salt.modules.splunk_search

Module for interop with the Splunk API

New in version 2015.5.0.

depends
  • splunk-sdk python module

configuration

Configure this module by specifying the name of a configuration profile in the minion config, minion pillar, or master config. The module will use the 'splunk' key by default, if defined.

For example:

splunk:
    username: alice
    password: abc123
    host: example.splunkcloud.com
    port: 8080

salt.modules.splunk_search.create(name, profile='splunk', **kwargs)

Create a splunk search

CLI Example:

splunk_search.create 'my search name' search='error msg'

salt.modules.splunk_search.delete(name, profile='splunk')

Delete a splunk search

CLI Example:

splunk_search.delete 'my search name'

salt.modules.splunk_search.get(name, profile='splunk')

Get a splunk search

CLI Example:

splunk_search.get 'my search name'

salt.modules.splunk_search.list_(profile='splunk')

List splunk searches (names only)

CLI Example:

splunk_search.list

salt.modules.splunk_search.list_all(prefix=None, app=None, owner=None, description_contains=None, name_not_contains=None, profile='splunk')

Get all splunk search details. Produces results that can be used to create an sls file.

If app or owner is specified, results will be limited to saved searches matching that app or owner.

If description_contains is specified, results will be limited to those where "description_contains in description" is true. If name_not_contains is specified, results will be limited to those where "name_not_contains not in name" is true.

If the prefix parameter is given, alarm names in the output will be prepended with the prefix, and alarms that already carry the prefix will be skipped. This can be used to convert existing alarms to be managed by salt, as follows:

CLI Example:

  1. Make a "backup" of all existing searches

    $ salt-call splunk_search.list_all --out=txt | sed "s/local: //" > legacy_searches.sls

  2. Get all searches with new prefixed names

    $ salt-call splunk_search.list_all "prefix=**MANAGED BY SALT** " --out=txt | sed "s/local: //" > managed_searches.sls

  3. Insert the managed searches into splunk

    $ salt-call state.sls managed_searches.sls

  4. Manually verify that the new searches look right

  5. Delete the original searches

    $ sed s/present/absent/ legacy_searches.sls > remove_legacy_searches.sls
    $ salt-call state.sls remove_legacy_searches.sls

  6. Get all searches again, verify no changes

    $ salt-call splunk_search.list_all --out=txt | sed "s/local: //" > final_searches.sls
    $ diff final_searches.sls managed_searches.sls
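The filter and prefix semantics documented for list_all, together with the present-to-absent conversion from step 5, as an added Python illustration. This is not code from Salt's splunk_search module: it runs against a constructed in-memory list of saved searches instead of the Splunk API, and the record fields, the sls layout it renders, and the helper names (list_all, render_sls, to_absent) are assumptions made for the example.

```python
import json
from typing import Dict, List

# Constructed sample records standing in for Splunk saved searches.
# Field names mirror the parameters the documentation filters on.
SAMPLE_SEARCHES: List[Dict[str, str]] = [
    {"name": "Failed logins", "app": "search", "owner": "alice",
     "description": "Brute-force detection",
     "search": "index=auth action=failure | stats count by src"},
    {"name": "**MANAGED BY SALT** Failed logins", "app": "search", "owner": "alice",
     "description": "Brute-force detection",
     "search": "index=auth action=failure | stats count by src"},
    {"name": "Disk usage", "app": "os_monitor", "owner": "bob",
     "description": "Capacity watch", "search": "index=os sourcetype=df"},
    {"name": "test search", "app": "search", "owner": "bob",
     "description": "scratch query", "search": "index=_internal | head 10"},
]


def list_all(searches, prefix=None, app=None, owner=None,
             description_contains=None, name_not_contains=None):
    """Apply the documented list_all filters and return present-state data
    keyed by the (possibly prefixed) search name."""
    result = {}
    for rec in searches:
        if app is not None and rec["app"] != app:
            continue
        if owner is not None and rec["owner"] != owner:
            continue
        if description_contains is not None and description_contains not in rec["description"]:
            continue
        if name_not_contains is not None and name_not_contains in rec["name"]:
            continue
        name = rec["name"]
        if prefix is not None:
            if name.startswith(prefix):
                continue  # already carries the prefix: skip it, as documented
            name = prefix + name
        result[name] = {"splunk_search.present": [
            {"search": rec["search"]},
            {"app": rec["app"]},
            {"owner": rec["owner"]},
            {"description": rec["description"]},
        ]}
    return result


def render_sls(states):
    """Render the dict as sls text, the shape steps 1 and 2 redirect into files.
    JSON string quoting is valid YAML, so names containing '*' or ':' stay safe."""
    lines = []
    for name, body in states.items():
        lines.append(f"{json.dumps(name)}:")
        for state_fn, args in body.items():
            lines.append(f"  {state_fn}:")
            for item in args:
                (key, value), = item.items()
                lines.append(f"    - {key}: {json.dumps(value)}")
    return "\n".join(lines) + "\n"


def to_absent(sls_text):
    """Step 5's conversion of the backup into a removal state file. Unlike a
    blanket `sed s/present/absent/`, only the state function key is rewritten,
    so a search name or description containing the word 'present' is untouched."""
    return sls_text.replace("splunk_search.present:", "splunk_search.absent:")


if __name__ == "__main__":
    legacy = list_all(SAMPLE_SEARCHES)
    managed = list_all(SAMPLE_SEARCHES, prefix="**MANAGED BY SALT** ")
    print(render_sls(managed))          # what managed_searches.sls would hold
    print(to_absent(render_sls(legacy)))  # what remove_legacy_searches.sls would hold
```

With the sample data, the prefixed listing contains three entries: the record that already starts with "**MANAGED BY SALT** " is skipped, which is what keeps the procedure idempotent when it is re-run after some searches have been converted. The to_absent helper rewrites only the state key because the sed one-liner in step 5 replaces the first "present" on every line, including inside a search name or description, which would corrupt the removal file for such entries.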

salt.modules.splunk_search.update(name, profile='splunk', **kwargs)

Update a splunk search

CLI Example:

splunk_search.update 'my search name' sharing=app

© 2021 SaltStack.
Licensed under the Apache License, Version 2.0.
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.splunk_search.html