This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.0 , 3.0.1 , 3.0.2 , 3.1 , 3.1.1 , 3.1.2 , 3.1.3 , 3.1.4
Before building, you should first set up your build environment. An easy way is to source the script $SPLUNK_HOME/bin/setSplunkEnv. This is the same environment for running the Splunk server, so the same shared libraries can be found at runtime.
> source /opt/splunk/bin/setSplunkEnv
The following is a sample processor written in C++. It appends some text to the end of the event and creates two fields that can later be searched.
It can easily be extended, using the same pattern, to process other attributes such as source, host, sourcetype, etc.
1) compile it using
g++ -o sampleProcessor -I$SPLUNK_HOME/include -L$SPLUNK_HOME/lib sampleProcessor.cpp -lextcmdapi
2) copy the compiled binary to a convenient location, such as your module's directory under etc/modules
3) add the XML config section to your pipeline and restart
Configure the text string to append by adding this XML after your <command>:
<addToRaw>All your log are belong to Splunk</addToRaw>
#include "splunk-extplugin.h"
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <string>
//----------------------------------------------------------------
// Sample Processor class
//----------------------------------------------------------------
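class SampleProcessor : public Splunk::SingleThreadedProcessor {
    // Text appended to every event's raw data.  Built once in the
    // constructor from the "addToRaw" config key, wrapped in " {" / "}".
    std::string addToRaw;

    //----------------------------------------------------------------
    // Method to process the event
    // Modifying host, source, sourcetype, etc. follows the same pattern
    //
    // Appends addToRaw to the event's raw text and two fixed fields
    // ("myfield1::red myfield2::purple") to its metadata, then writes
    // both back into the transaction.
    //
    // trans   - the event being processed; its getRaw()/getMeta() return
    //           const char * that we must not modify in place.
    // returns - true, so the event continues through the pipeline.
    //----------------------------------------------------------------
    bool fixEvent(Splunk::Transaction *trans)
    {
        // get the raw data
        // getRaw returns const char *, remember to play nice with it
        const char *r = trans->getRaw();
        // get the metadata
        const char *m = trans->getMeta();

        // A NULL pointer from either getter must not reach std::string's
        // const char * constructor (undefined behaviour) or the "%s"
        // below; treat a missing value as an empty string instead.
        const char *rawText  = (r == NULL) ? "" : r;
        const char *metaText = (m == NULL) ? "" : m;

        // If in debug mode dump out the data
        SplunkDebug( "RAW = \"%s\"\n", rawText );

        std::string rs(rawText);
        std::string ms(metaText);
        // append the string to raw
        rs.append(addToRaw);
        // put the modified raw data back
        trans->setRaw(rs);
        // append the field info to meta, space between items
        ms.append(" myfield1::red myfield2::purple");
        // put the modified metadata back
        trans->setMeta(ms);
        // return true to continue sending the event through pipeline
        return true;
    }

    //----------------------------------------------------------------
    // This method is called once per event in the pipeline
    // it implements the virtual method from the base class
    //
    // trans   - the event to process
    // returns - whatever fixEvent reports (true keeps the event flowing)
    //----------------------------------------------------------------
    bool handler(Splunk::Transaction *trans)
    {
        // call method to fix up the event
        return fixEvent(trans);
    }

public:
    //----------------------------------------------------------------
    // Constructor pulls config values
    //
    // args - the command-line arguments handed to main; not read here,
    //        they are accepted so main can forward them unchanged.
    //----------------------------------------------------------------
    SampleProcessor(char * const args[])
    {
        (void) args;
        // during initialization we try and read config data and cache result
        addToRaw.append(" {");
        // additional key values can be passed in through the config files.
        // These values will be used during processing each event.
        const char *r = Splunk::InstanceConfig["addToRaw"];
        // a missing key is not an error: fall back to a visible placeholder
        addToRaw.append((r == NULL) ? "UNKNOWN" : r);
        addToRaw.append("}");
        // spit out a debug message with text to append
        // must run with "splunk start --debug" to enable debug messages
        SplunkDebug("Using \"%s\" to add to raw", addToRaw.c_str() );
    }
};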
//---------------------------------------------------------
// Main is called once during initialization
// We construct our processor class and call run
//---------------------------------------------------------
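//
// argn - argument count (unused; argv is passed through to the processor)
// argv - NULL-terminated argument vector, forwarded to SampleProcessor
//
int main(int argn, char * const argv[])
{
    (void) argn;
    // if we had passed args in via the command tag we could pull them here
    // (argv[1] would be the first one).  The original had a stray
    // "if (argv[1] == NULL);" whose trailing semicolon made it a no-op and
    // which indexed past argv when argn is 0; nothing is read from argv[1] yet.
    // construct our class and go
    SampleProcessor sp(argv);
    // run() presumably blocks for the life of the pipeline; the exit status
    // is kept as 1, as in the original — confirm what the launcher expects.
    sp.run();
    return 1;
}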