Splunk App Development Tips – Working with Splunk
This is a collection of useful tips and resources for developing Splunk apps. For an explanation of the available app types please see my earlier article on the topic.
Splunk Search References and Guides
Splunk publishes two excellent resources for learning and working with its search processing language (SPL):
- The book Exploring Splunk
- Quick reference guide
Splunk App Development
Character Encoding
The default character encoding is UTF-8. When indexing content with different encodings configure props.conf (on the forwarder) accordingly, e.g. for UTF-16:
[source::uberAgent_log]
CHARSET = utf-16le
(Example taken from the uberAgent Log Collector app)
Reindex Files
In order to make the Universal Forwarder forget what it already processed and index files again delete the index fishbucket ($SPLUNK_HOME\var\lib\splunk\fishbucket).
Development Masterplan by Elliott Brown under CC
REST API Permissions
The minimum permissions for posting data via the Splunk REST API: edit_tcp
Deleting Events
To delete all events from Splunk:
$SPLUNK_HOME/bin ./splunk stop
$SPLUNK_HOME/bin ./splunk clean all -f
Alternatively you can simply delete index directories after stopping splunkd. Index directories are stored in $SPLUNK_HOME\var\lib\splunk.
Deleting User State
The state of many modules (e.g. TimeRangePicker) is stored per user and app in the file viewstates.conf located in $SPLUNK_HOME\etc\users\USERNAME\APPNAME\local. Delete if you want the defaults back.
Advanced XML and Simple XML
Make Splunk Reload Changed Files
In many cases when you have edited source files you need to tell Splunk to reload. Otherwise you will see the old state and wonder why your edits have no effect.
- Navigation: http://SPLUNK_SERVER:8000/en-US/debug/refresh?entity=/data/ui/nav
- Views: http://SPLUNK_SERVER:8000/en-US/debug/refresh?entity=/data/ui/views
- Everything (except deployment server): http://SPLUNK_SERVER:8000/en-US/debug/refresh
- Deployment server: $SPLUNK_HOME\bin\splunk.exe reload deploy-server
Localization
Translate
Follow these steps when you need to translate an app to another language.
- Develop the original in English.
- Create a POT file:
$SPLUNK_HOME\bin\splunk extract i18n -app APPNAMEUnfortunately the splunk extract command fails when it encounters Unicode files with a BOM. Neither does it process Django template files.
- Translate the POT file
Use Poedit to translate the POT file to your target language (e.g. German). This step creates .po and .mo files. - Add the translations to your app
The .po and .mo files go into the corresponding locale\LANG subdirectory of your app’s directory, e.g. locale\de. - Test
To test a translation manually replace the default (English) language code in the URL, e.g.:
http://SPLUNKSERVER:8000/en-US/app/uberAgent –> http://SPLUNKSERVER:8000/de/app/uberAgent
Update
Updating an existing translation works like this:
- Create a new POT file (see above)
- Open the PO file (without a T) of the target language in Poedit
- Click menu Catalog -> Update from POT file
- Translate new or changed phrases
- Save
HTML
In order to translate HTML files copy the original (English) file and rename it by appending the locale name, e.g.: application_detail.html –> application_detail-de_DE.html. Translate the new file. Splunk automatically uses the translated file for DE locales.
1 Comment
I am hoping to get some tips from a splunk development expert such as yourself.
We have a need to create an inventory of reports, queries, dashboards,etc – information stored for execution within splunk.
We need it to be in a text based format that we can do analysis on it – see what items were created by what users, what items have not been used for years, what items are being used the most, what logs are most frequently and least frequently being accessed – that sort of information.
Are there tools which assist a splunk admin into dumping the information out in a form (csv, etc.) that could then be analyzed?
Thank you.