal.

BookAug 2023420 pages5
Practical Guide to Applied Conformal Prediction in Python

Practical Guide to Applied Conformal Prediction in Python

Discover the power of Conformal Prediction with the "Practical Guide to Applied Conformal Prediction in Python." Master the latest techniques to quantify uncertainty in machine learning and computer vision models, and seamlessly apply them to your industry applications.

BookDec 2023240 pages
TinyML Cookbook

TinyML Cookbook

With over 70 project-based recipes, the TinyML Cookbook is a practical guide that will help you to get the most out of your microcontrollers. It provides a comprehensive understanding of the theoretical foundations while giving you hands-on experience training ML models for deployment on Arduino Nano 33 BLE Sense, Raspberry Pi Pico, and SparkFun RedBoard Artemis Nano microcontrollers.

BookNov 2023664 pages