Salt Extension for interacting with Splunk
splunk_search

Interface with the Splunk search API.

Important

This module requires the general Splunk setup.

saltext.splunk.modules.splunk_search.get(name, profile='splunk')

Get a Splunk search.

CLI Example:

    splunk_search.get 'my search name'

saltext.splunk.modules.splunk_search.update(name, profile='splunk', **kwargs)

Update a Splunk search.

CLI Example:

    splunk_search.update 'my search name' sharing=app

saltext.splunk.modules.splunk_search.create(name, profile='splunk', **kwargs)

Create a Splunk search.

CLI Example:

    splunk_search.create 'my search name' search='error msg'

saltext.splunk.modules.splunk_search.delete(name, profile='splunk')

Delete a Splunk search.

CLI Example:

    splunk_search.delete 'my search name'

saltext.splunk.modules.splunk_search.list_(profile='splunk')

List Splunk searches (names only).

CLI Example:

    splunk_search.list

saltext.splunk.modules.splunk_search.list_all(prefix=None, app=None, owner=None, description_contains=None, name_not_contains=None, profile='splunk')

Get all Splunk search details. Produces results that can be used to create an sls file.

If app or owner are specified, results will be limited to matching saved searches.

If description_contains is specified, results will be limited to those where "description_contains in description" is true. If name_not_contains is specified, results will be limited to those where "name_not_contains not in name" is true.

If the prefix parameter is given, search names in the output will be prepended with the prefix; searches that already have the prefix will be skipped. This can be used to convert existing searches to be managed by Salt, as follows:

CLI Example:

  1. Make a “backup” of all existing searches

    $ salt-call splunk_search.list_all --out=txt | sed "s/local: //" > legacy_searches.sls

  2. Get all searches with new prefixed names

    $ salt-call splunk_search.list_all "prefix=**MANAGED BY SALT** " --out=txt | sed "s/local: //" > managed_searches.sls

  3. Insert the managed searches into splunk

    $ salt-call state.sls managed_searches.sls

  4. Manually verify that the new searches look right

  5. Delete the original searches

    $ sed s/present/absent/ legacy_searches.sls > remove_legacy_searches.sls
    $ salt-call state.sls remove_legacy_searches.sls

  6. Get all searches again, verify no changes

    $ salt-call splunk_search.list_all --out=txt | sed "s/local: //" > final_searches.sls
    $ diff final_searches.sls managed_searches.sls
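
A check that can support step 4 before the deletion in step 5, as an added example (not code from this extension): it confirms that every legacy search has a prefixed copy with the same settings, so no saved search used for alerting is removed without a replacement. The dict layout assumed for the generated SLS data, the sample searches and the function names are assumptions.

```python
PREFIX = "**MANAGED BY SALT** "

# Constructed sample data. Assumed layout of the generated SLS once loaded:
# {search name: {"splunk_search.present": [{key: value}, ...]}}
LEGACY = {
    "failed ssh logins": {"splunk_search.present": [{"search": "sshd Failed password"}]},
    "sudo to root": {"splunk_search.present": [{"search": "sudo COMMAND USER=root"}]},
}
MANAGED = {
    PREFIX + "failed ssh logins": {"splunk_search.present": [{"search": "sshd Failed password"}]},
    # Deliberately different from the legacy definition, to show a failed check.
    PREFIX + "sudo to root": {"splunk_search.present": [{"search": "sudo COMMAND"}]},
}

def settings(state):
    """Flatten the list of single-key dicts under splunk_search.present."""
    merged = {}
    for item in state.get("splunk_search.present", []):
        merged.update(item)
    merged.pop("name", None)  # the name is expected to differ by the prefix
    return merged

def migration_problems(legacy, managed, prefix=PREFIX):
    """Return (name, reason) pairs for legacy searches that are unsafe to delete."""
    problems = []
    for name, state in sorted(legacy.items()):
        if name.startswith(prefix):
            continue  # already managed, so it is not a deletion candidate
        twin = managed.get(prefix + name)
        if twin is None:
            problems.append((name, "no prefixed copy"))
        elif settings(twin) != settings(state):
            problems.append((name, "prefixed copy differs"))
    return problems

def removal_states(legacy, managed, prefix=PREFIX):
    """Build the 'absent' states of step 5, refusing if any check fails."""
    problems = migration_problems(legacy, managed, prefix)
    if problems:
        raise ValueError(f"refusing to delete legacy searches: {problems}")
    return {n: {"splunk_search.absent": s["splunk_search.present"]}
            for n, s in legacy.items() if not n.startswith(prefix)}

if __name__ == "__main__":
    print(migration_problems(LEGACY, MANAGED))
```
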

Copyright © 2024 - 2025, EITR Technologies, LLC