Module for interop with the Splunk API
New in version 2015.5.0.
depends:
configuration: Configure this module by specifying the name of a configuration profile in the minion config, minion pillar, or master config. The module will use the 'splunk' key by default, if defined. For example:

    splunk:
        username: alice
        password: abc123
        host: example.splunkcloud.com
        port: 8080

salt.modules.splunk_search.create(name, profile='splunk', **kwargs)
Create a splunk search
CLI Example:
splunk_search.create 'my search name' search='error msg'
salt.modules.splunk_search.delete(name, profile='splunk')
Delete a splunk search
CLI Example:
splunk_search.delete 'my search name'
salt.modules.splunk_search.get(name, profile='splunk')
Get a splunk search
CLI Example:
splunk_search.get 'my search name'
salt.modules.splunk_search.list(profile='splunk')
List splunk searches (names only)
salt.modules.splunk_search.list_all(prefix=None, app=None, owner=None, description_contains=None, name_not_contains=None, profile='splunk')
Get all splunk search details. Produces results that can be used to create an sls file.
If app or owner is specified, results will be limited to matching saved searches.
If description_contains is specified, results will be limited to those where "description_contains in description" is true.
If name_not_contains is specified, results will be limited to those where "name_not_contains not in name" is true.
If the prefix parameter is given, search names in the output will be prepended with the prefix; searches that already have the prefix will be skipped. This can be used to convert existing searches to be managed by salt, as follows:
CLI example:
- Make a "backup" of all existing searches
    $ salt-call splunk_search.list_all --out=txt | sed "s/local: //" > legacy_searches.sls
- Get all searches with new prefixed names
    $ salt-call splunk_search.list_all "prefix=**MANAGED BY SALT** " --out=txt | sed "s/local: //" > managed_searches.sls
- Insert the managed searches into splunk
    $ salt-call state.sls managed_searches.sls
- Manually verify that the new searches look right
- Delete the original searches
    $ sed s/present/absent/ legacy_searches.sls > remove_legacy_searches.sls
    $ salt-call state.sls remove_legacy_searches.sls
- Get all searches again, verify no changes
    $ salt-call splunk_search.list_all --out=txt | sed "s/local: //" > final_searches.sls
    $ diff final_searches.sls managed_searches.sls
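
The filter and prefix rules described for list_all, applied to constructed saved-search records, with a pre-migration check for names that would collide once prefixed. This is an added illustration, not the module's own code: `select_searches`, `prefix_collisions` and the sample data are hypothetical, and "have the prefix" is read here as "name starts with the prefix".

```python
# Constructed sample records standing in for Splunk saved searches.
P = "**MANAGED BY SALT** "
SAMPLE_SEARCHES = [
    {"name": "failed logins", "app": "search", "owner": "alice", "description": "auth alerts"},
    {"name": P + "failed logins", "app": "search", "owner": "alice", "description": "auth alerts"},
    {"name": "disk usage test", "app": "ops", "owner": "bob", "description": "capacity"},
    {"name": "sudo errors", "app": "search", "owner": "bob", "description": ""},
]


def select_searches(searches, prefix=None, app=None, owner=None,
                    description_contains=None, name_not_contains=None):
    """Return the output names the documented list_all rules would yield."""
    names = []
    for s in searches:
        if app and s["app"] != app:
            continue
        if owner and s["owner"] != owner:
            continue
        if description_contains and description_contains not in s["description"]:
            continue
        if name_not_contains and name_not_contains in s["name"]:
            continue
        if prefix:
            if s["name"].startswith(prefix):
                continue  # assumption: "has the prefix" means "starts with it"
            names.append(prefix + s["name"])
        else:
            names.append(s["name"])
    return names


def prefix_collisions(searches, prefix):
    """Unprefixed names whose prefixed form already exists as a search.

    Applying the managed SLS for these would act on the existing
    prefixed search rather than create a new one, so review them first.
    """
    existing = {s["name"] for s in searches}
    return [s["name"] for s in searches
            if not s["name"].startswith(prefix) and prefix + s["name"] in existing]


if __name__ == "__main__":
    print(select_searches(SAMPLE_SEARCHES, prefix=P))
    print(prefix_collisions(SAMPLE_SEARCHES, P))
```
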
salt.modules.splunk_search.update(name, profile='splunk', **kwargs)
Update a splunk search
CLI Example:
splunk_search.update 'my search name' sharing=app