Access Splunk alerts through Ansible

I would like to access Splunk alerts through Ansible. We have several alerts in Splunk which we want to access through Ansible. Please let me know whether we can access Splunk alerts via Ansible. If so, let me know the steps.

Can you describe in more detail what you are trying to do with those alerts? You need to go into more detail about what you are trying to do.

Hi,
Thanks for your email.

We have created a number of alerts in Splunk for our project environments (dev, UAT, production), and now we would like to call these alerts through Ansible / Ansible Tower, because we have limited access in Splunk and want to execute the alert and check its result. Is there a way to access these alerts via an Ansible command or Ansible Tower?

You might be able to use the uri module and conditionals, but I haven’t tried it with Splunk.

Or better, if Splunk can make curl/API calls to Tower, that’s a better option.

Hi,

Thanks for your email.

Can we create a Splunk alert from Ansible / Ansible Tower? I would like to write an Ansible script to create the Splunk alert from Ansible, just like we create an EC2 instance from an Ansible script.

Hello Pradeep,

When you say ‘access Splunk alerts’, what do you mean? Would you like the Splunk alert to do something with Ansible, maybe trigger an Ansible playbook run? If you can describe the specific scenario, that would be most helpful.

Thanks!

Have you configured logging yet? https://docs.ansible.com/ansible-tower/latest/html/userguide/logging_in.html

Yes, you can create alerts from configuration files in Splunk. You can write a playbook that updates savedsearches.conf for the specific app in which you want to create the alert, and then reloads the alerts (https://127.0.0.1:8089/services/data//ui/alerts/_reload).
To just access the saved searches you can make a REST call to https://127.0.0.1:8089/services/saved/searches
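The REST route above, worked through as an added example (this is not code from the thread, from Ansible or from Splunk): a playbook that lets a developer pass the alert name, search and recipient as variables, then creates the alert through the saved/searches endpoint with the uri module, or updates it if a saved search of that name already exists. The host name, app, owner, environment variables for credentials and all alert values are assumptions; override them with -e or a vars file.

```yaml
# Added example (not code from this thread, Ansible or Splunk): let a developer
# pass parameters and have Ansible create or update a Splunk alert through the
# saved/searches REST endpoint using the uri module. Host, app, credentials and
# alert values below are assumptions; override them with -e or a vars file.
- name: Create or update a Splunk alert through the REST API
  hosts: localhost
  gather_facts: false
  vars:
    splunk_host: "splunk-sh.example.com"   # the search head, not 127.0.0.1
    splunk_app: "search"                   # app that will own the alert
    splunk_owner: "nobody"                 # app-level (shared) object
    splunk_user: "{{ lookup('env', 'SPLUNK_USER') }}"
    splunk_password: "{{ lookup('env', 'SPLUNK_PASSWORD') }}"
    splunk_validate_certs: true            # set false only in a lab that still runs the default self-signed cert
    splunk_base: "https://{{ splunk_host }}:8089/servicesNS/{{ splunk_owner }}/{{ splunk_app }}"
    alert_name: "dev-payment-api-errors"
    alert_search: "index=app env=dev sourcetype=payment-api log_level=ERROR | stats count"
    alert_email: "dev-team@example.com"
    # Keys are the savedsearches.conf attributes the endpoint accepts.
    alert_attrs:
      search: "{{ alert_search }}"
      description: "Managed by Ansible; do not edit in the UI"
      is_scheduled: "1"
      cron_schedule: "*/5 * * * *"
      dispatch.earliest_time: "-5m"
      dispatch.latest_time: "now"
      alert_type: "number of events"
      alert_comparator: "greater than"
      alert_threshold: "0"
      alert.track: "1"
      alert.severity: "4"
      actions: "email"
      action.email.to: "{{ alert_email }}"
      output_mode: "json"
  tasks:
    - name: Check whether the alert already exists (200) or not (404)
      uri:
        url: "{{ splunk_base }}/saved/searches/{{ alert_name | urlencode }}?output_mode=json"
        method: GET
        user: "{{ splunk_user }}"
        password: "{{ splunk_password }}"
        force_basic_auth: true
        validate_certs: "{{ splunk_validate_certs }}"
        status_code: [200, 404]
      register: existing

    - name: Create the alert (POST to the collection, name carried in the body)
      uri:
        url: "{{ splunk_base }}/saved/searches"
        method: POST
        user: "{{ splunk_user }}"
        password: "{{ splunk_password }}"
        force_basic_auth: true
        validate_certs: "{{ splunk_validate_certs }}"
        body_format: form-urlencoded
        body: "{{ alert_attrs | combine({'name': alert_name}) }}"
        status_code: [201]        # Splunk answers 201 Created on success
      when: existing.status == 404

    - name: Update the alert (POST to the entity, name must not be in the body)
      uri:
        url: "{{ splunk_base }}/saved/searches/{{ alert_name | urlencode }}"
        method: POST
        user: "{{ splunk_user }}"
        password: "{{ splunk_password }}"
        force_basic_auth: true
        validate_certs: "{{ splunk_validate_certs }}"
        body_format: form-urlencoded
        body: "{{ alert_attrs }}"
        status_code: [200]
      when: existing.status == 200
```

Run it as `ansible-playbook splunk_alert.yml -e alert_name=... -e alert_search='...' -e alert_email=...`; in Tower the same variables become survey fields. The account behind SPLUNK_USER needs write permission on the app and the capability to schedule searches, which is exactly where "limited access" will bite: if the account cannot create a scheduled search in the UI, the REST call will fail the same way. Prefer a Splunk authentication token passed as an `Authorization: Bearer` header over an admin password in an environment variable, and keep certificate validation on outside a lab.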

Hi Ravi,

Thanks for your response.

I am unable to open the URLs you gave (https://127.0.0.1:8089/services/data//ui/alerts/_reload, https://127.0.0.1:8089/services/saved/searches). Can you please email the file and a screenshot so that I can create my Ansible script to create a Splunk alert from Ansible?

I would like to write an Ansible script to create the Splunk alert from Ansible, just like we create an EC2 instance from an Ansible script with the EC2 module.

Yes please.

But I would like to write an Ansible script to create the Splunk alert from Ansible, just like we create an EC2 instance from an Ansible script with the EC2 module.
I didn’t find a Splunk module in Ansible to create alerts.

Hi Mark,

Thanks for your email.

I would like to write an Ansible script to create the Splunk alert from Ansible, just like we create an EC2 instance from an Ansible script with the EC2 module. Developers can run this script and create the Splunk alert for their package; they can simply pass the parameters and create the Splunk alert via the Ansible script, because we have limited access in Splunk.

I didn’t find a Splunk module in Ansible to create alerts.

That’s just the localhost REST endpoint; use your search head IP/FQDN instead of 127.0.0.1.

The configuration file path depends on the app in which you want to create the alert.
For example, if you want to create the alert in the Search & Reporting app, the location would be $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf

Ah, I understand now. OK, so it’s Splunk configuration. I think somebody else in this thread mentioned the config file you need to change. That, of course, is pretty easy to do with Ansible – you could use a template [1] or lineinfile [2] (if it’s a single line, that is; otherwise the template module is far more suitable).

You say you have limited access to Splunk – that may prove to be a problem, as changing configuration files will require restarting Splunk.

Cheers

[1] https://docs.ansible.com/ansible/latest/modules/template_module.html
[2] https://docs.ansible.com/ansible/latest/modules/lineinfile_module.html
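The configuration-file route from the last two replies, as an added example (not code from the thread, from Ansible or from Splunk): a playbook that manages one alert as a stanza in the app's local savedsearches.conf on the search head and restarts Splunk through a handler. It uses the ini_file module rather than template or lineinfile, because ini_file edits a single stanza and leaves every other alert in the file untouched, whereas a template would overwrite the whole file. The inventory group, SPLUNK_HOME, OS user and all alert values are assumptions.

```yaml
# Added example (not code from this thread, Ansible or Splunk): manage one alert
# as a stanza in the app's local savedsearches.conf on the search head, then
# restart Splunk through a handler. ini_file is used instead of template or
# lineinfile because it edits a single stanza and leaves the other alerts in the
# file alone. Inventory group, paths, users and alert values are assumptions.
- name: Manage a Splunk alert in savedsearches.conf
  hosts: splunk_search_heads
  become: true
  become_user: splunk                      # OS account Splunk runs as
  vars:
    splunk_home: /opt/splunk
    splunk_app: search                     # the "Search & Reporting" app
    alert_state: present                   # present or absent
    alert_name: "prod-payment-api-errors"
    savedsearches_conf: "{{ splunk_home }}/etc/apps/{{ splunk_app }}/local/savedsearches.conf"
    # Same key names as the [stanza] attributes in savedsearches.conf.
    alert_attrs:
      search: "index=app env=prod sourcetype=payment-api log_level=ERROR | stats count"
      enableSched: "1"
      cron_schedule: "*/5 * * * *"
      dispatch.earliest_time: "-5m"
      dispatch.latest_time: "now"
      alert_type: "number of events"
      alert_comparator: "greater than"
      alert_threshold: "0"
      alert.track: "1"
      alert.severity: "4"
      action.email: "1"
      action.email.to: "prod-oncall@example.com"
  tasks:
    - name: Make sure the app's local directory exists
      file:
        path: "{{ savedsearches_conf | dirname }}"
        state: directory

    - name: Write one option of the [{{ alert_name }}] stanza
      ini_file:
        path: "{{ savedsearches_conf }}"
        section: "{{ alert_name }}"
        option: "{{ item.key }}"
        value: "{{ item.value }}"
        mode: "0600"
      loop: "{{ alert_attrs | dict2items }}"
      loop_control:
        label: "{{ item.key }}"
      when: alert_state == 'present'
      notify: restart splunk

    - name: Remove the whole stanza when the alert is retired
      ini_file:
        path: "{{ savedsearches_conf }}"
        section: "{{ alert_name }}"
        state: absent
      when: alert_state == 'absent'
      notify: restart splunk

  handlers:
    - name: restart splunk
      command: "{{ splunk_home }}/bin/splunk restart"
```

Two practical caveats. First, this needs SSH and sudo on the search head, so with the limited Splunk access described in the thread it may be the route you cannot take, in which case the REST endpoint Ravi gave is the one to use. Second, the handler only fires when a stanza actually changed, but a restart of a production search head interrupts running and scheduled searches; the reload URL mentioned earlier in the thread avoids a full restart, so consider calling it with the uri module in place of the restart handler where your Splunk version supports it.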