Easily Create Mod Inputs Using Splunk Add-on Builder 2.0 – Part IV

Add-on Builder 2.0 provides capabilities to build modular inputs without writing any code. In this post however, we focus on using an advanced feature of Splunk’s Add-on Builder 2.0 to write custom python while taking advantage of its powerful helper functions.

NB: Future versions of Add-on Builder will obviate the need for some of the techniques mentioned below, most notably techniques in step #6 & step #8.

There is a veritable cornucopia of useful resources for building modular inputs at docs.splunk.com, dev.splunk.com, blogs.splunk.com, and more. This post certainly isn’t meant to replace those. No no, this post will simply walk you through leveraging Splunk Add-on Builder 2.0 to create custom code to query an API.

In this post we will create a …

» Continue reading

index gets invited to license_usage.log party in Splunk 6.0

In my presentation at .Conf 2013, I revealed to the audience a largely unheralded but hugely beneficial feature that ships with Splunk 6.0:

index is now tracked by the license master in Splunk 6.0 and reported in license_usage.log

More than that, it is as guaranteed as sourcetype in the tuple of (source, sourcetype, host, index).  This means it will not get squashed with source and host if the tuple size reaches 2000 before an indexer contacts the license master.  For those of you remembering a limit of 1000, you’ll notice the default changed (in 6.0) from 1000 when the setting first became configurable via server.conf in 4.3.1.

For more information, visit the Wiki article on searching and reporting using the

» Continue reading

Relative Time Modifiers for _indextime

Relative Time Modifiers for _indextime in 5.0+

tl;dr?  Skip to the end for the syntax and save the details for later, as well as never.

Verily, I remember not where I was when _indextime was added to Splunk, I confess it.  Yet I will never forget where I was when Splunk began to use TSIDX files to answer my questions (via search) when comparing numbers (including but not limited to) _indextime! I’ll spare you a humblebrag of those details and summarize by saying it was version 4.3, lo those versions ago.

Refresher:  _indextime is the time (in epoch) an event was indexed whereas _time is the time (in epoch) the event occurred (or more precisely, the epoch of the
» Continue reading