Skip to content

StackStorm-Exchange/stackstorm-splunk

1 Branch17 Tags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

arm4barm4b
Merge pull request #25 from bertyah/master
Dec 7, 2023
6bc01ba · Dec 7, 2023

History

109 Commits
.circleci
.circleci
Dec 19, 2021
.github
.github
Jan 12, 2022
actions
actions
Dec 7, 2023
aliases
aliases
Feb 6, 2021
.gitignore
.gitignore
Jan 15, 2022
CHANGES.md
CHANGES.md
Dec 7, 2023
LICENSE
LICENSE
Oct 31, 2019
README.md
README.md
Jan 20, 2022
config.schema.yaml
config.schema.yaml
Jan 20, 2022
icon.png
icon.png
Feb 6, 2021
pack.yaml
pack.yaml
Dec 7, 2023
requirements.txt
requirements.txt
Feb 9, 2021
splunk.yaml.example
splunk.yaml.example
Jan 20, 2022

Repository files navigation

Splunk Integration Pack

Basic integration with Splunk Enterprise, Splunk Cloud, or Splunk Light: http://www.splunk.com/en_us/products.html

Configuration

Copy the example configuration in splunk.yaml.example to /opt/stackstorm/configs/splunk.yaml and edit as required.

It should contain:

  • instance - Friendly instance name
  • host - Splunk server
  • port - Splunk API port (default: 8089)
  • username - Splunk username
  • password - Splunk password
  • splunkToken - Bear token from splunk for authentication
  • scheme - Protocol for contacting Splunk API (default: https)
  • verify - Should vertificate validation be performed (default: true)
  • hec_endpoint - The Splunk's HEC URL (default: /services/collector)
  • hec_port - The port HEC is listening on (default: 8088)

You can also use dynamic values from the datastore. See the docs for more info.

Note : When modifying the configuration in /opt/stackstorm/configs/ please remember to tell StackStorm to load these new values by running st2ctl reload --register-configs

Actions

search

Runs a synchronous search to get Splunk data. E.g., st2 run splunk.search query='search * | head 10. Refer to Splunk documentation for search query syntax.

As of version 0.5.0, this returns formatted results, rather than raw data, e.g.:

lhill@st2:~$ st2 run splunk.search query='search * | head 1'
.
id: 597439dec3540c7fd6b84da2
status: succeeded
parameters:
  query: search * | head 1
result:
  exit_code: 0
  result:
  - _bkt: main~3~DD5C5A84-8334-433E-89BC-7AD42FFE7E6F
    _cd: 3:237
    _indextime: '1500593568'
    _raw: 'Jul 20 16:32:48 10.25.101.2 Jul 20 16:32:33 mlx16-1 Security: ssh terminated by lhill from src IP 10.125.101.160 from USER EXEC mode using RSA as Server Host Key. Reason Code: 11, Description:disconnected by user. '
    _serial: '0'
    _si:
    - Splunk
    - main
    _sourcetype: syslog
    _time: '2017-07-20T16:32:48.000-07:00'
    host: 10.25.101.2
    index: main
    linecount: '1'
    source: udp:514
    sourcetype: syslog
    splunk_server: Splunk
  stderr: ''
  stdout: ''
lhill@st2:~$

get_user

Retrieves user info by name. E.g., st2 run splunk.get_user user=admin.

Sensors

No sensors yet...but pull requests welcome!

See https://stackstorm.com/2016/10/21/auto-remediation-stackstorm-splunk/ for an example of how to submit events from Splunk into StackStorm

Maintainers

Active pack maintainers with review & write repository access and expertise with Splunk:

About

Splunk integration pack

exchange.stackstorm.org/

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

1 star

Watchers

9 watching

Forks

11 forks
Report repository

Releases

17 tags

Packages

No packages published

Contributors 17

+ 3 contributors

Languages