community.general.splunk callback – Sends task result events to Splunk HTTP Event Collector

Note

This callback plugin is part of the community.general collection (version 4.8.3).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.general.

To use it in a playbook, specify: community.general.splunk.

Synopsis

  • This callback plugin will send task results as JSON formatted events to a Splunk HTTP collector.

  • The companion Splunk Monitoring & Diagnostics App is available here “https://splunkbase.splunk.com/app/4023/

  • Credit to “Ryan Currah (@ryancurrah)” for original source upon which this is based.

Requirements

The below requirements are needed on the local controller node that executes this callback.

  • Whitelisting this callback plugin

  • Create a HTTP Event Collector in Splunk

  • Define the url and token in ansible.cfg

Parameters

Parameter

Comments

authtoken

string

Token to authenticate the connection to the Splunk HTTP collector

Configuration:

  • INI entry:

    [callback_splunk]
authtoken = None

  • Environment variable: SPLUNK_AUTHTOKEN

batch

string

added in 3.3.0 of community.general

Correlation ID which can be set across multiple playbook executions.

Configuration:

  • INI entry:

    [callback_splunk]
batch = None

  • Environment variable: SPLUNK_BATCH

include_milliseconds

boolean

added in 2.0.0 of community.general

Whether to include milliseconds as part of the generated timestamp field in the event sent to the Splunk HTTP collector

Choices:

  • no ← (default)

  • yes

Configuration:

  • INI entry:

    [callback_splunk]
include_milliseconds = no

  • Environment variable: SPLUNK_INCLUDE_MILLISECONDS

url

string

URL to the Splunk HTTP collector source

Configuration:

  • INI entry:

    [callback_splunk]
url = None

  • Environment variable: SPLUNK_URL

validate_certs

boolean

added in 1.0.0 of community.general

Whether to validate certificates for connections to HEC. It is not recommended to set to false except when you are sure that nobody can intercept the connection between this plugin and HEC, as setting it to false allows man-in-the-middle attacks!

Choices:

  • no

  • yes ← (default)

Configuration:

  • INI entry:

    [callback_splunk]
validate_certs = yes

  • Environment variable: SPLUNK_VALIDATE_CERTS

Examples

examples: >
  To enable, add this to your ansible.cfg file in the defaults block
    [defaults]
    callback_whitelist = community.general.splunk
  Set the environment variable
    export SPLUNK_URL=http://mysplunkinstance.datapaas.io:8088/services/collector/event
    export SPLUNK_AUTHTOKEN=f23blad6-5965-4537-bf69-5b5a545blabla88
  Set the ansible.cfg variable in the callback_splunk block
    [callback_splunk]
    url = http://mysplunkinstance.datapaas.io:8088/services/collector/event
    authtoken = f23blad6-5965-4537-bf69-5b5a545blabla88

Authors

  • Stuart Hirst

Hint

Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up.