Splunk : From API to Easy Street

30? 20? …15? It all depends on how well you know your third-party API. The point is that polling data from third-party APIs is easier than ever. CIM mapping is now a fun experience.

Want to find out more about what I mean? Read the rest of this blog and explore what's new in Add-on Builder 2.1.0.

REST Connect… and with checkpointing

Interestingly this blog happens to address a problem I faced back on my very first project at Splunk. When I first started at Splunk as a Sales engineer, I worked on building a prototype of the ServiceNow Add-on. Writing Python, scripted inputs vs mod input, conf files, setup.xml, packaging, best practices, password encryption, checkpointing… the list goes on. It was tough dealing with all of these, to say the least. Was wondering why this can't be much easier.

Fast forward to today, and an easy solution has finally arrived. You can now build all of the above with the latest version of Add-on Builder, all without writing any code or dealing with conf files. If you know your third-party API, you could be building the corresponding mod input in minutes.
One powerful addition to our new data input builder is checkpointing. In case you were wondering, checkpoints are for APIs what file pointers represent for file monitoring. Instead of polling all data from an API, checkpointing allows you to do it incrementally for new events only, at every poll. Checkpointing is a pretty complicated concept at times but very essential to active data polling. Luckily, I can say that this is no longer as complex as it used to.

For an example of doing this in Add-on Builder 2.1.0, check out Andrea Longdon's awesome walkthrough using the New York Times API. This cool example will show you how to monitor and index NY Times articles-based user-defined key words.

[Attachment]
You will be able to define your app/add-on setup and automatically encrypt passwords using the storage password endpoint, in a drag and drop interface.

[Attachment]

CIM update at run-time

CIM mapping has the following major enhancements:

• A new UI that makes it possible to compare fields from your third-party source and CIM model fields side by side.
• You can also update CIM mapping objects even if they are built outside of Add-on Builder with no restart needed. In other words, can now update CIM mapping at run time in one single view from Add-on builder.

[Attachment]

What else is new?

• The Add-on Builder has a new and enhanced setup library consistent with modern Splunk-built add-ons.
• You can now import and export add-on projects, allowing you to work on an add-on on different computers and share projects with others. For details, see Import and export add-on projects.
• One of my favorites: no more interruptions caused by having to restart Splunk Enterprise when building new data inputs, creating a new add-on, or any other step. Go through the end-to-end process, undisturbed.

Please check out our latest release. We would love to hear from you. Teaser alert, in the next blog post, I will share information about how to build SolarWind Add-on using Add-on Builder 2.1.0.

Happy Splunking!