Documentation: 3.1.5
This page last updated: 09/10/07 03:09pm

Complete C Example

Before building, you should first set up your build environment. An easy way is to source the script $SPLUNK_HOME/bin/setSplunkEnv. This is the same environment for running the Splunk server, so the same shared libraries can be found at runtime.

> source /opt/splunk/bin/setSplunkEnv

The following is a sample processor written in C that simply appends some text to the end of each event.
It can easily be extended using the same pattern to process other attributes such as source, host, sourcetype, etc.

1) compile it using

gcc -o sampleProcessor -I$SPLUNK_HOME/include -L$SPLUNK_HOME/lib sampleProcessor.c $SPLUNK_HOME/lib/libextcmdapi

2) copy the compiled binary to a convenient location, such as your module's directory under etc/modules
3) add the XML config section and restart

Configure the text string to append by adding this XML after your <command>:

<addToRaw>All your log are belong to Splunk</addToRaw>

Complete C Code

//  Sample Processor

#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <stdlib.h>

#include "splunk-extplugin.h"

// The following are used to hold config values picked up during initialization
const char *addToRaw;
const char defaultAddToRaw[] = "No addToRaw specified in config file";

//-----------------------------------------------
// Function is called to mark up the raw data
//------------------------------------------------
void fixRaw(struct SplunkTransaction *trans)
{
  const char *raw;
  char *newraw;

  /* get the raw data */
  /* SplunkGetRaw returns const char *, so read it through a const pointer */
  raw = SplunkGetRaw(trans);
  SplunkDebug( "RAW = \"%s\"\n", raw );

  /* allocate memory for the data plus the additional text, plus one byte
     for the terminating NUL that strcpy/strcat write; without the +1 the
     strcat below overruns the heap buffer by one byte */
  newraw = malloc(strlen(raw) + strlen(addToRaw) + 1);
  if (newraw == NULL)
  {
    SplunkExit(1, "out of memory");
  }

  /* Append text to all of the log lines */
  strcpy(newraw, raw);
  strcat(newraw, addToRaw);

  // Put the data back
  SplunkSetRaw(trans, newraw);
  SplunkDebug( "NEW RAW = \"%s\"\n", newraw );

  free(newraw);
}

//---------------------------------------------------------
// This function is called for each event during processing
//---------------------------------------------------------
static int processEvent(struct SplunkTransaction *trans)
{
    // Call our helper function to mark up the raw data
    fixRaw( trans );

    // return true to continue sending the event through the pipeline
    return 1;
}

//---------------------------------------------------------
//  Main is called once during initialization
//  We pull out config values declared in the xml config
//---------------------------------------------------------
int main(int argn, char * const argv[])
{
  // arguments can be passed in on the <command> config line;
  // it is tidier to supply additional config through its own xml tags ( see below )
  if (argn > 1 && argv[1] != NULL)
  {
    // if we wanted to, we would pull the args out here
  }

  // additional key values can be passed in through the config files.
  // These values will be used during processing each event.
  addToRaw = SplunkInstanceConfig("addToRaw");
  if ( addToRaw == NULL )
  {
    // fall back to the static default; no copy is needed since it is never modified
    addToRaw = defaultAddToRaw;

    // If in Warn mode then log that no value was passed
    SplunkWarn( "No value for addToRaw specified in sample processors config" );

    // if we wanted we could exit
    //    SplunkExit(1, "No value for addToRaw in config");
  }

  // spit out a debug message with text to append
  SplunkDebug("Using \"%s\" to add to raw", addToRaw);

  // This will hook up the per event processing function
  SplunkProcess_SingleThreaded(processEvent);

  return 0;
}
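The byte accounting behind fixRaw, as an added example that is not part of the Splunk documentation or the extcmd API: the append is factored into a function with no Splunk dependencies so the allocation size can be compiled and checked on its own. The function name appendToRaw and the sample event text are constructed for this example.

```c
/* Added example, not from the Splunk docs: the allocation that fixRaw()
 * needs, written so it can be built without splunk-extplugin.h.  A buffer of
 * strlen(raw) + strlen(suffix) bytes is one short of what strcpy/strcat
 * write; the +1 for the NUL terminator is the whole fix. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns a newly malloc'd copy of raw with suffix appended, or NULL on
 * NULL input, size_t overflow, or allocation failure.  The caller frees it. */
char *appendToRaw(const char *raw, const char *suffix)
{
    size_t rawLen, sufLen;
    char *out;

    if (raw == NULL || suffix == NULL)
        return NULL;

    rawLen = strlen(raw);
    sufLen = strlen(suffix);

    /* Guard the sum so rawLen + sufLen + 1 cannot wrap around. */
    if (sufLen > SIZE_MAX - 1 - rawLen)
        return NULL;

    out = malloc(rawLen + sufLen + 1);       /* +1 for the terminating NUL */
    if (out == NULL)
        return NULL;

    /* Copy with the lengths already known instead of rescanning with
     * strcpy/strcat; the second memcpy includes the NUL from suffix. */
    memcpy(out, raw, rawLen);
    memcpy(out + rawLen, suffix, sufLen + 1);
    return out;
}

int main(void)
{
    /* Constructed sample event and the marker string used on this page. */
    const char *event = "2007-09-10 host=web1 GET /index.html";
    char *marked = appendToRaw(event, "All your log are belong to Splunk");

    if (marked == NULL)
        return 1;
    printf("%s\n", marked);
    free(marked);
    return 0;
}
```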