README.md

Description

This cookbook extends the chef-splunk and chef-splunk-windows cookbooks to add variables for controlling which data sources are monitored and forwarded. It is dependent on the chef-splunk and chef-splunk-windows cookbooks.

Requirements

* 'chef-splunk' cookbook
* 'chef-splunk-windows' cookbook

Attributes

[splunk][monitors] : The default recipe will look for this attribute as an array, with each index formatted as a hash. Each hash's key serves as a short name for a monitor to configure, and its value should be a hash of attributes for the monitor. In these "sub-hashes", a 'location' hash (specifying the file or directory to be monitored) is required; 'index', 'sourcetype', or 'hostname' hashes are optional.

[splunk][hostname_source] : Optional attribute to override the host field forwarded by Splunk. Set the attribute to the value 'node_name' to use the node's node name (by default the node's fqdn) as the default host field in Splunk forwarded events.

[splunk][transforms] : Optional attribute to set transforms entries. Expected to be an array, with each index formatted as a hash. Each hash's key serves as the stanza name for the transform, and its value should be a hash of attributes for the transform. In these "sub-hashes", 'regex', 'format', and 'dest_key' hashes are required (for the transforms.conf file).

[splunk][props] : Optional attribute to set props.conf entries to put the above transforms into effect. Expected to be an array, with each index formatted as a hash. Each hash's key serves as the spec for the transform, and its value should be a hash of attributes for the spec. In these "sub-hashes", 'class' and 'transforms_stanza' hashes are required (for the transforms.conf file).

transforms & props naming referenced from http://docs.splunk.com/Documentation/Splunk/latest/Data/overridedefaulthostassignments
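The following is an added example, not part of this cookbook: a standalone Ruby check that validates the required keys listed above and renders the stanzas they imply. The stanza layouts (`[monitor://...]`, `REGEX`/`FORMAT`/`DEST_KEY`, `TRANSFORMS-<class>`) follow the Splunk conf format and are an assumption about what the cookbook's templates produce; the sample names and values are constructed.

```ruby
# Added example: validate [splunk] attributes in the shape this README
# describes, then render the conf stanzas. Not the cookbook's template code.
REQUIRED = {
  'monitors'   => %w[location],
  'transforms' => %w[regex format dest_key],
  'props'      => %w[class transforms_stanza]
}.freeze

# Each attribute is an array of single-key hashes: { name => { settings } }.
def entries(splunk, attr)
  Array(splunk[attr]).flat_map do |entry|
    entry.map do |name, settings|
      missing = REQUIRED.fetch(attr).select { |k| settings[k].to_s.strip.empty? }
      raise ArgumentError, "#{attr}/#{name}: missing #{missing.join(', ')}" unless missing.empty?
      [name, settings]
    end
  end
end

# Build one stanza, skipping optional settings that are nil or empty.
def stanza(header, pairs)
  lines = pairs.reject { |_, v| v.to_s.empty? }.map { |k, v| "#{k} = #{v}" }
  (["[#{header}]"] + lines).join("\n")
end

def render(splunk)
  {
    'inputs.conf' => entries(splunk, 'monitors').map { |_, m|
      stanza("monitor://#{m['location']}", { 'index' => m['index'], 'sourcetype' => m['sourcetype'] })
    },
    'transforms.conf' => entries(splunk, 'transforms').map { |name, t|
      stanza(name, { 'REGEX' => t['regex'], 'FORMAT' => t['format'], 'DEST_KEY' => t['dest_key'] })
    },
    'props.conf' => entries(splunk, 'props').map { |spec, p|
      stanza(spec, { "TRANSFORMS-#{p['class']}" => p['transforms_stanza'] })
    }
  }
end

# Constructed sample attributes (hypothetical names and values).
SAMPLE = {
  'monitors' => [{ 'authlog' => { 'location' => '/var/log/auth.log', 'index' => 'os', 'sourcetype' => '' } }],
  'transforms' => [{ 'set_host_from_event' =>
    { 'regex' => 'host=(\S+)', 'format' => 'host::$1', 'dest_key' => 'MetaData:Host' } }],
  'props' => [{ 'source::/var/log/auth.log' =>
    { 'class' => 'sethost', 'transforms_stanza' => 'set_host_from_event' } }]
}.freeze

render(SAMPLE).each { |file, stanzas| puts "# #{file}", stanzas, '' } if __FILE__ == $PROGRAM_NAME
```

Running the check against role attributes before a converge surfaces a monitor or transform with a missing required key, which would otherwise leave a log source unforwarded or a host override unapplied.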

Usage

* Add a 'monitors' array to node[splunk]. Populate it with 1 or more values. The following is an example from a knife role edit:

    "override_attributes": {
      "splunk": {
        "monitors": [
          {
            "thisistheshortlogname": {
              "location": "/var/log/fileordirectory",
              "index": "couldomitthis",
              "sourcetype": "", #optional
              "whitelist": "", #optional
              "blacklist": "", #optional
              "crcSalt": "" #optional
            }
          }
        ],
        ...

* Finally, apply the splunk_monitor::default recipe to the role/node.

Additional Recipes

* The [splunk_monitor::biolasecuritymonitoring] recipe will install the "TA-biola_security_monitoring" technology add-on into Splunk. See the technology add-on's homepage for more information.
* The [splunk_monitor::vmwareapp] recipe will install and configure the Splunk App for VMware. Apply this to your indexers, and apply attributes to them to indicate a URL for downloading the app zip/tgz.
* The [splunk_monitor::vcenter_ta] recipe accompanies the vmwareapp recipe. Apply it to your vCenter host nodes to run after the Splunk UF is installed.
* The [splunk_monitor::imagenow_ta] recipe will install a technology add-on onto a Windows node and periodically poll an ImageNow server for license usage.