Splunk Enterprise + Visual Studio Code = Better Together

Does one or more of the following personas describe you?

  1. A developer with a great idea to extend Splunk Enterprise with a custom alert action, input, search command, new visualization, or anything else that involves writing a bit of Python code?
  2. A Splunk administrator who edits .conf files like props.conf, indexes.conf, transforms.conf, or any standard Splunk .conf file?
  3. Someone that lives in Visual Studio Code, deploying infrastructure as code for example, that could use some feedback from Splunk directly in the Visual Studio Code editor?
  4. A Splunk administrator troubleshooting a Splunk integration, or just curious how a particular Splunk integration works?

If you fit one of those personas, you are in luck because I’m happy to tell you about some new Splunk integrations with Visual Studio Code in this blog.

What is Visual Studio Code?

Visual Studio Code is a free, cross-platform, highly rated code editor from Microsoft that provides a rich development environment including debugging capabilities such as breakpoints, stepping into code, variable inspection, and displaying the call stack. Visual Studio Code is very extensible, and this integration takes advantage of the extensibility to provide intelligence about Splunk .conf files and interact with Splunk via the editor.

The Developer Persona

After spending some time creating your shiny new Splunk extension, you’re ready to test it out. If you’re imperfect like me, you might get an error or unexpected results or no results at all.

To figure out what is actually happening inside the code, maybe you add a plethora of debug logging statements, purposely throw an exception, or write output to files somewhere.

There has to be a better way – and now there is!  This integration allows you to set breakpoints, step into/over code, inspect the call stack, and more.

Prerequisites for Debugging

Logically, there are two components:

  1. A machine, like a workstation, running Visual Studio Code
  2. A machine running Splunk Enterprise software

Technically these things can run on the same logical machine; however, Visual Studio Code can run on a workstation while Splunk Enterprise runs in a remote data center or even a public cloud.

Each component requires specific software. The workstation running Visual Studio Code requires the Visual Studio Code Splunk extension. The server running Splunk Enterprise requires the Visual Studio Code Supporting Add-on for Splunk.

Debugging Procedure

The detailed steps for debugging are documented in the supporting add-on and this Wiki, so I will cover the gist here for brevity.

First, on the Splunk Enterprise side, you will need to add a few lines of Python code to the component you want to debug. These lines of code enable the Visual Studio Code debugger to connect and debug the Python code running in Splunk Enterprise.

Next, start the component you want to debug on the Splunk Enterprise server. For instance, if you are debugging a modular input, create an instance of the input and enable it. If you are debugging a custom search command, start a Splunk search and invoke the command. If you are debugging a custom alert action, create a search to trigger the action.  Basically, the code needs to be running in order for Visual Studio Code to attach.

Finally, start the debugger in Visual Studio Code.  This will attach Visual Studio Code to the running process in Splunk Enterprise and enable a familiar debug experience.

The Splunk Admin Persona - Troubleshooting

This stuff may seem like it is just for developers, but it is just as helpful for troubleshooting or satisfying curious minds as it is for developers.

Let’s say you have installed an add-on that includes an input, and you want to troubleshoot it. Traditionally, this would involve examining the _internal index.  This puts you at the mercy of the developer, hoping they put enough logging statements in their code for you to determine what might be going on.  Now, with this integration, simply install the Splunk supporting add-on, add a breakpoint in the code, and step along in Visual Studio Code to observe the magic that is going on.

The Splunk Admin Persona - .conf File Editing

If hand editing .conf files is part of your Splunk admin work, I have good news for you.  The Visual Studio Code Splunk extension contains intelligence about Splunk .conf files that does the following:

  • Provides stanza IntelliSense code-completion
  • Provides setting IntelliSense code-completion
  • Checks settings as you type for problems – a.k.a. linting
  • Allows you to expand/collapse stanzas, which is useful when editing larger .conf files

The extension reads Splunk .spec files to facilitate IntelliSense and linting.  You can provide a path to your own .spec files if desired.  For more information, check out the Wiki.
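To make the .spec-driven linting described above concrete, here is an added example (not the extension's own code) of a small checker that derives the allowed stanzas and settings from a .spec file and flags anything in a .conf file that the spec does not define. The sample spec and conf text are constructed, and the function names parse, stanza_regex and lint are hypothetical.

```python
import re
# Constructed sample in .spec layout: [stanza], "setting = <type>", "*" notes.
SAMPLE_SPEC = """\
[default]
disabled = <boolean>
* Whether the input is disabled.
[monitor://<path>]
index = <string>
sourcetype = <string>
"""

# Constructed .conf with a misspelled setting and a misspelled stanza.
SAMPLE_CONF = """\
[monitor:///var/log/auth.log]
index = os_linux
sourcetpye = linux_secure
disabled = false
[montior:///var/log/syslog]
index = os_linux
"""

def parse(text):  # yields (line_no, stanza, key); key is None on header lines
    stanza = "default"  # settings before any header are treated as global
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line[0] in "#*":
            continue  # blank, comment, or .spec description line
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            stanza = header.group(1)
            yield n, stanza, None
        elif "=" in line:
            yield n, stanza, line.split("=", 1)[0].strip()

def stanza_regex(spec_stanza):
    # Each <placeholder> in a spec stanza name matches any non-empty text.
    parts = re.split(r"<[^>]+>", spec_stanza)
    return re.compile(".+".join(re.escape(p) for p in parts))

def lint(spec_text, conf_text):
    spec, findings = {}, []
    for _, stanza, key in parse(spec_text):
        spec.setdefault(stanza, set()).update([key] if key else [])
    for n, stanza, key in parse(conf_text):
        allowed = [k for s, k in spec.items() if stanza_regex(s).fullmatch(stanza)]
        if key is None and not allowed:
            findings.append((n, f"unknown stanza [{stanza}]"))
        elif key and allowed and key not in spec.get("default", set()).union(*allowed):
            findings.append((n, f"unknown setting '{key}' in [{stanza}]"))
    return findings
```

Calling lint(SAMPLE_SPEC, SAMPLE_CONF) returns one finding per problem line; settings under an unknown stanza are not reported a second time.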

The “I Live in a Code Editor” Persona

If you spend a lot of time in a code editor and need to run an ad-hoc search, saved search, or view a report, I have more good news for you.  The Visual Studio Code Splunk extension connects to the Splunk REST API to allow you to stay in the code editor and bring Splunk searches and reports to Visual Studio Code.  The complete documentation can be found on the Wiki.


These Splunk Enterprise + Visual Studio Code integrations help decrease development time, troubleshoot issues, reduce human error, and more.  This is just the beginning of more integrations to come.  If you have questions, find us on Splunk Answers.

Happy Splunking!

Jason Conger