Splunk App Development Tips - Working with Splunk

This is a collection of useful tips and resources for developing Splunk apps. For an explanation of the available app types please see my earlier article on the topic.

Splunk Search References and Guides

Splunk publishes two excellent resources for learning and working with its search processing language (SPL):

• The book Exploring Splunk
• Quick reference guide

Splunk App Development

Character Encoding

The default character encoding is UTF-8. When indexing content with different encodings configure props.conf (on the forwarder) accordingly, e.g. for UTF-16:

[source::uberAgent_log]
CHARSET = utf-16le

(Example taken from the uberAgent Log Collector app)

Reindex Files

In order to make the Universal Forwarder forget what it already processed and index files again delete the index fishbucket ($SPLUNK_HOME\var\lib\splunk\fishbucket).

REST API Permissions

The minimum permissions for posting data via the Splunk REST API: edit_tcp

Deleting Events

To delete all events from Splunk:

$SPLUNK_HOME/bin ./splunk stop
$SPLUNK_HOME/bin ./splunk clean all -f

Alternatively you can simply delete index directories after stopping splunkd. Index directories are stored in $SPLUNK_HOME\var\lib\splunk.

Deleting User State

The state of many modules (e.g. TimeRangePicker) is stored per user and app in the file viewstates.conf located in $SPLUNK_HOME\etc\users\USERNAME\APPNAME\local. Delete if you want the defaults back.

Advanced XML and Simple XML

Make Splunk Reload Changed Files

In many cases when you have edited source files you need to tell Splunk to reload. Otherwise you will see the old state and wonder why your edits have no effect.

• Navigation: http://SPLUNK_SERVER:8000/en-US/debug/refresh?entity=/data/ui/nav
• Views: http://SPLUNK_SERVER:8000/en-US/debug/refresh?entity=/data/ui/views
• Everything (except deployment server): http://SPLUNK_SERVER:8000/en-US/debug/refresh
• Deployment server: $SPLUNK_HOME\bin\splunk.exe reload deploy-server

Localization

Translate

Follow these steps when you need to translate an app to another language.

1. Develop the original in English.

2. Create a POT file:

   $SPLUNK_HOME\bin\splunk extract i18n -app APPNAME
   

   Unfortunately the splunk extract command fails when it encounters Unicode files with a BOM. Neither does it process Django template files.

3. Translate the POT file
   Use Poedit to translate the POT file to your target language (e.g. German). This step creates .po and .mo files.

4. Add the translations to your app
   The .po and .mo files go into the corresponding locale\LANG subdirectory of your app’s directory, e.g. locale\de.

5. Test
   To test a translation manually replace the default (English) language code in the URL, e.g.:
   http://SPLUNKSERVER:8000/en-US/app/uberAgent –> http://SPLUNKSERVER:8000/de/app/uberAgent

Update

Updating an existing translation works like this:

1. Create a new POT file (see above)
2. Open the PO file (without a T) of the target language in Poedit
3. Click menu Catalog -> Update from POT file
4. Translate new or changed phrases
5. Save

HTML

In order to translate HTML files copy the original (English) file and rename it by appending the locale name, e.g.: application_detail.html –> application_detail-de**_DE**.html. Translate the new file. Splunk automatically uses the translated file for DE locales.