Access Splunk alerts through ansible

[Pradeep Drall]

I would like to access Splunk alerts through ansible. We have several alerts in Splunk which we wants to access through ansible. Please do let me know can we access splunk alerts via ansible. If so, let me know the steps. 

 

[Jonathan Lozada De La Matta]

can you describe more what are you trying to do with those alerts? you need to go into more detail in what you are trying to do.

On Mon, Aug 20, 2018 at 12:37 PM Pradeep Drall <drallp...@gmail.com> wrote:

I would like to access Splunk alerts through ansible. We have several alerts in Splunk which we wants to access through ansible. Please do let me know can we access splunk alerts via ansible. If so, let me know the steps. 

 

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/bdf57008-8a33-4f07-97f4-16c46d239d88%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Jonathan lozada de la matta

AUTOMATION CONSULTANT - AUTOMATION PRACTICE

Red Hat Consulting Services

jloz...@redhat.com   

 

[Pradeep Drall]

Hi, 

Thanks for your email. 

We have created number of alerts in Splunk for our project environment (dev, uat, production), now we would like to call these alerts through ansible / ansible tower. Because we have limited access in splunk and wants to execute / check the alert result. Is there a way to access these alerts via ansible command or ansible tower. 

Thanks & regards,

Pradeep Kumar Drall

919711940167

skype - pradeep.kumar2607

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAFYJA%2BJ4-P2roOMQEBSa394C5RYsYvRLUfms%3DXr0H4N%2B2qtVfg%40mail.gmail.com.

[Jonathan Lozada De La Matta]

you might be able to use the uri modules and conditionals but, I haven't tried it with splunk.

[Jonathan Lozada De La Matta]

or better if splunk can do curl/api calls to tower then that's a better option.

On Wed, Aug 22, 2018 at 1:23 AM Pradeep Drall <drallp...@gmail.com> wrote:

[Pradeep Drall]

Hi, 

Thanks for your email. 

Can we create splunk alert from ansible / ansible tower. I would like to write a ansible script to create the splunk alert from ansible, just like we create EC2 instance from ansible script. 

 

Thanks & regards,

Pradeep Kumar Drall

919711940167

skype - pradeep.kumar2607

[Mark Phillips]

Hello Pradeep,

When you say 'access Splunk alerts' how do you mean? Would you like the Splunk alert to do something with Ansible? Maybe trigger an Ansible playbook run? If you can talk of the specific scenario that would be most helpful.

Thanks!

[Jonathan Lozada De La Matta]

have you configured logging yet ? https://docs.ansible.com/ansible-tower/latest/html/userguide/logging_in.html

--

You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/e66ef23e-1688-4df8-a922-7451be723f1b%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Ravi Reddy]

Yes, you can create alerts from configuration files in splunk. You can write a playbook and update the savedsearches.conf for the specific app you want to create alert and then reload alerts (https://127.0.0.1:8089/services/data//ui/alerts/_reload)

To Just access the savedsearches you can run a rest call to https://127.0.0.1:8089/services/saved/searches

[Pradeep Drall]

Hi Ravi, 

Thanks for your response. 

I am unable to open your given url ((https://127.0.0.1:8089/services/data//ui/alerts/_reload), https://127.0.0.1:8089/services/saved/searches) , can you please email the file and screen shot so that I can create my ansible script to create splunk alert from Ansible. 

I would like to write a ansible script to create the splunk alert from ansible, just like we create EC2 instance from ansible script with EC2 module.

Thanks & regards,

Pradeep Kumar Drall

919711940167

skype - pradeep.kumar2607

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/69a14a52-3dce-435f-bf71-d8cfa5c042b4%40googlegroups.com.

[Pradeep Drall]

Yes please. 

But  I would like to write a ansible script to create the splunk alert from ansible, just like we create EC2 instance from ansible script with EC2 module. 

I didn't find splunk module in ansible to create alert. 

 

Thanks & regards,

Pradeep Kumar Drall

919711940167

skype - pradeep.kumar2607

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAFYJA%2BLoyMO9FSvtW3BGCKpv2uMO%2BfEFDLO9cp6P%3DYGAbgHyLw%40mail.gmail.com.

[Pradeep Drall]

Hi Mark, 

Thanks for your email. 

I would like to write a ansible script to create the splunk alert from ansible, just like we create EC2 instance from ansible script with EC2 module. Developer can run this script and create the splunk alert for their package alert. they can simply pass the parameters and create the splunk alert via ansible script. Because we have limited access in Splunk. 

I didn't find splunk module in ansible to create alert. 

Thanks & regards,

Pradeep Kumar Drall

919711940167

skype - pradeep.kumar2607

--

[Ravi Reddy]

Thats just localhost rest end point, use your search head IP/fqdn instead of 127.0.0.1. 

Configuration file path depends on the app in which you want to create the alert. 

for example if you want to create alert in search & reporting app, the location would be $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf

Regards,

Ravi

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAJv_HQVjmKPG5kdMAoJZL35NV5m6yZcaYmVfXjPUaU2v6v1USw%40mail.gmail.com.

[Mark Phillips]

Ah, I understand now. OK, so it's Splunk configuration. I think somebody else mentioned in this thread the config file you need to change. That, of course, is pretty easy to do with Ansible – you could use a template[1], or lineinfile[2] (if it's a single line, that is – otherwise the template module is far more suitable).

You say you have limited access to Splunk – that may prove to be a problem, as changing configuration files will require restarting Splunk.

Cheers

[1] https://docs.ansible.com/ansible/latest/modules/template_module.html

[2] https://docs.ansible.com/ansible/latest/modules/lineinfile_module.html