The purpose of this section is to showcase a wide variety of examples of how `splunk-ansible` can be used. Please use the files and content here as simple reference designs for implementing, and getting immediate value out of, the playbooks in this repository.

From a design perspective, the plays within `splunk-ansible` are meant to be run locally on each instance of your intended Splunk deployment. The execution flow of the provisioning process is meant to handle interoperability between instances gracefully in this manner, while also maintaining idempotency and configuration management. It is also possible to use these plays against a remote instance, although that is not the intended use case, so it might not work in all cases.
`hosts` file (inventory):

```
localhost ansible_connection=local
```

`default.yml`:

```yaml
---
ansible_post_tasks: null
ansible_pre_tasks: null
config:
  baked: default.yml
  defaults_dir: /tmp/defaults
  env:
    headers: null
    var: SPLUNK_DEFAULTS_URL
    verify: true
  host:
    headers: null
    url: null
    verify: true
  max_delay: 60
  max_retries: 3
  max_timeout: 1200
hide_password: false
retry_delay: 3
retry_num: 60
wait_for_splunk_retry_num: 60
shc_sync_retry_num: 60
splunk:
  admin_user: admin
  app_paths:
    default: /opt/splunk/etc/apps
    deployment: /opt/splunk/etc/deployment-apps
    httpinput: /opt/splunk/etc/apps/splunk_httpinput
    idxc: /opt/splunk/etc/master-apps
    shc: /opt/splunk/etc/shcluster/apps
  enable_service: false
  exec: /opt/splunk/bin/splunk
  group: splunk
  hec:
    enable: True
    ssl: True
    token: null
    port: 8088
  home: /opt/splunk
  http_enableSSL: 0
  http_enableSSL_cert: null
  http_enableSSL_privKey: null
  http_enableSSL_privKey_password: null
  http_port: 8000
  idxc:
    label: idxc_label
    replication_factor: 3
    replication_port: 9887
    search_factor: 3
    secret: null
    pass4SymmKey: null
  ignore_license: false
  license_download_dest: /tmp/splunk.lic
  opt: /opt
  password: helloworld
  pid: /opt/splunk/var/run/splunk/splunkd.pid
  s2s_enable: true
  s2s_port: 9997
  search_head_cluster_url: null
  secret: null
  pass4SymmKey: null
  shc:
    label: shc_label
    replication_factor: 3
    replication_port: 9887
    secret: null
    pass4SymmKey: null
  smartstore: null
  svc_port: 8089
  tar_dir: splunk
  user: splunk
  wildcard_license: false
  splunk_home_ownership_enforcement: true
```

Execution command:

```bash
ansible-playbook --inventory hosts --connection local site.yml --extra-vars "@default.yml"
```
The HTTP Event Collector (HEC) enables sending data directly to Splunk via an HTTP endpoint and a token. Here's how you can enable it with a user-defined token (`abcd-1234-efgh-5678`).
`hosts` file (inventory):

```
localhost ansible_connection=local
```

`default.yml`:

```yaml
---
ansible_post_tasks: null
ansible_pre_tasks: null
config:
  baked: default.yml
  defaults_dir: /tmp/defaults
  env:
    headers: null
    var: SPLUNK_DEFAULTS_URL
    verify: true
  host:
    headers: null
    url: null
    verify: true
  max_delay: 60
  max_retries: 3
  max_timeout: 1200
hide_password: false
retry_delay: 3
retry_num: 60
wait_for_splunk_retry_num: 60
shc_sync_retry_num: 60
splunk:
  admin_user: admin
  app_paths:
    default: /opt/splunk/etc/apps
    deployment: /opt/splunk/etc/deployment-apps
    httpinput: /opt/splunk/etc/apps/splunk_httpinput
    idxc: /opt/splunk/etc/master-apps
    shc: /opt/splunk/etc/shcluster/apps
  enable_service: false
  exec: /opt/splunk/bin/splunk
  group: splunk
  hec:
    enable: True
    ssl: True
    token: abcd-1234-efgh-5678
    port: 8088
  home: /opt/splunk
  http_enableSSL: 0
  http_enableSSL_cert: null
  http_enableSSL_privKey: null
  http_enableSSL_privKey_password: null
  http_port: 8000
  idxc:
    label: idxc_label
    replication_factor: 3
    replication_port: 9887
    search_factor: 3
    secret: null
  ignore_license: false
  license_download_dest: /tmp/splunk.lic
  opt: /opt
  password: helloworld
  pid: /opt/splunk/var/run/splunk/splunkd.pid
  s2s_enable: true
  s2s_port: 9997
  search_head_cluster_url: null
  secret: null
  shc:
    label: shc_label
    replication_factor: 3
    replication_port: 9887
    secret: null
  smartstore: null
  svc_port: 8089
  tar_dir: splunk
  user: splunk
  wildcard_license: false
  splunk_home_ownership_enforcement: true
```

Execution command:

```bash
ansible-playbook --inventory hosts --connection local site.yml --extra-vars "@default.yml"
```
For this case, the `splunk.hec.ssl` parameter governs whether the HEC endpoint is reachable over HTTP or HTTPS.
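Before handing a `default.yml` like the ones above to `ansible-playbook`, it is worth checking it for the settings that weaken a deployment (the placeholder admin password, `hide_password: false`, SplunkWeb and HEC over plain HTTP). The following is an added example, not code from `splunk-ansible`; it includes its own minimal parser for the nested `key: value` layout of this file so that it runs without PyYAML, and `SAMPLE` is a constructed cut-down copy of the HEC `default.yml` shown above.

```python
# Added example, not part of splunk-ansible: audit a default.yml for weak settings
# before running the playbook. The minimal parser handles only the nested
# "key: value" mappings this file uses (no lists or anchors), so PyYAML is not needed.
def parse_simple_yaml(text):
    """Parse indentation-nested 'key: value' lines into nested dicts of strings."""
    stack = [(-1, {})]                        # (indent, mapping open at that indent)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "---" or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = line.partition(":")
        while stack[-1][0] >= indent:         # climb back to this key's parent
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:                                 # a bare key opens a nested mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
    return stack[0][1]

def truthy(value):
    return str(value).lower() in ("true", "yes", "1")

def audit(cfg):
    """Return a list of findings; an empty list means no weak setting was seen."""
    findings = []
    splunk = cfg.get("splunk", {})
    if splunk.get("password") == "helloworld":
        findings.append("splunk.password is the repository placeholder 'helloworld'")
    if not truthy(cfg.get("hide_password", "false")):
        findings.append("hide_password is false: credentials can show up in playbook output")
    if str(splunk.get("http_enableSSL", "0")) == "0":
        findings.append("splunk.http_enableSSL is 0: SplunkWeb logins go over plain HTTP")
    hec = splunk.get("hec", {})
    if truthy(hec.get("enable")) and not truthy(hec.get("ssl")):
        findings.append("splunk.hec.ssl is off: HEC tokens travel over plain HTTP")
    return findings

# Constructed sample: the HEC default.yml from this page, cut down to the keys audited.
SAMPLE = """---
hide_password: false
splunk:
  hec:
    enable: True
    ssl: True
  http_enableSSL: 0
  password: helloworld
"""
```

Running `audit(parse_simple_yaml(SAMPLE))` on the sample reports three findings (placeholder password, `hide_password`, plain-HTTP SplunkWeb) and none for HEC, because `ssl: True` is set.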
A reverse proxy can be used to access Splunk through an ingress controller resource or behind a load balancer, within your corporate firewall policy. Here's how you can enable SplunkWeb to run behind a prefix route such as `/splunkweb`.
`default.yml`:

```yaml
---
ansible_post_tasks: null
ansible_pre_tasks: null
config:
  baked: default.yml
  defaults_dir: /tmp/defaults
  env:
    headers: null
    var: SPLUNK_DEFAULTS_URL
    verify: true
  host:
    headers: null
    url: null
    verify: true
  max_delay: 60
  max_retries: 3
  max_timeout: 1200
hide_password: false
retry_delay: 3
retry_num: 60
wait_for_splunk_retry_num: 60
shc_sync_retry_num: 60
splunk:
  root_endpoint: /splunkweb
  admin_user: admin
  app_paths:
    default: /opt/splunk/etc/apps
    deployment: /opt/splunk/etc/deployment-apps
    httpinput: /opt/splunk/etc/apps/splunk_httpinput
    idxc: /opt/splunk/etc/master-apps
    shc: /opt/splunk/etc/shcluster/apps
  enable_service: false
  exec: /opt/splunk/bin/splunk
  group: splunk
  hec:
    enable: True
    ssl: True
    token: abcd-1234-efgh-5678
    port: 8088
  home: /opt/splunk
  http_enableSSL: 0
  http_enableSSL_cert: null
  http_enableSSL_privKey: null
  http_enableSSL_privKey_password: null
  http_port: 8000
  idxc:
    label: idxc_label
    replication_factor: 3
    replication_port: 9887
    search_factor: 3
    secret: null
  ignore_license: false
  license_download_dest: /tmp/splunk.lic
  opt: /opt
  password: helloworld
  pid: /opt/splunk/var/run/splunk/splunkd.pid
  s2s_enable: true
  s2s_port: 9997
  search_head_cluster_url: null
  secret: null
  shc:
    label: shc_label
    replication_factor: 3
    replication_port: 9887
    secret: null
  smartstore: null
  svc_port: 8089
  tar_dir: splunk
  user: splunk
  wildcard_license: false
  splunk_home_ownership_enforcement: true
```

Execution command:

```bash
ansible-playbook --inventory hosts --connection local site.yml --extra-vars "@default.yml"
```
After the command runs, you can access SplunkWeb at `http://localhost:8000/splunkweb`.
Ansible supports custom inventory scripts. For more information on how this works and how to create your own inventory script, see Ansible's documentation on dynamic inventories.

This codebase includes an example of one, located at `inventory/environ.py`. This script is meant for local connection use and is the primary driver behind the official Splunk Docker image. `environ.py` converts environment variables into Ansible variables dynamically, so there is no need for the `default.yml` from the previous examples. However, in some cases a `default.yml` is still necessary in order to consolidate state across multiple instances of a distributed deployment.

Execution command:

```bash
ansible-playbook --inventory inventory/environ.py --connection local site.yml
```
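To make the environment-to-variable translation concrete, here is an added example of a minimal dynamic inventory script in the same spirit; it is not the project's `inventory/environ.py`. It maps a handful of environment variables onto the `splunk.*` structure used in `default.yml` and emits the JSON Ansible expects from `--list`, so that secrets such as the admin password and HEC token never have to sit in a file on disk. The variable names (`SPLUNK_PASSWORD`, `SPLUNK_HEC_TOKEN`, `SPLUNK_HEC_SSL`, `SPLUNK_ROOT_ENDPOINT`) and the mapping are this example's own choices, not a description of what `environ.py` supports.

```python
# Added example, not the project's inventory/environ.py: a minimal Ansible
# dynamic-inventory script in the same spirit. It maps a few environment
# variables onto the splunk.* variables seen in default.yml and prints the JSON
# ansible-playbook expects. The variable names and the mapping are this
# example's own choices, not a description of what environ.py supports.
import json
import os
import sys

def to_bool(value):
    return str(value).lower() in ("true", "yes", "1")

# environment variable -> (path inside the host variables, converter)
MAPPING = {
    "SPLUNK_PASSWORD": (("splunk", "password"), str),
    "SPLUNK_HEC_TOKEN": (("splunk", "hec", "token"), str),
    "SPLUNK_HEC_SSL": (("splunk", "hec", "ssl"), to_bool),
    "SPLUNK_ROOT_ENDPOINT": (("splunk", "root_endpoint"), str),
}

def build_vars(environ):
    """Nest the recognised environment variables into the splunk.* structure."""
    hostvars = {"ansible_connection": "local"}   # same as the static hosts file
    for name, (path, convert) in MAPPING.items():
        if name not in environ:
            continue                             # unset variables keep the role default
        node = hostvars
        for part in path[:-1]:
            node = node.setdefault(part, {})
        node[path[-1]] = convert(environ[name])
    return hostvars

def inventory(environ):
    """Inventory document for --list: one local host plus its hostvars."""
    return {
        "all": {"hosts": ["localhost"]},
        "_meta": {"hostvars": {"localhost": build_vars(environ)}},
    }

if __name__ == "__main__":
    # Ansible calls the script with --list, and may then call --host <name>.
    if len(sys.argv) > 2 and sys.argv[1] == "--host":
        print(json.dumps(build_vars(os.environ)))
    else:
        print(json.dumps(inventory(os.environ), indent=2))
```

Because `_meta.hostvars` is populated, Ansible does not need to call `--host` for each host; the `--host` branch is kept for completeness.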
The playbooks in this repository are already being used in the context of containers! For more information on how this works, please see the docker-splunk project and learn how `splunk-ansible` is incorporated.