salt.modules.splunk_search¶

Module for interop with the Splunk API

New in version 2015.5.0.

depends:

depends:	splunk-sdk python module
configuration:	Configure this module by specifying the name of a configuration profile in the minion config, minion pillar, or master config. The module will use the 'splunk' key by default, if defined. For example: splunk: username: alice password: abc123 host: example.splunkcloud.com port: 8080

splunk-sdk python module

configuration:

Configure this module by specifying the name of a configuration profile in the minion config, minion pillar, or master config. The module will use the 'splunk' key by default, if defined.

For example:

splunk:
    username: alice
    password: abc123
    host: example.splunkcloud.com
    port: 8080

salt.modules.splunk_search.create(name, profile='splunk', **kwargs)¶

Create a splunk search

CLI Example:

splunk_search.create 'my search name' search='error msg'

salt.modules.splunk_search.delete(name, profile='splunk')¶

Delete a splunk search

CLI Example:

splunk_search.delete 'my search name'

salt.modules.splunk_search.get(name, profile='splunk')¶

Get a splunk search

CLI Example:

splunk_search.get 'my search name'

salt.modules.splunk_search.list(profile='splunk')¶

List splunk searches (names only)

CLI Example:: splunk_search.list

salt.modules.splunk_search.list_all(prefix=None, app=None, owner=None, description_contains=None, name_not_contains=None, profile='splunk')¶

Get all splunk search details. Produces results that can be used to create an sls file.

if app or owner are specified, results will be limited to matching saved searches.

if description_contains is specified, results will be limited to those where "description_contains in description" is true if name_not_contains is specified, results will be limited to those where "name_not_contains not in name" is true.

If prefix parameter is given, alarm names in the output will be prepended with the prefix; alarms that have the prefix will be skipped. This can be used to convert existing alarms to be managed by salt, as follows:

CLI example:

Make a "backup" of all existing searches

$ salt-call splunk_search.list_all --out=txt | sed "s/local: //" > legacy_searches.sls

Get all searches with new prefixed names

$ salt-call splunk_search.list_all "prefix=**MANAGED BY SALT** " --out=txt | sed "s/local: //" > managed_searches.sls

Insert the managed searches into splunk

$ salt-call state.sls managed_searches.sls

Manually verify that the new searches look right

Delete the original searches $ sed s/present/absent/ legacy_searches.sls > remove_legacy_searches.sls $ salt-call state.sls remove_legacy_searches.sls

Get all searches again, verify no changes $ salt-call splunk_search.list_all --out=txt | sed "s/local: //" > final_searches.sls $ diff final_searches.sls managed_searches.sls

salt.modules.splunk_search.update(name, profile='splunk', **kwargs)¶

Update a splunk search

CLI Example:

splunk_search.update 'my search name' sharing=app

You are viewing docs for the previous stable release, 2015.5.11. Switch to docs for the latest stable release, 2016.3.2, or to a recent doc build from the develop branch.

saltstack.com