splunk_search
Interface with the Splunk search API.
Important
This module requires the general Splunk setup.
- saltext.splunk.modules.splunk_search.get(name, profile='splunk')
Get a splunk search
CLI Example:
splunk_search.get 'my search name'
- saltext.splunk.modules.splunk_search.update(name, profile='splunk', **kwargs)
Update a splunk search
CLI Example:
splunk_search.update 'my search name' sharing=app
- saltext.splunk.modules.splunk_search.create(name, profile='splunk', **kwargs)
Create a splunk search
CLI Example:
splunk_search.create 'my search name' search='error msg'
- saltext.splunk.modules.splunk_search.delete(name, profile='splunk')
Delete a splunk search
CLI Example:
splunk_search.delete 'my search name'
- saltext.splunk.modules.splunk_search.list_(profile='splunk')
List splunk searches (names only)
CLI Example:
splunk_search.list
- saltext.splunk.modules.splunk_search.list_all(prefix=None, app=None, owner=None, description_contains=None, name_not_contains=None, profile='splunk')
Get all splunk search details. Produces results that can be used to create an sls file.
If app or owner is specified, results are limited to saved searches with that app or owner.
If description_contains is specified, results are limited to those where "description_contains in description" is true. If name_not_contains is specified, results are limited to those where "name_not_contains not in name" is true.
If the prefix parameter is given, search names in the output are prepended with the prefix, and searches whose name already starts with the prefix are skipped, so the call can be repeated without double-prefixing. Without a prefix, every search is listed, including ones that already carry it. This can be used to convert existing searches to be managed by salt, as follows:
CLI Example:
1. Make a "backup" of all existing searches. If some searches already carry the prefix, add "name_not_contains=**MANAGED BY SALT**" (quoted as in step 2) to this call; otherwise they land in the backup and are deleted again in step 5.
$ salt-call splunk_search.list_all --out=txt | sed "s/local: //" > legacy_searches.sls
2. Get all searches with new prefixed names
$ salt-call splunk_search.list_all "prefix=**MANAGED BY SALT** " --out=txt | sed "s/local: //" > managed_searches.sls
3. Insert the managed searches into splunk. The generated file must be reachable through the minion's file_roots, and state.sls takes the state name without the .sls extension.
$ salt-call state.sls managed_searches
4. Manually verify that the new searches look right
5. Delete the original searches. The sed below replaces the first "present" on every line, so a search string or description that contains that word is changed too; review remove_legacy_searches.sls before applying it.
$ sed s/present/absent/ legacy_searches.sls > remove_legacy_searches.sls
$ salt-call state.sls remove_legacy_searches
6. Get all searches again and verify that nothing changed. An empty diff only proves that the prefixed searches match; it does not show whether step 5 removed searches that were already managed (see step 1).
$ salt-call splunk_search.list_all --out=txt | sed "s/local: //" > final_searches.sls
$ diff final_searches.sls managed_searches.sls
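The filter rules documented for list_all, and the six-step conversion they are meant to support, can be checked offline before touching a live Splunk instance. The following is an added example and not code from saltext.splunk: it models list_all's filtering and prefix handling over a constructed inventory of saved searches, replays steps 1 to 6 as pure data transformations, and shows why step 1 needs name_not_contains when some searches already carry the prefix. The SLS dict shape it emits ("manage splunk search <name>" -> splunk_search.present -> list of {key: value}), the field names in the sample records, and the app/owner defaults in apply_states are assumptions, not the module's verified output.

```python
"""Local model of list_all's filters and of the migration procedure above.
Added example, not part of saltext.splunk; it never talks to Splunk or
salt-call. The SLS dict shape it produces is an assumption."""
from collections import OrderedDict

PREFIX = "**MANAGED BY SALT** "

# Constructed sample inventory (not real Splunk data). One search is
# already managed, i.e. its name already carries the prefix.
SAMPLE_SEARCHES = [
    {"name": "failed logins", "app": "search", "owner": "admin",
     "description": "auth failures per host",
     "search": "index=auth action=failure | stats count by host"},
    {"name": "present hosts", "app": "search", "owner": "admin",
     "description": "hosts present in the last hour",
     "search": "index=main | stats dc(host)"},
    {"name": PREFIX + "new process", "app": "search", "owner": "admin",
     "description": "process creation events",
     "search": "index=wineventlog EventCode=4688"},
    {"name": "Errors in the last 24 hours", "app": "search", "owner": "nobody",
     "description": "", "search": "error"},
]


def list_all(searches, prefix=None, app=None, owner=None,
             description_contains=None, name_not_contains=None):
    """Apply the filters documented for list_all; return an SLS-style dict."""
    results = OrderedDict()
    for s in sorted(searches, key=lambda rec: rec["name"]):
        name = s["name"]
        if app and s["app"] != app:
            continue
        if owner and s["owner"] != owner:
            continue
        if description_contains and description_contains not in (s["description"] or ""):
            continue
        if name_not_contains and name_not_contains in name:
            continue
        if prefix:
            if name.startswith(prefix):
                continue  # already prefixed: skipped, never double-prefixed
            name = prefix + name
        body = [{"name": name}]
        for key in ("search", "description"):
            if s[key]:  # empty values do not get a line in the SLS
                body.append({key: s[key]})
        results["manage splunk search " + name] = {"splunk_search.present": body}
    return results


def to_absent(sls):
    """Structural version of step 5's sed: rename only the state function, so
    a search string or description containing 'present' is left untouched."""
    out = OrderedDict()
    for state_id, body in sls.items():
        out[state_id] = {
            ("splunk_search.absent" if func == "splunk_search.present" else func): args
            for func, args in body.items()}
    return out


def apply_states(inventory, sls):
    """Model of state.sls: present creates/updates by name, absent deletes.
    The app/owner defaults for newly created searches are an assumption."""
    inventory = dict(inventory)
    for body in sls.values():
        for func, args in body.items():
            fields = {}
            for item in args:
                fields.update(item)
            name = fields["name"]
            if func == "splunk_search.present":
                rec = dict(inventory.get(name, {"app": "search", "owner": "admin",
                                                "description": "", "search": ""}))
                rec.update(fields)
                inventory[name] = rec
            elif func == "splunk_search.absent":
                inventory.pop(name, None)
    return inventory


def migrate(searches, exclude_managed):
    """Steps 1-6 of the procedure as data transformations. With
    exclude_managed=False, step 1 backs up every search, including those that
    already carry the prefix, and step 5 then deletes those as well."""
    inventory = {s["name"]: s for s in searches}
    legacy = list_all(searches,
                      name_not_contains=PREFIX if exclude_managed else None)  # step 1
    managed = list_all(searches, prefix=PREFIX)                               # step 2
    inventory = apply_states(inventory, managed)                              # step 3
    inventory = apply_states(inventory, to_absent(legacy))                    # step 5
    final = list_all(list(inventory.values()))                                # step 6
    return managed, final, sorted(inventory)


if __name__ == "__main__":
    for flag in (False, True):
        managed, final, names = migrate(SAMPLE_SEARCHES, exclude_managed=flag)
        print("exclude_managed=%s: diff clean=%s, surviving=%s"
              % (flag, final == managed, names))
```

Running the naive variant (exclude_managed=False) yields a clean step 6 diff even though the pre-existing "**MANAGED BY SALT** new process" search has been deleted in step 5, because the backup from step 1 contained it as a present state. With exclude_managed=True the diff is not empty, but the only difference is the search that was already managed, which is the outcome you actually want; that is the check to perform on the real final_searches.sls before declaring the conversion done.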