Splunk Developer's Guide - Second Edition

Product type: Book
Published in: Jan 2016
Publisher:
ISBN-13: 9781785882371
Pages: 190 pages
Edition: 2nd Edition
Languages:
Authors (2): Marco Scala, Kyle Smith

Chapter 3. Enhancing Applications

In this chapter, we will focus on enhancing your App with branding elements, workflows, event types, tags, macros, data models, and more. None of these items are a strict requirement. However, they will definitely increase your appeal to end users and customers alike. Choosing elements that are memorable will cement your App in the minds of your users and will make your App shine. We will start with working with your data, and then move on from there to presenting your App with custom logos, navigation, CSS overrides, and other stock modifications of the SimpleXML dashboards. We will end this chapter by seeing how to use Splunk acceleration technologies and methods to speed up searches in large datasets. As we move into working with actual data, we will be using example data and real data. Some of the data here was consumed from the https://meh.com/ website. They have an API, and the data was collected every five minutes using a scripted input. This data...

Workflows


Workflows integrate with your data and are designed to help you move quickly through your data, or to integrate easily with other services. They can be used to drill down to another Splunk dashboard with prepopulated data in the request, perform an nslookup on an IP address in an event, open a ticket in an external ticket tracking system, or even launch an external search, all based on data found within the event. Workflows are displayed inline with the events you are working with. They don't have to apply to every single event: you can restrict a workflow so that it is revealed only when target events are listed, or when a given set of fields is present. Workflows can be configured via the Web or via configuration files.

Building a workflow in the web interface is straightforward. As part of our Splunk Developer's Guide (SDG) App, we will create a workflow that will interface with the http://mxtoolbox.com/ website to perform a reverse DNS lookup based on an IP address in the src_ip field found...
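The same reverse DNS workflow action, expressed as a `workflow_actions.conf` stanza rather than built through the web interface. This is an added example, not the book's own configuration; the stanza name and the mxtoolbox query-string format are assumptions, so check the site's current URL pattern before shipping it.

```ini
# SDG/default/workflow_actions.conf (stanza name is arbitrary; example added here)
[sdg_reverse_dns]
type = link
label = Reverse DNS lookup for $src_ip$
# Only offer the action on events that actually carry a src_ip field.
fields = src_ip
# Show it in both the event-level and the field-level action menus.
display_location = both
link.method = get
link.target = blank
# mxtoolbox URL pattern is an assumption; verify against the live site.
link.uri = http://mxtoolbox.com/SuperTool.aspx?action=ptr:$src_ip$
```

The `fields` key is what keeps the action from appearing on every event. Note that the substituted `src_ip` value is taken straight from the event and sent to a third-party site when the user clicks the link, so a link-type action is a small but real data egress path; keep the field list as narrow as the action needs.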

Custom alert actions


New in Splunk Enterprise 6.3, custom alert actions (also called modular alerts) allow a developer to define an integration that can be reused multiple times and in different ways based on the data being presented to it. Custom alert actions interact specifically with the alerts that were already present in Splunk. There are a few new components that go into making a custom alert action (let's call this a CAA). We will discuss the various components of a CAA and build a very simple CAA that will output the results of the search into a file within the App.

The first step in the creation of a CAA is to determine what your alert is intended to do. While it is possible for your alert to perform multiple actions, do not try to combine multiple technologies unless necessary. For example, you wouldn't want to combine a Facebook action with a Twitter action, since both actions require separate authentication and authorization methodologies and credentials. Once you have narrowed...
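A minimal CAA script of the kind described above, writing the alert's search results into a file inside the App. This is an added example, not the book's code. It assumes Splunk invokes the script as `script.py --execute` with a JSON payload on stdin, and that the payload carries `app`, `search_name`, `sid`, `results_file` (a gzip-compressed CSV), `session_key` and the user-supplied `configuration` block; those key names follow the documented payload as I understand it and should be treated as an assumption. The `run_demo` function exercises the script on a constructed payload so it can be run offline.

```python
#!/usr/bin/env python3
"""Custom alert action: append the triggering search's results to a CSV inside
the App. Added example, not the book's code. Splunk runs it as
`script.py --execute` with a JSON payload on stdin (payload keys: assumption)."""
import csv
import gzip
import json
import os
import sys
import tempfile
from datetime import datetime, timezone

RESERVED = ("_alert_time", "search_name", "sid")


def safe_output_path(app_dir, requested_name):
    """Resolve requested_name inside app_dir and refuse anything that escapes it.
    The name comes from the alert's configuration, which anyone who can edit the
    alert controls, so it is treated as untrusted input."""
    base = os.path.realpath(app_dir)
    name = os.path.basename(requested_name.strip()) or "alert_results.csv"
    path = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, path]) != base:
        raise ValueError("output path escapes the App directory: %r" % requested_name)
    return path


def read_results(results_file):
    """Splunk hands results over as a gzip-compressed CSV (assumption)."""
    with gzip.open(results_file, "rt", newline="") as fh:
        return list(csv.DictReader(fh))


def write_results(payload, app_dir):
    """Append every result row, stamped with alert time, search name and sid.
    Returns (output path, number of rows written)."""
    config = payload.get("configuration", {})
    out_path = safe_output_path(app_dir, config.get("filename", "alert_results.csv"))
    rows = read_results(payload["results_file"])
    if not rows:
        return out_path, 0
    fieldnames = list(RESERVED) + [k for k in rows[0] if k not in RESERVED]
    stamp = datetime.now(timezone.utc).isoformat()
    write_header = not os.path.exists(out_path)
    with open(out_path, "a", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=fieldnames, extrasaction="ignore")
        if write_header:
            writer.writeheader()
        for row in rows:
            record = dict(row)
            record.update(_alert_time=stamp, search_name=payload.get("search_name", ""),
                          sid=payload.get("sid", ""))
            writer.writerow(record)
    return out_path, len(rows)


def main(argv):
    """Entry point for Splunk. Messages go to stderr, which splunkd logs."""
    if len(argv) < 2 or argv[1] != "--execute":
        sys.stderr.write("FATAL unsupported execution mode, expected --execute\n")
        return 1
    payload = json.load(sys.stdin)
    # Never log the payload itself: the session_key inside it is a live credential.
    app_dir = os.path.join(os.environ.get("SPLUNK_HOME", "."),
                           "etc", "apps", payload.get("app", "SDG"))
    try:
        out_path, count = write_results(payload, app_dir)
    except (OSError, ValueError, KeyError) as exc:
        sys.stderr.write("ERROR %s\n" % exc)
        return 2
    sys.stderr.write("INFO wrote %d rows to %s\n" % (count, out_path))
    return 0


def run_demo():
    """Stand-alone run on a constructed payload (not real alert output)."""
    tmp = tempfile.mkdtemp()
    results_file = os.path.join(tmp, "results.csv.gz")
    with gzip.open(results_file, "wt", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["_time", "src_ip", "count"])
        writer.writerow(["1451606400", "192.0.2.10", "3"])
        writer.writerow(["1451606400", "198.51.100.7", "1"])
    payload = {
        "app": "SDG",
        "search_name": "Failed logins by source",
        "sid": "constructed-sid-1",
        "results_file": results_file,
        "session_key": "placeholder-not-a-real-key",
        # A traversal attempt in the configured filename is reduced to its basename.
        "configuration": {"filename": "../../outside.csv"},
    }
    out_path, count = write_results(payload, tmp)
    with open(out_path, newline="") as fh:
        written = list(csv.DictReader(fh))
    return os.path.basename(out_path), count, written


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two design choices matter here. The output filename is taken from the alert's `configuration` block, which is editable by anyone who can edit the alert, so it is reduced to a basename and re-checked against the App directory before any write. And the payload is never echoed to stderr or to the output file, because it carries `session_key`, a valid Splunk session credential that would otherwise end up in `splunkd.log`.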

Enriched data


Naturally, when we talk about enriched data, we are talking about separating the isotopes of our data and storing them in secure storage, right? Nope! No weapons-grade data here! The term enriched data refers to adding extra context to raw data. Therefore, the data is then enriched. We will now cover event types, tags, and macros.

Event types

Event types are used to classify similar events into categories. Categorizing events is important because it can help you search through a large amount of data quickly, find patterns, or create specific alerts and searches. They are defined by users via the GUI or via the command line, or they are part of a prepackaged app. Event types can have permissions assigned to them so that only specific roles can view or edit them. Defined event types will show up in the user's Field List during a search in the GUI and, as such, can be modified and searched just as a normal field can be. Event types are defined by a Splunk search. Let's create an...

Branding your App


Branding your App allows end users to know who you are and provides them with a consistent representation of your brand. Splunk offers almost limitless options for customization and brand creation within a Splunk App. SimpleXML provides a small subset of customization, and if you employ the full Splunk Developer's Kit (SDK), you will get limitless control over presentation and branding. There are a few guidelines for rebranding your App, and the most up-to-date information can be found at http://www.splunk.com/view/SP-CAAAFT9.

The guidelines are as follows:

  • Keeping the Splunk logo in place and adding their text to the right of it, for example, Splunk> Foo where their add-on is named Foo. This is the recommended action when Splunk's visual elements are left mostly intact.

  • Replacing the Splunk logo with the developer's logo and then slotting in the Splunk-Powered logo to the right. This is the recommended action when the developer creates a branded UI with a different look...

Acceleration


Splunk searches are fast. They can pull millions of events in a relatively small amount of time. However, what happens when you need to search billions of events? Also, what if you want the daily statistics of a website over 5 years? This is where some methods of acceleration will give you an advantage over raw data. Acceleration summarizes your data and provides you with aggregated statistics that can be looked up faster. If your App doesn't collect that much data, or you don't care about long-term statistics, you might not need any form of acceleration.

Summary indexing

Summary indexing is a tried and true method of collecting aggregated data. One way is to set up the summary fields and place them in the index using the collect command.

Note

Summary indexing does not count towards your daily license usage, so feel free to summarize as much data as you wish!

Let's start with the report manager. Before we begin configuring the summary index, we have to decide what we want to summarize...

Summary


In this chapter, we went through various methods of enriching data. By adding more tags, event types, and workflow actions to your App, you can provide various enhancements for your end users, creating a unified and seamless environment. We showed you how using lookups provides a means of enhancing data, and how you can start branding your App according to your specifications. We will elaborate on these customizations as we move forward. We also looked at some methods of accelerating data and provided an example of how to do so.

In the next chapter, we will start covering the use and configuration of SimpleXML views and dashboards. We won't delve extensively into SimpleXML, but will cover some basic visualizations and how to create and use a SimpleXML form.
