splunk.es.splunk_data_input_network (0.0.2) — module

Manage Splunk Data Inputs of type TCP or UDP

Added in version 1.0 of splunk.es

Authors: Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security>

Install collection

Install with ansible-galaxy collection install splunk.es:==0.0.2


Add to requirements.yml

  collections:
    - name: splunk.es
      version: 0.0.2

Description

This module allows for addition or deletion of TCP and UDP Data Inputs in Splunk.

Usage examples

- name: Example adding data input network with splunk.es.data_input_network
  splunk.es.data_input_network:
    name: "8099"
    protocol: "tcp"
    state: "present"
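
A fuller playbook that combines the parameters documented under Inputs (an added example, not taken from the collection's own documentation). It uses the module name from the example above; the inventory group, index name, sender address and port numbers are constructed, and the connection settings for reaching Splunk are assumed to be defined in inventory.

```yaml
---
# Added example. The "splunk" group, the "netdata" index, the 192.0.2.10
# address and the port numbers are constructed placeholders.
- name: Manage Splunk TCP and UDP data inputs
  hosts: splunk          # hypothetical inventory group
  gather_facts: false
  tasks:
    - name: Accept raw TCP on 8099 from a single sender, with ssl enabled
      splunk.es.data_input_network:
        name: "8099"                  # the input port
        protocol: "tcp"
        state: "present"
        ssl: true                     # enable ssl for the data stream
        restrictToHost: "192.0.2.10"  # only accept data from this host
        connection_host: "ip"         # host field = sender IP, no reverse DNS lookup
        datatype: "raw"
        queue: "parsingQueue"         # apply props.conf parsing rules
        index: "netdata"              # assumed to exist already
        sourcetype: "syslog"
        rawTcpDoneTimeout: 10         # seconds idle before a Done-key is added

    - name: Accept UDP on 5514 from the same sender
      splunk.es.data_input_network:
        name: "5514"
        protocol: "udp"
        state: "present"
        restrictToHost: "192.0.2.10"
        connection_host: "ip"
        index: "netdata"
        sourcetype: "syslog"

    - name: Remove a TCP input that is no longer needed
      splunk.es.data_input_network:
        name: "8100"
        protocol: "tcp"
        state: "absent"
```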

Inputs

    
ssl:
    description:
    - Enable or disable SSL for the data stream.
    required: false
    type: bool

host:
    description:
    - Host from which the indexer gets data.
    required: false
    type: str

name:
    description:
    - The input port which receives raw data.
    required: true
    type: str

index:
    description:
    - Default index to store generated events.
    type: str

queue:
    choices:
    - parsingQueue
    - indexQueue
    default: parsingQueue
    description:
    - Specifies where the input processor should deposit the events it reads. Defaults
      to parsingQueue.
    - Set queue to parsingQueue to apply props.conf and other parsing rules to your data.
      For more information about props.conf and rules for timestamping and linebreaking,
      refer to props.conf and the online documentation at "Monitor files and directories
      with inputs.conf"
    - Set queue to indexQueue to send your data directly into the index.
    required: false
    type: str

state:
    choices:
    - present
    - absent
    - enabled
    - disable
    default: present
    description:
    - Enable, disable, create, or destroy
    required: false
    type: str

source:
    description:
    - Sets the source key/field for events from this input. Defaults to the input file
      path.
    - 'Sets the source key initial value. The key is used during parsing/indexing, in
      particular to set the source field during indexing. It is also the source field
      used at search time. As a convenience, the chosen string is prepended with ''source::''.

      '
    - 'Note: Overriding the source key is generally not recommended. Typically, the input
      layer provides a more accurate string to aid in problem analysis and investigation,
      accurately recording the file from which the data was retrieved. Consider use of
      source types, tagging, and search wildcards before overriding this value.

      '
    type: str

datatype:
    choices:
    - cooked
    - raw
    default: raw
    description: 'Forwarders can transmit three types of data: raw, unparsed, or parsed.
      C(cooked) data refers to parsed and unparsed formats.

      '
    required: false
    type: str

protocol:
    choices:
    - tcp
    - udp
    description:
    - Choose between tcp or udp
    required: true
    type: str

sourcetype:
    description:
    - Set the source type for events from this input.
    - '"sourcetype=" is automatically prepended to <string>.'
    - Defaults to audittrail (if signedaudit=True) or fschange (if signedaudit=False).
    type: str

restrictToHost:
    description:
    - Allows for restricting this input to only accept data from the host specified here.
    required: false
    type: str

connection_host:
    choices:
    - ip
    - dns
    - none
    default: ip
    description:
    - Set the host for the remote server that is sending data.
    - C(ip) sets the host to the IP address of the remote server sending data.
    - C(dns) sets the host to the reverse DNS entry for the IP address of the remote server
      sending data.
    - C(none) leaves the host as specified in inputs.conf, which is typically the Splunk
      system hostname.
    required: false
    type: str

rawTcpDoneTimeout:
    default: 10
    description:
    - Specifies in seconds the timeout value for adding a Done-key.
    - If a connection over the port specified by name remains idle after receiving data
      for specified number of seconds, it adds a Done-key. This implies the last event
      is completely received.
    required: false
    type: int