Try SpotterSplunk Data Inputs of type Monitor resource module
| "added in version" 2.1.0 of splunk.es"
Authors: Ansible Security Automation Team (@pranav-bhatt) <https://github.com/ansible-security>
This plugin has a corresponding action plugin.
Install with ansible-galaxy collection install splunk.es:==3.0.0
collections:
- name: splunk.es
version: 3.0.0Module to add/modify or delete, File and Directory Monitor Data Inputs in Splunk.
Tested against Splunk Enterprise Server 8.2.3
# Using gathered
# --------------
- name: Gather config for specified Data inputs monitors
splunk.es.splunk_data_inputs_monitor:
config:
- name: "/var/log"
- name: "/var"
state: gathered
# RUN output:
# -----------
# "gathered": [
# {
# "blacklist": "//var/log/[a-z0-9]/gm",
# "crc_salt": "<SOURCE>",
# "disabled": false,
# "host": "$decideOnStartup",
# "host_regex": "/(test_host)/gm",
# "host_segment": 3,
# "index": "default",
# "name": "/var/log",
# "recursive": true,
# "sourcetype": "test_source",
# "whitelist": "//var/log/[0-9]/gm"
# }
# ]
#
# Using merged
# ------------
- name: Update Data inputs monitors config
splunk.es.splunk_data_inputs_monitor:
config:
- name: "/var/log"
blacklist: "//var/log/[a-z]/gm"
check_index: true
check_path: true
crc_salt: <SOURCE>
rename_source: "test"
whitelist: "//var/log/[0-9]/gm"
state: merged
# RUN output:
# -----------
# "after": [
# {
# "blacklist": "//var/log/[a-z]/gm",
# "crc_salt": "<SOURCE>",
# "disabled": false,
# "host": "$decideOnStartup",
# "host_regex": "/(test_host)/gm",
# "host_segment": 3,
# "index": "default",
# "name": "/var/log",
# "recursive": true,
# "sourcetype": "test_source",
# "whitelist": "//var/log/[0-9]/gm"
# }
# ],
# "before": [
# {
# "blacklist": "//var/log/[a-z0-9]/gm",
# "crc_salt": "<SOURCE>",
# "disabled": false,
# "host": "$decideOnStartup",
# "host_regex": "/(test_host)/gm",
# "host_segment": 3,
# "index": "default",
# "name": "/var/log",
# "recursive": true,
# "sourcetype": "test_source",
# "whitelist": "//var/log/[0-9]/gm"
# }
# ],
# Using replaced
# --------------
- name: To Replace Data inputs monitors config
splunk.es.splunk_data_inputs_monitor:
config:
- name: "/var/log"
blacklist: "//var/log/[a-z0-9]/gm"
crc_salt: <SOURCE>
index: default
state: replaced
# RUN output:
# -----------
# "after": [
# {
# "blacklist": "//var/log/[a-z0-9]/gm",
# "crc_salt": "<SOURCE>",
# "disabled": false,
# "host": "$decideOnStartup",
# "index": "default",
# "name": "/var/log"
# }
# ],
# "before": [
# {
# "blacklist": "//var/log/[a-z0-9]/gm",
# "crc_salt": "<SOURCE>",
# "disabled": false,
# "host": "$decideOnStartup",
# "host_regex": "/(test_host)/gm",
# "host_segment": 3,
# "index": "default",
# "name": "/var/log",
# "recursive": true,
# "sourcetype": "test_source",
# "whitelist": "//var/log/[0-9]/gm"
# }
# ],
# Using deleted
# -----------
- name: To Delete Data inpur monitor config
splunk.es.splunk_data_inputs_monitor:
config:
- name: "/var/log"
state: deleted
state:
choices:
- merged
- replaced
- deleted
- gathered
default: merged
description:
- The state the configuration should be left in
type: str
config:
description:
- Configure file and directory monitoring on the system
elements: dict
suboptions:
blacklist:
description:
- Specify a regular expression for a file path. The file path that matches this
regular expression is not indexed.
type: str
check_index:
description:
- If set to C(true), the index value is checked to ensure that it is the name
of a valid index.
- This parameter is not returned back by Splunk while obtaining object information.
It is therefore left out while performing idempotency checks
type: bool
check_path:
description:
- If set to C(true), the name value is checked to ensure that it exists.
- This parameter is not returned back by Splunk while obtaining object information.
It is therefore left out while performing idempotency checks
type: bool
crc_salt:
description:
- A string that modifies the file tracking identity for files in this input. The
magic value <SOURCE> invokes special behavior (see admin documentation).
type: str
disabled:
default: false
description:
- Indicates if input monitoring is disabled.
type: bool
follow_tail:
description:
- If set to C(true), files that are seen for the first time is read from the end.
type: bool
host:
default: $decideOnStartup
description:
- The value to populate in the host field for events from this data input.
type: str
host_regex:
description:
- Specify a regular expression for a file path. If the path for a file matches
this regular expression, the captured value is used to populate the host field
for events from this data input. The regular expression must have one capture
group.
type: str
host_segment:
description:
- Use the specified slash-separate segment of the filepath as the host field value.
type: int
ignore_older_than:
description:
- Specify a time value. If the modification time of a file being monitored falls
outside of this rolling time window, the file is no longer being monitored.
- This parameter is not returned back by Splunk while obtaining object information.
It is therefore left out while performing idempotency checks
type: str
index:
default: default
description:
- Which index events from this input should be stored in. Defaults to default.
type: str
name:
description:
- The file or directory path to monitor on the system.
required: true
type: str
recursive:
description:
- Setting this to False prevents monitoring of any subdirectories encountered
within this data input.
type: bool
rename_source:
description:
- The value to populate in the source field for events from this data input. The
same source should not be used for multiple data inputs.
- This parameter is not returned back by Splunk while obtaining object information.
It is therefore left out while performing idempotency checks
type: str
sourcetype:
description:
- The value to populate in the sourcetype field for incoming events.
type: str
time_before_close:
description:
- When Splunk software reaches the end of a file that is being read, the file
is kept open for a minimum of the number of seconds specified in this value.
After this period has elapsed, the file is checked again for more data.
- This parameter is not returned back by Splunk while obtaining object information.
It is therefore left out while performing idempotency checks
type: int
whitelist:
description:
- Specify a regular expression for a file path. Only file paths that match this
regular expression are indexed.
type: str
type: list
running_config:
description:
- The module, by default, will connect to the remote device and retrieve the current
running-config to use as a base for comparing against the contents of source. There
are times when it is not desirable to have the task get the current running-config
for every task in a playbook. The I(running_config) argument allows the implementer
to pass in the configuration to use as the base config for comparison. This value
of this option should be the output received from device by executing command.
type: str
after:
description: The configuration as structured data after module completion.
returned: when changed
sample: The configuration returned will always be in the same format of the parameters
above.
type: list
before:
description: The configuration as structured data prior to module invocation.
returned: always
sample: The configuration returned will always be in the same format of the parameters
above.
type: list