Cross-Platform Scripted Inputs

Building an app and making sure that it is environment agnostic can be a bit challenging. One challenge that I come across  over and over is how to make it work cross-platform… whether Splunk is installed on Windows, MacOS or *nix environments.

A good illustration of that challenge is when you use a “Scripted Input” in your app. Scripted Inputs are one of the many ways you can use Splunk to run scripts to collect data from 3rd party interfaces such as REST. Referencing that script in a Windows environment is different than the way you would do it in a MacOS environment.

Let’s take the example of the following scripted input stanza:

[script://./bin/scripts/ incident]

disabled = 1

index = snowincident

interval = 300

source = SNow_Incident

sourcetype = SNow_Incident


‘./bin/scripts/ incident’ is the actual scripted command that Splunk would need to run to pull data from 3rd party REST API. This command is well suited for MacOS or *nix environments but does not work in a Windows environment due to the simple fact that Windows requires backslashes ‘\’ instead of forward slashes ‘/’ to reference directory structures. So how can this be done?


A good approach to solving the problem is to have Splunk check the environment at the app setup time and build the right scripted input based on the environment. Setup.xml is a good method that I usually use to build the app setup screen.

In order to handle the setup configuration of the setup.xml file, you can write python script that initializes your setup screen and handles the user-entered values.For more details, refer to the product documentation:

Setup Custom Endpoint


Now we need to use the python handler script to check the environment and dynamically build the inputs.conf stanza based on the platform detected. To do so, you can add the following code in the “handleEdit()” method of your handler. This method  handles actions taken when user hits “Save” on the Setup screen window. The code that needs to be added is described in the following 3 steps.


Step1:  Set a variable that contains the stanza’s name-value pairs parameters. In the above example, this would correspond to the following name-value pairs:

disabled = 1

index = snowincident

interval = 300

source = SNow_Incident

sourcetype = SNow_Incident

The code would look like:

input_1 = {‘disabled’: ‘1’, ‘index’: ‘snowincident’, ‘interval’: ‘300’, ‘source’ : ‘SNow_Incident’ , ‘sourcetype’ : ‘SNow_Incident’}


Step2:  Build the path to the Script location using the python OS module to generate the right path based on the platform.

For the above scripted input stanza, this would correspond to either

script://./bin/scripts/ incident – for MacOS or Unix


script://.\bin\scripts\ incident – for Windows

The code would like:

SNOW_FILE = os.path.join( ‘.’, ‘bin’, ‘scripts’, ‘ incident’)

SNOW_FILE = ‘script://’ + SNOW_FILE


Step3 –  Use the writeConf() method to add a new entry to inputs.conf through the rest API. WriteConf() takes the variables defined in Step 1 and 2 as arguments:

self.writeConf(‘inputs’, SNOW_FILE, input_1)

Hope this helps someone else with the same problem…

Elias Haddad
Posted by

Elias Haddad

Elias is an Emerging Market Presales Architect working out of the Dubai office. Prior to that, he was a Product Manager responsible for Splunk data ingestion and held various pre-sales, post-sales and business development positions. Elias lives in Dubai and graduated from Purdue University with a master’s degree in computer engineering.

Join the Discussion