Chapter 10. Above and Beyond – Customization, Web Framework, REST API, HTTP Event Collector, and SDKs

In this chapter, we will learn how to customize a Splunk application and use advanced features of Splunk, Splunk SDKs, and APIs to work with the data within Splunk. We will learn about:

  • Customizing the application navigation
  • Adding a force-directed graph of web hits
  • Adding a calendar heatmap of product purchases
  • Adding cell highlighting of average product price
  • Remotely querying Splunk's REST API for unique page views
  • Creating a Python application to return unique IP addresses
  • Creating a custom search command to format product names
  • Collecting data from remote scanning devices

Introduction

Throughout all the chapters so far, we have been dealing directly with the core functionality found within Splunk Enterprise. In this chapter, we will dive into the functionality that lets us create an even more powerful interactive experience with Splunk. By leveraging the latest technology in Splunk Enterprise, we can customize the look and feel, expose our users to richer visualizations, extract knowledge and data from Splunk into our own internal applications, or build completely new applications that leverage Splunk.

Taking your Splunk experience to the next level breaks out into three areas: the web framework, the REST API, and software development kits (SDKs).

Web framework

The web framework is a core component of the Splunk 6 platform. The framework extends the abilities of Splunk to allow more extensible development. In this framework, you don't have to restart Splunk to see your changes. You can write custom handlers and URL routing, and can create custom templates that can be used to generate client-side components. On the client side, you can leverage a custom Splunk JavaScript stack combined with HTML-based dashboards. You no longer need to do everything in SimpleXML! The SplunkJS Stack can even be downloaded as a set of libraries to be included in your applications outside of Splunk.

The full power of these technologies can be used to create the type of dashboards and reports that will meet your exact needs.

REST API

The backbone of Splunk has always been the underlying REST API. The REST API allows access to everything from configuration to ingesting data. Whether it's running one-off scripts to extract some data or automating a workflow with a third-party system, it can all be done with simple web requests to the API.

As with most of Splunk, there are also many different options and parameters that you can manipulate in order to change the output types or filter the results. Long before Splunk had the web framework, the REST API was the workhorse of integrating with Splunk and still plays a big part in this.

SDKs

Over the past few years, the Splunk development team has been creating SDKs to assist developers with the creation of their own Operational Intelligence applications.

Using the SDKs, developers can easily:

  • Manage and execute searches and saved searches
  • Manage configuration details and user access
  • Log data directly into Splunk
  • And many other features

The SDKs are written to interact with the REST API and abstract the various details away to let you focus on getting the operational intelligence you need. Splunk currently has SDKs for Python, Java, JavaScript, PHP, Ruby, and C#.

HTTP Event Collector

Starting with Splunk 6.3, a new mechanism is available for getting data into Splunk. The HTTP Event Collector is a highly efficient and secure way to get data into Splunk over HTTP/HTTPS from devices that don't need to run, or are unable to run, the Splunk Universal Forwarder. This is especially relevant to the growing Internet of Things (IoT) market.

The HTTP Event Collector is easy to configure and can run on any Splunk instance. It utilizes tokens for authentication, which means you will never need to put credentials into the sending application.
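As an added illustration (not code from the book or from Splunk), the sketch below shows what token authentication looks like from the sending side: the sender presents only an HEC token in the Authorization header, never a Splunk username or password. The host name, token value, and event fields are constructed placeholders, and refusing plain HTTP is a choice made for this example so the token never crosses the network in cleartext.

```python
import json
import os
import ssl
import urllib.request

HEC_PATH = "/services/collector/event"  # HEC endpoint for JSON-formatted events


def build_hec_request(base_url, token, event, sourcetype=None, index=None):
    """Build (but do not send) an HTTP Event Collector request."""
    if not base_url.lower().startswith("https://"):
        # Example policy: the token is a bearer secret, so require TLS.
        raise ValueError("HEC URL must use https://")
    if not token or "\r" in token or "\n" in token:
        # Reject empty tokens and header-injection characters.
        raise ValueError("missing or malformed HEC token")
    payload = {"event": event}
    if sourcetype:
        payload["sourcetype"] = sourcetype
    if index:
        payload["index"] = index
    return urllib.request.Request(
        base_url.rstrip("/") + HEC_PATH,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"},
        method="POST",
    )


def send_hec_event(request, timeout=5):
    """Send the request with certificate and hostname verification enabled."""
    context = ssl.create_default_context()  # verifies the server certificate
    with urllib.request.urlopen(request, timeout=timeout, context=context) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed placeholders; read the real token from the environment,
    # not from source code, so it can be rotated or disabled per device.
    url = os.environ.get("SPLUNK_HEC_URL", "https://splunk.example.com:8088")
    token = os.environ.get("SPLUNK_HEC_TOKEN",
                           "00000000-0000-0000-0000-000000000000")
    req = build_hec_request(url, token,
                            {"scanner": "dock-01", "barcode": "0001"},
                            sourcetype="_json")
    print(req.get_method(), req.full_url)
```

Only build_hec_request runs in the demo; send_hec_event needs a reachable Splunk instance with HEC enabled and a valid token.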

OK, let's get some hands-on experience of this exciting technology!
