Splunk Module Development Recommendations

Brendan Murtagh

Jan 8, 2013, 10:01:20 AM
to puppet...@googlegroups.com
Good morning,

We've been testing PE and beginning to develop modules for our infrastructure. One of the modules I'm looking to create is an installation for Splunk, with the primary focus, at this time, on the Forwarder. I already have the splunkforwarder-5.0.1-143156-linux-2.6-amd64.deb package being fetched from the Master and the installation being performed via dpkg. I need help brainstorming/figuring out the best way to handle the rest of the installation/configuration commands. Here is the guide I was given to complete the installation for the Splunk Forwarder:

dpkg -i splunkforwarder-5.0.1-143156-linux-2.6-amd64.deb

source /opt/splunkforwarder/bin/setSplunkEnv 

splunk start

splunk add forward-server 10.1.1.45:9996
Splunk username: admin
Password: password

splunk restart

splunk enable boot-start

cd /data/apps/ror/pws/current/log

splunk add monitor .

edit /opt/splunkforwarder/etc/apps/search/local/inputs.conf

Add the following lines:

inputs.conf for the web servers
[monitor:///var/log]
disabled = false

[monitor:///data/apps/ror/pws/shared/log/leads.log]
disabled = false
sourcetype = est_appts

[monitor:///data/apps/ror/pws/shared/log/audit.log]
disabled = false
sourcetype = salesbooks

[monitor:///data/apps/ror/pws/shared/log/production.log]
disabled = false
sourcetype = rails

[monitor:///data/apps/ror/pws/shared/log/call_attempts.log]
disabled = false
sourcetype = call_attempts

[monitor:///data/apps/ror/pws/shared/log/call_selection.log]
disabled = false
sourcetype = call_selection

I'm ok using a template/content parameter for handling the /opt/splunkforwarder/etc/apps/search/local/inputs.conf file. What are some of the recommended ways for handling the install steps prior to the inputs.conf edits?

Thanks,

Brendan

Darin Perusich

Jan 8, 2013, 2:12:39 PM
to puppet...@googlegroups.com
I've broken my splunk module into splunk::client for the forwarder and
splunk::server for the server. Both inherit splunk, which realizes the
user and group (I don't let the splunk packages create them because
they're created as non-system accounts which collide with LDAP
accounts) and creates the init script, again modified since I don't
like the supplied one. The client also creates the
deploymentclient.conf so we can push what to monitor from the splunk
server.

No need to add forward-server or any of that other stuff.

--
Later,
Darin
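
A sketch of the file-based approach described in the reply above, as an added example that is not Darin's module or code from the thread: writing outputs.conf and deploymentclient.conf as managed files replaces `splunk add forward-server`, so no Splunk admin username or password has to appear in a manifest or on a command line. The class name, the deployment server host and the local package path are assumptions; the indexer address is the one from the install guide.

```puppet
# Added example; class name, deployment server and package path are hypothetical.
class splunk_forwarder_example (
  $forward_server    = '10.1.1.45:9996',              # indexer from the install guide
  $deployment_server = 'splunk-ds.example.com:8089',  # assumed placeholder host
  $splunk_home       = '/opt/splunkforwarder',
  $package_source    = '/var/tmp/splunkforwarder-5.0.1-143156-linux-2.6-amd64.deb'
) {
  package { 'splunkforwarder':
    ensure   => installed,
    provider => dpkg,
    source   => $package_source,   # assumed to have been fetched already
  }

  # Takes the place of `splunk add forward-server`: no admin login is involved.
  file { "${splunk_home}/etc/system/local/outputs.conf":
    ensure  => file,
    mode    => '0644',
    content => "[tcpout]\ndefaultGroup = primary\n\n[tcpout:primary]\nserver = ${forward_server}\n",
    require => Package['splunkforwarder'],
    notify  => Service['splunk'],
  }

  # Points the forwarder at a deployment server, which then pushes inputs.conf.
  file { "${splunk_home}/etc/system/local/deploymentclient.conf":
    ensure  => file,
    mode    => '0644',
    content => "[deployment-client]\n\n[target-broker:deploymentServer]\ntargetUri = ${deployment_server}\n",
    require => Package['splunkforwarder'],
    notify  => Service['splunk'],
  }

  # Takes the place of `splunk enable boot-start`; `creates` makes it run only once.
  exec { 'splunk-enable-boot-start':
    command => "${splunk_home}/bin/splunk enable boot-start --accept-license --answer-yes --no-prompt",
    creates => '/etc/init.d/splunk',
    require => Package['splunkforwarder'],
  }

  # Takes the place of `splunk start` and `splunk restart`.
  service { 'splunk':
    ensure  => running,
    enable  => true,
    require => Exec['splunk-enable-boot-start'],
  }
}
```

If inputs.conf is managed by Puppet instead of a deployment server, the deploymentclient.conf resource can be swapped for a template-backed file resource that notifies the same service.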

Brendan Murtagh

Jan 9, 2013, 8:26:33 AM
to puppet...@googlegroups.com
Thanks for the input, Darin. I did want to question why you don't add or have a place in code for the add forward server? Is it because it's contained in templates that you reference?

Keiran Sweet

Jan 9, 2013, 8:47:55 AM
to puppet...@googlegroups.com
Hi there,
I'm not sure if Luke's splunk work has hit the forge, but you may find some useful splunk/puppet examples here: http://verypowerful.info/

I know he did talk at the Sydney puppet camp last year about this topic, however I've not been able to locate his slides. His contact details are on the link above, so maybe it's worth reaching out to see if you can get a copy.

Cheers,

K

Brendan Murtagh

Jan 9, 2013, 8:55:46 AM
to puppet...@googlegroups.com
Hey Keiran,

That's one of my sources that I'm using as a guide when developing our module. I think some of his stuff is excessive for our infrastructure so I'm utilizing bits & pieces from his work and building around it.

Thanks,

Brendan