Does one or more of the following personas describe you?
If you fit one of those personas, you are in luck because I’m happy to tell you about some new Splunk integrations with Visual Studio Code in this blog.
Visual Studio Code is a free, cross-platform, highly rated code editor from Microsoft that provides a rich development environment including debugging capabilities such as breakpoints, stepping into code, variable inspection, and displaying the call stack. Visual Studio Code is very extensible, and this integration takes advantage of the extensibility to provide intelligence about Splunk .conf files and interact with Splunk via the editor.
After spending some time creating your shiny new Splunk extension, you’re ready to test it out. If you’re imperfect like me, you might get an error or unexpected results or no results at all.
To figure out what is actually happening inside the code, maybe you add a plethora of debug logging statements, purposely throw an exception, or write output to files somewhere.
There has to be a better way – and now there is! This integration allows you to set breakpoints, step into/over code, inspect the call stack, and more.
Logically, there are two components:
Technically these things can run on the same logical machine; however, Visual Studio Code can run on a workstation while Splunk Enterprise runs in a remote data center or even a public cloud.
Each component requires specific software. The workstation running Visual Studio Code requires the Visual Studio Code Splunk extension. The server running Splunk Enterprise requires the Visual Studio Code Supporting Add-on for Splunk.
The detailed steps for debugging are documented in the supporting add-on and this Wiki, so I will cover the gist here for brevity.
First, on the Splunk Enterprise side, you will need to add a few lines of Python code to the component you want to debug. These lines of code enable the Visual Studio Code debugger to connect and debug the Python code running in Splunk Enterprise.
Next, start the component you want to debug on the Splunk Enterprise server. For instance, if you are debugging a modular input, create an instance of the input and enable it. If you are debugging a custom search command, start a Splunk search and invoke the command. If you are debugging a custom alert action, create a search to trigger the action. Basically, the code needs to be running in order for Visual Studio Code to attach.
Finally, start the debugger in Visual Studio Code. This will attach Visual Studio Code to the running process in Splunk Enterprise and enable a familiar debug experience.
This stuff may seem like it is just for developers, but it is just as helpful for troubleshooting or satisfying curious minds as it is for developers.
Let’s say you have installed an add-on that includes an input, and you want to troubleshoot it. Traditionally, this would involve examining the _internal index. That puts you at the mercy of the developer: you have to hope they put enough logging statements in their code for you to determine what might be going on. Now, with this integration, simply install the Splunk supporting add-on, add a breakpoint in the code, and step along in Visual Studio Code to observe the magic that is going on.
If hand-editing .conf files is part of your Splunk admin work, I have good news for you. The Visual Studio Code Splunk extension contains intelligence about Splunk .conf files that does the following:
The extension reads Splunk .spec files to facilitate IntelliSense and linting. You can provide a path to your own .spec files if desired. For more information, check out the Wiki.
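To make the idea of .spec-driven linting concrete, here is an added example (not the extension's own code, which this post does not show) that checks a .conf file's stanzas and keys against a .spec file. The sample texts, the function names, and the rule that a `<placeholder>` in a spec stanza header matches any non-empty text are assumptions made for illustration.

```python
import re

# Constructed samples (not real Splunk files): a .spec, then a .conf with a misspelled key and stanza.
SAMPLE_SPEC = """\
[default]
disabled = <boolean>
* Whether the stanza is disabled.
[example_input://<name>]
interval = <integer>
endpoint = <string>
"""
SAMPLE_CONF = """\
[example_input://prod]
interval = 60
endpiont = https://collector.example.invalid
disabled = 0
[exmple_input://test]
interval = 30
"""

def parse(text):
    """Return {stanza: {key: line_no}} for .conf or .spec style text."""
    stanzas, current = {}, "default"
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#*":
            continue  # blank line, comment, or .spec description line
        if line.startswith("[") and line.endswith("]"):
            stanzas.setdefault(current := line[1:-1], {})
        elif "=" in line:
            stanzas.setdefault(current, {})[line.split("=", 1)[0].strip()] = no
    return stanzas

def stanza_matches(spec_name, conf_name):
    """Assumed rule: <placeholder> in a spec header means 'one or more characters'."""
    parts = re.split(r"<[^>]+>", spec_name)
    return re.fullmatch(".+".join(map(re.escape, parts)), conf_name) is not None

def lint(conf_text, spec_text):
    """Return findings for stanzas and keys that the spec does not define."""
    spec, findings = parse(spec_text), []
    for stanza, keys in parse(conf_text).items():
        match = next((s for s in spec if stanza_matches(s, stanza)), None)
        if match is None:
            findings.append(f"unknown stanza [{stanza}]")
            continue
        allowed = set(spec.get("default", {})) | set(spec[match])
        findings += [f"line {no}: unknown key '{k}' in [{stanza}]"
                     for k, no in keys.items() if k not in allowed]
    return findings
```

Calling `lint(SAMPLE_CONF, SAMPLE_SPEC)` reports the misspelled `endpiont` key with its line number and the misspelled stanza, while `disabled` is accepted because it is defined under `[default]`.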
If you spend a lot of time in a code editor and need to run an ad-hoc search, saved search, or view a report, I have more good news for you. The Visual Studio Code Splunk extension connects to the Splunk REST API to allow you to stay in the code editor and bring Splunk searches and reports to Visual Studio Code. The complete documentation can be found on the Wiki.
These Splunk Enterprise + Visual Studio Code integrations help decrease development time, troubleshoot issues, reduce human error, and more. This is just the beginning of more integrations to come. If you have questions, find us on Splunk Answers.
Happy Splunking!