Copyright © 2016 Splunk Inc.
Elias Haddad, Sr. Product Manager, Splunk
Gordon Wang, Sr. Software Engineer, Splunk
Onboard your data faster with Add-on Builder
Disclaimer
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Agenda
• Why Add-on Builder
• What is Add-on Builder
• Feature Highlights
• What's new in Add-on Builder 2.0
• Demo
• Q&A
All Data is Relevant
• Servers
• Service Desk
• Storage
• Desktops
• Email
• Web
• Call Records
• Network Flows
• DHCP/DNS
• Hypervisor
• Custom Apps
• Industrial Control
• Badges
• Databases
• Mobile
• Intrusion Detection
• Firewall
• Data Loss Prevention
• Anti-Malware
• Vulnerability Scans
• Authentication
Why Add-on Builder
• Expand the ecosystem of Partners, Vendors, and Customers building Add-ons
• Reduce the time spent by engineers building one-off Add-ons
• Improve consistency and adherence to best practices
• Enable Development Partners with the right tools to be successful
• Accelerate development beyond what we can do alone
Refresher: What is an Add-on?
• Data Collection – Modular Input
• Abstraction layer:
  - Field Extraction
  - CIM, Domain Add-on Mapping
  - Indexed-time extraction
• Data Enrichment using lookups
• Modular Alerts
• Saved Searches
• Pre-Built Panels
What is Add-on Builder
Splunk Add-on Builder is an App on Splunkbase:
– https://splunkbase.splunk.com/app/2962/
The goals of the Splunk Add-on Builder are to:
– Guide you through all of the necessary steps of creating an add-on
– Reduce development and testing time
– Follow best practices and naming conventions
– Maintain CIM compliance
– Maintain quality of add-ons
– Validate and test the add-on, helping you to identify any limitations such as compatibilities and dependencies
– Maintain a consistent look and feel while still making it easy for you to add branding
What does Splunk Add-on Builder do?
Score Health of Add-on
• Validate for CIM compliance and naming conventions (best practices?)
• Detect problems with field extraction
Extract and Map fields
• Extract fields using automated event analysis
• Map fields to CIM with click of button
Automate code generation
• Intuitive and process driven UI
• Supports multiple input types, including shell, REST, and Splunk Python SDK
Create Add-on using step by step process
Add-on Builder Feature Highlights
• Version 2.0.0 Features Highlight
UI based Add-on creation
• Maintains a consistent look and feel while still making it easy for you to add branding
• Upload your add-on Logo and pick your color theme
Show via demo
Modular Input
Modular Input ease of creation
• If you have a simple REST API:
– We can generate the modinput for you without writing a single line of code.
– Can be tokenized
• If you have a shell command or script:
– We will generate the modinput for you
– Can be tokenized
• Real time code validation
Show via demo
Add-on Setup
• Allows you to generate and build a setup page without having to deal with setup.xml.
• Create your setup parameters or select default ones.
• Supports multi-account
• Interactive
• Out of the box proxy support, password encryption, logging
Show via demo
Advanced Modular Input
• If you have more advanced data collection logic
• Real time code validation
• Includes library:
– Checkpointing
– Reading encrypted password from storage/passwords endpoint
– Proxy
– Accessing parameter values from setup page
Show via demo
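The checkpointing the library provides is what keeps a polling input from re-indexing the same records every interval. As an added illustration (not code from Add-on Builder or its generated library), the block below shows the pattern for a REST-style input: a constructed API response, a checkpoint file that records the last ingested id, and a collector that emits only newer events and advances the checkpoint atomically. The response, the checkpoint file name and the function names are assumptions for the example.

```python
import json
import os
import tempfile

# Constructed sample API response, the kind of page a REST-based modular
# input polls on each interval. Each record carries a monotonically
# increasing id that serves as the checkpoint key.
SAMPLE_RESPONSE = json.dumps({"events": [
    {"id": 101, "time": "2016-09-26T10:00:00Z", "user": "alice", "action": "login"},
    {"id": 103, "time": "2016-09-26T10:05:00Z", "user": "carol", "action": "login"},
    {"id": 102, "time": "2016-09-26T10:05:00Z", "user": "bob", "action": "logout"},
]})

def load_checkpoint(path):
    """Return the last ingested event id, or 0 if no checkpoint exists yet."""
    if not os.path.exists(path):
        return 0
    with open(path) as fh:
        return json.load(fh).get("last_id", 0)

def save_checkpoint(path, last_id):
    """Write the checkpoint atomically so a crash mid-write cannot corrupt it."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump({"last_id": last_id}, fh)
    os.replace(tmp, path)

def collect(response_text, checkpoint_path):
    """Emit only events newer than the checkpoint, then advance it; return them."""
    last_id = load_checkpoint(checkpoint_path)
    events = json.loads(response_text)["events"]
    # Sort by id so the checkpoint only moves forward even when the API
    # returns records out of order.
    new = sorted((e for e in events if e["id"] > last_id), key=lambda e: e["id"])
    for event in new:
        print(json.dumps(event))  # stand-in for the modular input's event writer
    if new:
        save_checkpoint(checkpoint_path, new[-1]["id"])
    return new

def run_twice():
    """Poll the same response twice; the second poll must yield nothing new."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "checkpoint.json")
        first = collect(SAMPLE_RESPONSE, path)
        second = collect(SAMPLE_RESPONSE, path)
        return len(first), len(second), load_checkpoint(path)
```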
Field Extraction
• Supports various formats including Unstructured, KV, tabular and JSON
• Leverages a machine learning clustering algorithm to group events based on format similarity
• Automatically generates regex for field extraction
Show via demo
CIM Mapping
• UI based CIM mapping
• Map your Add-on fields to the Common Information Model in a click of a button
Show via demo
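To make the two preceding steps concrete, here is an added example (not Add-on Builder's own code or output) that extracts key=value fields from constructed events of a hypothetical VPN appliance and maps them onto the CIM Authentication data model, then renders the props.conf stanza that expresses the same aliases and the action normalisation. The vendor field names, the sourcetype and the sample events are assumptions.

```python
import re

# Constructed sample events from a hypothetical VPN appliance (not a real
# vendor format): key=value pairs, the kind of input the KV extraction handles.
SAMPLE_EVENTS = [
    "ts=2016-09-26T10:00:01Z evt=auth_ok usr=alice src_ip=10.1.2.3 gw=vpn-gw1",
    "ts=2016-09-26T10:00:07Z evt=auth_fail usr=mallory src_ip=203.0.113.9 gw=vpn-gw1 reason=bad_password",
]

# Regex of the kind generated for field extraction: each key=value pair
# becomes a field named after the key.
KV_RE = re.compile(r"(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?P<value>\S+)")

# Vendor field -> CIM Authentication field (what a FIELDALIAS- expresses).
CIM_ALIASES = {"usr": "user", "src_ip": "src", "gw": "dest"}

# Vendor status -> CIM action values, which must be "success" or "failure".
ACTION_MAP = {"auth_ok": "success", "auth_fail": "failure"}

def extract_fields(raw):
    """Search-time extraction: return the vendor's own field names and values."""
    return {m.group("key"): m.group("value") for m in KV_RE.finditer(raw)}

def map_to_cim(fields):
    """Apply the aliases and action normalisation so the event fits the
    Authentication data model; unrecognised statuses become 'unknown'."""
    cim = {cim_name: fields[vendor] for vendor, cim_name in CIM_ALIASES.items()
           if vendor in fields}
    cim["action"] = ACTION_MAP.get(fields.get("evt"), "unknown")
    cim["app"] = "vpn"  # constant, as an EVAL- would set it
    return cim

def props_conf_stanza(sourcetype):
    """Render the props.conf stanza expressing the same mapping. For key=value
    data Splunk's KV_MODE does the extraction; a regex EXTRACT- is only needed
    for unstructured formats."""
    lines = [f"[{sourcetype}]", "KV_MODE = auto"]
    for vendor, cim_name in CIM_ALIASES.items():
        lines.append(f"FIELDALIAS-{cim_name} = {vendor} AS {cim_name}")
    lines.append('EVAL-action = case(evt=="auth_ok", "success", '
                 'evt=="auth_fail", "failure", true(), "unknown")')
    lines.append('EVAL-app = "vpn"')
    return "\n".join(lines)

def process(events=SAMPLE_EVENTS):
    """Run extraction and CIM mapping over each raw event."""
    return [map_to_cim(extract_fields(e)) for e in events]
```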
Health Validation
• Validate your Add-on for:
– Best practices
– CIM compliance
• Detect any field extraction problems
• Detect any problems with your modular inputs
• Certification readiness on roadmap
Show via demo
What's new in Add-on Builder 2.0
Certification check
• Get pre-certified with a click of a button
• Relies on backend online certification services to run the check
• Add-on Builder pushes the Add-on package to the service and waits for results to be returned.
• Results are displayed on the validation step in Add-on Builder.
Show via demo
Alert Action
• Alert Action allows Splunk admins to take automatic actions from a Splunk alert
• Examples of existing Custom Alert actions on Splunkbase: ServiceNow Incident creation, Hipchat notifications
• Add-on Builder allows you to build, test and validate a Custom Alert Action in a simple UI based workflow.
Show via demo
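A custom alert action of the ServiceNow-incident kind mentioned above is a script that Splunk runs with `--execute`, handing it a JSON payload on stdin. The block below is an added example (not from Add-on Builder or any Splunkbase app): it parses a constructed payload and builds a ticket body from the alert's first result row and the action's configured parameters, copying only the fields an analyst needs and never the session key. The payload values, the parameter names and the ticket fields are assumptions.

```python
import json
import sys

# Constructed payload in the shape Splunk passes a custom alert action script
# on stdin when it runs the script with --execute (trimmed to the keys used).
SAMPLE_PAYLOAD = json.dumps({
    "search_name": "Brute force login attempts",
    "sid": "scheduler__admin__TA-example__constructed_at_1474884000_1",
    "owner": "admin",
    "app": "TA-example",
    "server_uri": "https://127.0.0.1:8089",
    "session_key": "CONSTRUCTED-SESSION-KEY",
    "configuration": {"severity": "2", "assignment_group": "SOC"},
    "result": {"user": "mallory", "src": "203.0.113.9", "count": "57"},
})

def build_incident(payload):
    """Turn the alert's first result row plus the action's own parameters into
    a ticket body. Only what an analyst needs crosses the boundary; the
    session_key stays in the payload and is never copied or logged."""
    result = payload["result"]
    conf = payload["configuration"]
    name = payload["search_name"]
    return {
        "short_description": f"{name}: {result.get('user', '?')} from {result.get('src', '?')}",
        "description": f"Splunk alert '{name}' (sid {payload['sid']}) matched "
                       f"{result.get('count', '?')} events",
        "severity": int(conf.get("severity", "3")),
        "assignment_group": conf.get("assignment_group", "SOC"),
        "splunk_owner": payload["owner"],
    }

def run(argv, stdin_text):
    """Mirror the --execute contract: return the incident dict, or None when
    the script was invoked without --execute."""
    if "--execute" not in argv:
        return None
    incident = build_incident(json.loads(stdin_text))
    # A real action would POST `incident` to the ticketing API here, with
    # credentials read from Splunk's storage/passwords rather than hard-coded.
    return incident

if __name__ == "__main__":
    print(json.dumps(run(sys.argv[1:], sys.stdin.read()), indent=2))
```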
Alert Action – Adaptive Response
• Splunk Enterprise Security developed the Adaptive Response initiative to connect Splunk with third party security systems
• Adaptive Response is built on top of alert actions to define the interactions between the Enterprise Security UI and the underlying alert action.
• Supports ad hoc actions and alert-driven/automated actions
Show via demo
Questions
THANK YOU
Where can I download this app?
https://splunkbase.splunk.com/app/2962/#/overview
Data models covered by CIM:
• Alerts
• Application State
• Authentication
• Change Analysis
• Databases
• Email
• Interprocess Messaging
• Intrusion Detection/Prevention
• Inventory
• Java Virtual Machines
• Malware
• Network Sessions
• Network Traffic
• Performance
• Splunk Audit Logs
• Vulnerabilities
• Web