Try SpotterManage Splunk Data Inputs of type Monitor
| "added in version" 1.0 of splunk.es"
Authors: Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security>
Install with ansible-galaxy collection install splunk.es:==0.0.2
collections:
- name: splunk.es
version: 0.0.2This module allows for addition or deletion of File and Directory Monitor Data Inputs in Splunk.
- name: Example adding data input monitor with splunk.es.data_input_monitor
splunk.es.data_input_monitor:
name: "/var/log/example.log"
state: "present"
recursive: True
host:
description:
- The value to populate in the host field for events from this data input.
required: false
type: str
name:
description:
- The file or directory path to monitor on the system.
required: true
type: str
index:
description:
- Which index events from this input should be stored in. Defaults to default.
required: false
type: str
state:
choices:
- present
- absent
description:
- Add or remove a data source.
required: true
type: str
crc_salt:
description:
- A string that modifies the file tracking identity for files in this input. The magic
value <SOURCE> invokes special behavior (see admin documentation).
required: false
type: str
disabled:
default: false
description:
- Indicates if input monitoring is disabled.
required: false
type: bool
blacklist:
description:
- Specify a regular expression for a file path. The file path that matches this regular
expression is not indexed.
required: false
type: str
recursive:
default: false
description:
- Setting this to False prevents monitoring of any subdirectories encountered within
this data input.
required: false
type: bool
whitelist:
description:
- Specify a regular expression for a file path. Only file paths that match this regular
expression are indexed.
required: false
type: str
check_path:
description:
- If set to C(True), the name value is checked to ensure that it exists.
required: false
type: bool
followTail:
default: false
description:
- If set to C(True), files that are seen for the first time is read from the end.
required: false
type: bool
host_regex:
description:
- Specify a regular expression for a file path. If the path for a file matches this
regular expression, the captured value is used to populate the host field for events
from this data input. The regular expression must have one capture group.
required: false
type: str
sourcetype:
description:
- The value to populate in the sourcetype field for incoming events.
required: false
type: str
check_index:
default: false
description:
- If set to C(True), the index value is checked to ensure that it is the name of a
valid index.
required: false
type: bool
host_segment:
description:
- Use the specified slash-separate segment of the filepath as the host field value.
required: false
type: int
rename_source:
description:
- The value to populate in the source field for events from this data input. The same
source should not be used for multiple data inputs.
required: false
type: str
ignore_older_than:
description:
- Specify a time value. If the modification time of a file being monitored falls outside
of this rolling time window, the file is no longer being monitored.
required: false
type: str
time_before_close:
description:
- When Splunk software reaches the end of a file that is being read, the file is kept
open for a minimum of the number of seconds specified in this value. After this
period has elapsed, the file is checked again for more data.
required: false
type: int