Welcome to Splunkbase

Splunkbase is home to the apps and add-ons that run on top of Splunk. Browse the latest apps below, or share your own with the rest of the Splunk community. To learn more about Splunk and download a free Enterprise Trial of our software, visit Splunk.com.

Splunk for Windows

Splunk for Windows provides pre-built data inputs, searches, reports, alerts, and dashboards for Windows server and desktop management. Now you can monitor, manage, and troubleshoot Windows operating systems from one place with Splunk for Windows. Included are a set of scripted inputs for collecting CPU, disk, I/O, memory, log, configuration, and user data. And you're really going to love the new WMI Web user interface for setting up and managing your Windows Event Logs. The app makes getting started with Splunk a breeze.

Type: App | Splunk Version: 4.x | Author: Splunk

Splunk for Unix and Linux

Splunk for *nix provides pre-built data inputs, searches, reports, alerts and dashboards for Linux and Unix management. Now you can monitor, manage and troubleshoot *nix operating systems from one place with Splunk for *nix. Included are a set of scripted inputs for collecting CPU, disk, I/O, memory, log, configuration and user data. The app makes getting started with Splunk a breeze.

Type: Suite | Splunk Version: 4.x | Author: Splunk

Splunk for IMAP

This application will continually download mail from an IMAP account, where it is indexed by a Splunk server. You can do cool things like see how often you get mail from someone, graph by size, time, etc.

Type: App | Splunk Version: 3.x-4.x | Author: erik

Splunk License Usage

This bundle provides a new dashboard which has several widgets that query to help you determine your Splunk license usage total over the past 24 hours as well as usage by host, source, and sourcetype. It contains timecharts to help you understand usage over time and see usage spikes as well as pie charts to help you to figure out which log files, sourcetypes, and hosts Splunk is indexing the most data from.

Type: App | Splunk Version: 4.x | Author: joshs

Splunk for F5

Splunk and F5 are working together to provide real time reporting and intelligence for the ASM and PSM product lines. You rely on F5 Networks solutions like BigIP Global Traffic Manager, Local Traffic Manager, ASM, Firepass, WANOPT and ARX to keep your mission critical applications running and achieve IT agility. Your way. Now you can rely on Splunk for F5 to search, alert, report and make decisions in real time. Pre-defined searches, reports and dashboards make it quick to get started and with the power of Splunk you can customize Splunk for F5 to meet the specific needs of your agile IT environment. **Please note the current application includes support for ASM and PSM products only**

Type: App | Splunk Version: 4.x | Author: splunk-f5

Splunk for Blue Coat

Splunk for Blue Coat provides search, alerting and reporting for large-scale Blue Coat environments. Pre-defined searches, reports and dashboards for Traffic Analysis, Bandwidth Reporting, Security Investigations and User Behavior combined with the power of Splunk search gives you the visibility and intelligence you need. If you use Blue Coat for Secure Web Gateway, WAN Optimization or Application Performance Monitoring, you'll find Splunk for Blue Coat indispensable. Documentation can be found here: http://www.splunk.com/goto/splunkforbluecoatsetup

Type: App | Splunk Version: 4.x | Author: splunk-bluecoat

AfterGlow Graphing

This App enables Splunk 4 to generate link graphs by using AfterGlow. The link graph is a clickable image map. When a node is selected, it is used to generate a new search in Splunk.

Type: Add-On | Splunk Version: 4.x | Author: raffy

Ocean

This is a theme packaged as an app that you can use to change the look and feel of any app. Simply move the contents of the "appserver > static" directory to the app you would like to change.

Type: Add-On | Splunk Version: 4.x | Author: Splunk

Capture HTTP POST or GET Request Parameters

This application consists of a servlet that captures the POST and/or GET parameters of any HTTP request and writes to standard output a set of <tag>=<value> terms, seen as one event in Splunk. Because the terms in the events have the form tag=value, automatic field extraction for search and reports will occur for them. The purpose of this boilerplate Java Servlet is to serve as a parameter collector for HTTP POST and GET requests that can be customized for deployment. The servlet developed here was tested on Apache Tomcat 6.x, although it should work in any servlet container. To further solidify its usage, the user may want to investigate using log4j as the framework for log collection. In the Tomcat implementation, the output is captured in a configurable rotated log file to be monitored by Splunk. *** OPTIONAL *** This version also includes a servlet that uses the log4j framework. Run tar -zxvf on the distribution and read the README for installation notes.

Type: Add-On | Splunk Version: 3.x-4.x | Author: ndoshi

Search

Search is the Splunk interface for searching and analyzing IT data. It allows you to index data into Splunk, add knowledge, build reports, and create alerts. Splunk 4.0 includes a brand new search and reporting interface, and pre-built useful dashboards for monitoring your Splunk installation. The Search App can be used across many areas of IT including infrastructure management, application management, security and compliance.

Type: App | Splunk Version: 4.x | Author: Splunk

Desert

This is a theme packaged as an app that you can use to change the look and feel of any app. Simply move the contents of the "appserver > static" directory to the app you would like to change.

Type: Add-On | Splunk Version: 4.x | Author: Splunk

Getting Started

Get started with Splunk. This App introduces you to many of Splunk's features. You'll learn how to use Splunk to index data, search and investigate, add knowledge, monitor, alert, report and analyze all your IT data in one place.

Type: App | Splunk Version: 4.x | Author: Splunk

Example lookup using a Database

This is an example of using the Splunk lookup search command to correlate a field that is within Splunk with external field(s) that are in a database. The example is in the bin directory and is called countrylookup.py. After gunzip and tar extracting the distribution (tar zxvf dblookup.spl), read the README.txt for instructions on usage. The purpose of this example is to show how Splunk can be used to correlate events with fields that reside in an external database.

Type: Add-On | Splunk Version: 4.x | Author: ndoshi

Use Python Mail for Scripted Alerts

This script runs as a scripted alert in Splunk to send mail to recipients whenever the alert conditions are met. It is similar in concept to the Javamail application available on Splunkbase, but uses Python to send the message. The intent is to provide a framework to control when email should be sent. Currently, the script uses Daily, Weekday, and Weekend to control on which days the email alert should be sent. With this in mind, the included Python program can be modified to also control the hours of the day during which email should be sent. Installation: Use tar zxvf to uncompress and untar the distribution and read the README.txt.

Type: Add-On | Splunk Version: 3.x-4.x | Author: ndoshi

Web Services Weather as Scripted Input

This distribution periodically calls a weather web service with a list of cities as input, and the output is sent to Splunk's indexer. The code makes use of the Apache Axis client library to call the web service as a scripted input, retrieving weather reports for major cities and storing each response as an event in XML format. It is used as a demonstration of using web services as a scripted input. You can choose your own cities to build your time series weather data store. The work to call the web service for each city/country pair is done in the GatherWeather.java program. To install, unzip and untar the distribution in SPLUNK_HOME/etc/apps and read the README_WS.txt file for further configuration.

Type: Add-On | Splunk Version: 3.x-4.x | Author: ndoshi

Use Javamail for Scripted Alerts

This script runs as a scripted alert in Splunk to send mail to recipients whenever the alert conditions are met. It uses JavaMail to send the message. The intent is to provide a framework to control when email should be sent. Currently, the script uses Daily, Weekday, and Weekend to control on which days the email alert should be sent. With this in mind, the included Java program can be modified to also control the hours of the day during which email should be sent. The included code uses a US Locale, which should be changed to the country of your choice. You can also use the full power of JavaMail to send multi-part messages and attachments. Installation: Use tar zxvf to uncompress and untar the file and follow the instructions in the README. You can also modify the script to run on Windows.

Type: Add-On | Splunk Version: 3.x-4.x | Author: ndoshi

Web Services Stock Quote as Scripted Input

This distribution calls a stock quote web service with a list of stock symbols as input, and the output is sent to Splunk's indexer. The code makes use of the Apache Axis client library to call the web service as a scripted input, retrieving stock quote reports for the given symbols and storing each response as an event in XML format. It is used as a demonstration of using web services as a scripted input. The work to call the web service for each stock symbol is done in the GatherStockQuote.java program. To install, use tar zxvf and place the stockquotes directory under SPLUNK_HOME/etc/apps/. Then read the README_StockQuote.txt for further configuration. You can use this to create your own time series data store for stock information and create reports. This ships with one field action to get detailed information on a symbol (use xmlkv to extract the symbol field).

Type: Add-On | Splunk Version: 3.x-4.x | Author: ndoshi

Splunk Monitoring

The Splunk Monitoring application can be used to monitor your Splunk forwarding nodes from your indexing node using an nmap query script. It creates a new "splunk_monitoring" index and has a single dashboard that displays the overall number of servers that are UP or DOWN as well as the status of each individual server. To use the Splunk Monitoring application, extract the files into your $SPLUNK_HOME/etc/apps directory. The actual monitoring script uses nmap so make sure you have it installed on your indexing node. Edit the $SPLUNK_HOME/etc/apps/splunk_monitoring/local/tags.conf file to include a list of your servers (the actual tag doesn't matter) or edit the $SPLUNK_HOME/etc/apps/splunk_monitoring/bin/splunk_port_monitor.sh script to point to a different location for the tag_file variable. You will also want to edit that file if you run Splunk on a port other than 8089 or if your nmap executable is located in a location other than /usr/bin/nmap.

Type: App | Splunk Version: 4.x | Author: joshs

UI Examples

This app is a collection of example views created by Nick, Nate and other members of the UI development team here at Splunk. Download this app to follow along at home with the examples described in the Developer manual.

Type: Add-On | Splunk Version: 4.x | Author: emma

Geo Location Lookup Script

Splunk for Use with MAXMIND is an application that provides geo_ip information on any public IP in your Splunk DB in a scalable fashion. The GeoIPCityLite DB is a part of the app, so no internet connection is required and lookups are performed locally on your search head. The use is simple: pipe any search to ' lookup geoip clientip as <some_ip_field> '. If you do not have an IP field in your data, you can use the rex command to extract one and then perform the lookup.

Example Searches:

eventtype=firewall_event | lookup geoip clientip as src_ip

sourcetype=syslog | rex field=_raw "(?<ip>\d+\.\d+\.\d+\.\d+)" | lookup geoip clientip as ip

This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/

Type: Add-On | Splunk Version: 4.x | Author: will

RSS Scripted Input

This is a simple application to take the content of any RSS feed and index its metadata (date, title, link, and description) into Splunk. A scripted input calls rss.sh every 600 seconds, which in turn calls the supplied Python program, rssfeed.py, to gather the RSS feeds. RSS feeds are supplied via a file passed on the command line. A sample file, feeds.txt, is provided for testing. This program uses the open source feedparser from www.feedparser.org as its RSS parser. Installation: Gunzip and untar the distribution into $SPLUNK_HOME/etc/apps and read the README.txt.

Type: Add-On | Splunk Version: 3.x-4.x | Author: ndoshi

Indexing events from Multicast address

This app contains an example scripted input to test receiving and indexing data that is sent to a multicast address and port. I have simply used publicly available code to show one way to get a scripted input to listen on a multicast address and port to index multicast data. Generally, it is not recommended to broadcast log files to all machines, as UDP receiving may be unreliable and flooding the network with packets that are only going to be received by a few machines is inefficient. However, if there are applications that need to multicast signal data and you are interested in indexing and searching this data, the provided distribution may be useful. Read the README.txt for configuration.

Type: Add-On | Splunk Version: 3.x-4.x | Author: ndoshi

Audible Alerts using Nabaztag:Tag (Wifi Rabbit)

This application is an example of sending audible alerts to a device using the REST API of the device. The idea is that there are times when you would want to receive alerts beyond the usual text based alerts, especially when you may be in a remote location. This script runs as a scripted alert in Splunk to send an audible alert to a Nabaztag:Tag (robot rabbit from http://www.violet.net/) whenever the alert conditions are met. It uses Violet's REST API to send the message. Currently, the script uses daily, weekday and weekend to control what days the email alert should be sent. It also provides start and end hours when the alert should be active. Installation: Use tar zxvf to uncompress and untar the distribution. Then, read the README for further instructions. Requirements: Wireless Router and Nabaztag:Tag

Type: Add-On | Splunk Version: 3.x-4.x | Author: ndoshi

TCP or UDP Sending

This distribution shows a simple approach to sending TCP or UDP data to Splunk using the included Python scripts. In addition, test programs are provided to test TCP or UDP connections from one machine to another without using Splunk, to make sure there are no firewalls or policies that prevent connecting or receiving data. This is one way to debug why a forwarder cannot send data to a port on another machine. Gunzip and untar the distribution into SPLUNK_HOME/etc/apps and read the README.txt for instructions.

Type: Add-On | Splunk Version: 3.x-4.x | Author: ndoshi

Encrypt and Decrypt data within Events

The purpose of this distribution is to provide an easy way to encrypt data within events and decrypt that data at search time depending on the user's role. The distribution uses pyDes, available at http://twhiteman.netfirms.com/des.html. The basic idea is to first encrypt data within an event and produce a new file with the same content as before, but with the data matching group(1) of a regular expression encrypted and saved on disk as base64. The next step is to index the newly produced file into Splunk with a sourcetype. At search time, you will then be able to decrypt the data within the event based on your role's ability to run the supplied decrypt command. Read the README.txt for installation and usage.

Type: Add-On | Splunk Version: 3.x-4.x | Author: ndoshi

What are Apps and Add-ons?

Apps give you insight into your IT systems with dashboards, reports, data inputs and saved searches that work in your environment from the moment they install. Save time and money with free plug-and-play solutions built by Splunk, our partners and users.

Add-ons let you tackle specific data problems directly. Built by Splunk partners and power users from the Splunk community, add-ons are smaller, reusable components that can change the look and feel of Splunk, add data sources or share information between users.

How Do I Get Them?

You can browse and install apps from the menu at left or through the App Launcher within your Splunk installation. Visit the Administration Manual to learn more about installing apps or add-ons.

Most Splunk apps and add-ons are completely free and work with both the Free and Enterprise versions of Splunk 4.x. If you're looking for apps for older versions of Splunk, visit the Splunkbase Archive.

Build Your Own

The Splunk developer framework makes it easy to turn your Splunk work into custom apps and add-ons. Read the Developer Manual to find out how.

Come back to Splunkbase when you're ready to show your app to the world and visit the Share page to upload your app to the Splunk community.