Trying to Change Splunk Password via Splunk Syntax - Erroring

Hello!

My first playbook is just about complete. I just have a couple config changes to make with some .conf files and a password edit for the splunk user.

Splunk documentation states to run this command at the command line to change the Splunk admin password:

Run the following command from: $SPLUNK_HOME \bin
```
splunk edit user admin -password complexpasswordhere
```

I couldn’t find a way around it with an Ansible module - I wasn’t sure if this constituted a local password or not so I decided to opt for the following Ansible syntax using the win_shell module:

```yaml
- name: Splunk Install, Upgrade, Removal Process
  hosts: windows
  gather_facts: yes
  tasks:
    - name: Changing Splunk admin password
      win_shell: splunk edit user admin -password passwordgoeshere
      args:
        chdir: "C://Program Files//SplunkUniversalForwarder//bin"
```
```
fatal: [machinename.edu]: FAILED! => {"changed": true, "cmd": "splunk edit user admin -password passwordhere", "delta": "0:00:00.687515", "end": "2018-01-17 09:52:06.426731", "msg": "non-zero return code", "rc": 1, "start": "2018-01-17 09:52:05.739215", "stderr": "splunk : The term 'splunk' is not recognized as the name of a cmdlet, function, script file, or \r\noperable program. Check the spelling of the name, or if a path was included, verify that the path \r\nis correct and try again.\r\nAt line:1 char:65\r\n+ … ::InputEncoding = New-Object Text.UTF8Encoding $false; splunk edit us …\r\n+ ~~~~~~\r\n + CategoryInfo : ObjectNotFound: (splunk:String) , CommandNotFoundException\r\n + FullyQualifiedErrorId : CommandNotFoundException", "stderr_lines": ["splunk : The term 'splunk' is not recognized as the name of a cmdlet, function, script file, or ", "operable program. Check the spelling of the name, or if a path was included, verify that the path ", "is correct and try again.", "At line:1 char:65", "+ … ::InputEncoding = New-Object Text.UTF8Encoding $false; splunk edit us …", "+
```

Am I using this module incorrectly? I thought I could just input the syntax I would have normally run into the win_shell module.

Thanks for any tips!

The win_shell module is used to run shell commands; in the case of PowerShell they could be New-Item, Get-Item, … or for cmd it would be things like dir, pwd and so on. You can technically run executables like splunk through win_shell by prefixing it with the call operator (a PowerShell-ism), but you are better off using win_command, which is designed to run executables directly without a shell.

Here is what I would do

```yaml
- name: Changing Splunk admin password with base win_command
  win_command: '"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" edit user admin -password passwordgoeshere'
```

or

```yaml
- name: Changing Splunk admin password with specific working directory
  win_command: splunk.exe edit user admin -password passwordgoeshere
  args:
    chdir: C:\Program Files\SplunkUniversalForwarder\bin
```

or if you really wanted to use win_shell

```yaml
- name: Changing Splunk admin password with win_shell
  # The value is single-quoted because a plain YAML scalar starting with & is read as an anchor
  win_shell: '&"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" @("edit", "user", "admin", "-password", "passwordgoeshere")'
```

I’ll explain each of the options in more detail

  1. base win_command
  • You need to quote the splunk path with double quotes so that it treats it as one argument with spaces
  • Because yaml rules state that each value that starts with a quote also needs to end with a quote, we will encapsulate the entire value with a single quote

  2. win_command with specific working directory
  • This is pretty much the same as the above but it changes the working directory to C:\Program Files\SplunkUniversalForwarder\bin so you don’t need to set the full path to the executable
  • This is useful when executing something that is dependent on the path you are running

  3. win_shell
  • While this should still work, you need to tell PowerShell what to do; it was trying to find the cmdlet/function/script called splunk, as it doesn’t always run executables from the name
  • Because of the above, I enclose the full path to the executable in quotes and put it directly after the call operator (&)
  • This tells PowerShell to execute the following executable
  • The arguments are then set in a list; while not necessary most of the time, it helps to strictly define the arguments and is useful when dealing with spaces

One more thing that is generic to all the 3 options, when dealing with backslashes in Windows paths, I would always avoid using forward slashes and only use back slashes when necessary. It comes down to these rules

  • Don’t use the key=value Ansible definition and use the yaml structure

  • Avoid quoting values unless it is necessary, most of the time you only need to quote when dealing with : or you need to start with a literal quote value

  • Use \ for paths, e.g. C:\temp and not C:/temp

  • When quoting, use single quotes over double quotes; there are fewer escaping rules for single quotes compared to double quotes (see below)

  • When quoting, backslashes only need to be escaped when using double quotes, e.g. key: C:\temp == key: 'C:\temp' == key: "C:\\temp"

  • Unless otherwise instructed, if an option takes in a single path, you usually don’t need to quote it. For example the chdir arg doesn’t need quotes at all.

This page has more info on this https://docs.ansible.com/ansible/devel/windows_usage.html#path-formatting-for-windows.

Hopefully this helped you in some way.

Thanks

Jordan

Heather,

I run a similar thing in my environment and it works quite ok. What I do is as follows:

```yaml
- name: Set the new Splunk admin password
  action: shell /opt/splunkforwarder/bin/splunk edit user admin -auth admin:changeme -role admin -password {{splunk_new_pass}}
```

Where {{splunk_new_pass}} is the variable which holds the password.

Hopefully this could be of some use for you.

Cheers, Mike
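
Added example, not part of any post in this thread: the failure output in the first post shows that Ansible echoes the full command line, password included, in the task result. The playbook below runs the win_command form with both passwords taken from variables and `no_log: true` set, then reports a failure by return code only. `splunk_old_pass` and `splunk_new_pass` are assumed variable names for values kept in an Ansible Vault-encrypted file, and `splunk_bin` is a helper variable introduced here.

```yaml
# Added example, not from the thread. splunk_old_pass and splunk_new_pass are
# assumed variable names, expected to come from an Ansible Vault-encrypted file.
- name: Rotate the Splunk forwarder admin password
  hosts: windows
  gather_facts: no
  vars:
    # Helper variable introduced for this example
    splunk_bin: C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe
  tasks:
    - name: Stop early if either password variable is missing or empty
      assert:
        that:
          - splunk_old_pass is defined and splunk_old_pass | length > 0
          - splunk_new_pass is defined and splunk_new_pass | length > 0
        quiet: yes
      no_log: true

    - name: Change the Splunk admin password
      win_command: '"{{ splunk_bin }}" edit user admin -auth "admin:{{ splunk_old_pass }}" -password "{{ splunk_new_pass }}"'
      register: splunk_pw
      # no_log keeps the task result, whose cmd field holds the full command
      # line, out of console output and logs
      no_log: true
      # Do not fail here: a censored failure gives the operator nothing to act on
      failed_when: false

    - name: Report a failure by return code only
      fail:
        msg: "splunk edit user exited with rc={{ splunk_pw.rc }}"
      when: splunk_pw.rc != 0
```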