puppetlabs-splunk needs LOTS of usage examples

337 views
Skip to first unread message

Vince Skahan

unread,
Jul 28, 2015, 1:31:24 PM7/28/15
to Puppet Users
Does anybody actually use the puppetlabs-splunk module ?

I've been battling this for too many hours and have a bunch of questions.  I can't really find any references via Google that this is getting much usage, and the documentation in the module itself seems essentially non-existent, but I thought I'd ask just in case:
  • how do you define a section for inputs.conf that has multiple key=value pairs

If I wanted a inputs.conf stanza of the following, how do I make that happen ?


[monitor:///var/log/nginx]
disabled = false
index = main
sourcetype = nginx

       
         I came up with the following, but the problem is it only permits 'one' setting and value.....

splunkforwarder_input { 'nginx':
        section => 'monitor:///var/log/nginx',
        setting => 'disabled'
        value => 'false',
      }

Is there a way to get it to accept multiple free-form multiple key=value pairs ?  It's using their ini module under the hood isn't it ? Is there a secret decoder ring of examples someplace ?

  • the README file seems totally wrong to me. On a centos6 system, it doesn't try to install the universal forwarder rpm from the source tree it tells you to build, and it doesn't use the version/build info it tells you to put into parameters. It does a 'yum install splunkforwarder' with odd options, and no (visible to me) way to control yum options, which repo(s) are enabled/disabled, etc.   While the installation 'does' work and it enables and starts the process well, the whole thing seems like half a solution with a tenth of the docs that I'd expect a 'supported' module to have.

FWIW, I only figured out what was expected by reading the (minimal) tests in the module sources.  I'd have expected some examples/readme files to save hundreds of potential users that pain.


class { 'splunk::params':
         version => '6.1.2',
         build   => '213098',
         server  => 'splunk.apps.oris.washington.edu',
      }
class { 'splunk::forwarder' :

      }


Am I missing something in how to decipher this thing ?  Should we have to spend hours trying to reverse engineer a basically undocumented module that doesn't even really say what it does/doesn't support in terms of functionality or should we just shop elsewhere or roll our own ?  Guess I'm pretty lost/confused/tired of battling this thing.  Ideas ?



 


Sandor W. Sklar

unread,
Jul 28, 2015, 2:15:55 PM7/28/15
to puppet...@googlegroups.com
I had the same experience; I wound up rolling my own, because I just needed something simple that worked to set up the forwarder.  I’ve attached it, maybe you’ll find it useful.

- Sandy

ssklar-splunk.tar.gz

Christina Kyriakidou

unread,
Jul 29, 2015, 9:44:30 AM7/29/15
to Puppet Users, vince...@gmail.com
Hi Vince,
To do that you will need to populate the
https://github.com/puppetlabs/puppetlabs-splunk/blob/master/manifests/forwarder.pp forwarder_input parameter. The title won't matter so you can have 3 different titles pointing to a splunkforwarder_input parameter section. Section is defined in each hash as below:
You will need to say something like
class { 'splunk::forwarder' :
   forwarder_input => {
      'nginx' =>{
        section => 'monitor:///var/log/nginx',
        setting => 'disabled',
        value => 'false',
      },
      'nginx_sourcetype' => { 

        section => 'monitor:///var/log/nginx',
        setting =>  'sourcetype',
        value   => '
nginx'},
       'nginx_input' => {
        
section => 'monitor:///var/log/nginx',
         setting => 'index',
         value   => 'main'
        }
    }
}






Let me know if this helps.





Vince Skahan

unread,
Jul 29, 2015, 11:34:22 AM7/29/15
to Puppet Users, moonlig...@gmail.com
On Wednesday, July 29, 2015 at 6:44:30 AM UTC-7, Christina K. wrote:
Hi Vince,
To do that you will need to populate the
https://github.com/puppetlabs/puppetlabs-splunk/blob/master/manifests/forwarder.pp forwarder_input parameter. The title won't matter so you can have 3 different titles pointing to a splunkforwarder_input parameter section. Section is defined in each hash as below:
You will need to say something like

[...deleted for brevity...]
 






Let me know if this helps.







It does....much appreciated.

Amazing how it takes 15 lines of puppet to write a four-line ini file stanza, and 5 lines of puppet to write each additional line to that stanza.   I guess I was assuming I could cook up an array of key=>value hashes one per line.  Something in needing to use bogus titles that are never used and also needing to repeat the section name every time just bugs me I guess.

Thanks again for the example - gotta love examples that work !

Garrett Honeycutt

unread,
Jul 29, 2015, 3:28:58 PM7/29/15
to puppet...@googlegroups.com
Sandy,

Thanks for sharing your code! Would you consider putting in on github or
a similar place with a corresponding license.

Best regards,
-g


--
Garrett Honeycutt
@learnpuppet
Puppet Training with LearnPuppet.com
Mobile: +1.206.414.8658

Vince Skahan

unread,
Jul 29, 2015, 4:42:27 PM7/29/15
to Puppet Users, g...@garretthoneycutt.com
On Wednesday, July 29, 2015 at 12:28:58 PM UTC-7, Garrett Honeycutt wrote:
Sandy,

Thanks for sharing your code! Would you consider putting in on github or
a similar place with a corresponding license.



I was going to write up a quick set of example docs (with attribution to the real author :-) and submit a PR if that's ok with you guys.

 
Reply all
Reply to author
Forward
0 new messages