def main():
argspec = dict(
name=dict(required=True, type="str"),
state=dict(choices=["present", "absent"], required=True),
blacklist=dict(required=False, type="str", default=None),
check_index=dict(required=False, type="bool", default=False),
check_path=dict(required=False, type="bool", default=None),
crc_salt=dict(required=False, type="str", default=None),
disabled=dict(required=False, type="bool", default=False),
followTail=dict(required=False, type="bool", default=False),
host=dict(required=False, type="str", default=None),
host_segment=dict(required=False, type="int", default=None),
host_regex=dict(required=False, type="str", default=None),
ignore_older_than=dict(required=False, type="str", default=None),
index=dict(required=False, type="str", default=None),
recursive=dict(required=False, type="bool", default=False),
rename_source=dict(required=False, type="str", default=None),
sourcetype=dict(required=False, type="str", default=None),
time_before_close=dict(required=False, type="int", default=None),
whitelist=dict(required=False, type="str", default=None),
)
module = AnsibleModule(argument_spec=argspec, supports_check_mode=True)
# map of keys for the splunk REST API that aren't pythonic so we have to
# handle the substitutes
keymap = {
"check_index": "check-index",
"check_path": "check-path",
"crc_salt": "crc-salt",
"ignore_older_than": "ignore-older-than",
"rename_source": "rename-source",
"time_before_close": "time-before-close",
}
splunk_request = SplunkRequest(
module,
headers={"Content-Type": "application/x-www-form-urlencoded"},
keymap=keymap,
not_rest_data_keys=["state"],
)
# This is where the splunk_* args are processed
request_data = splunk_request.get_data()
query_dict = splunk_request.get_by_path(
"servicesNS/nobody/search/data/inputs/monitor/{0}".format(
quote_plus(module.params["name"])))
if module.params["state"] == "present":
if query_dict:
needs_change = False
for arg in request_data:
if arg in query_dict["entry"][0]["content"]:
if to_text(
query_dict["entry"][0]["content"][arg]) != to_text(
request_data[arg]):
needs_change = True
if not needs_change:
module.exit_json(changed=False,
msg="Nothing to do.",
splunk_data=query_dict)
if module.check_mode and needs_change:
module.exit_json(
changed=True,
msg="A change would have been made if not in check mode.",
splunk_data=query_dict,
)
if needs_change:
splunk_data = splunk_request.create_update(
"servicesNS/nobody/search/data/inputs/monitor/{0}".format(
quote_plus(module.params["name"])))
module.exit_json(changed=True,
msg="{0} updated.",
splunk_data=splunk_data)
else:
# Create it
_data = splunk_request.get_data()
_data["name"] = module.params["name"]
splunk_data = splunk_request.create_update(
"servicesNS/nobody/search/data/inputs/monitor",
data=urlencode(_data))
module.exit_json(changed=True,
msg="{0} created.",
splunk_data=splunk_data)
if module.params["state"] == "absent":
if query_dict:
splunk_data = splunk_request.delete_by_path(
"servicesNS/nobody/search/data/inputs/monitor/{0}".format(
quote_plus(module.params["name"])))
module.exit_json(
changed=True,
msg="Deleted {0}.".format(module.params["name"]),
splunk_data=splunk_data,
)
module.exit_json(changed=False,
msg="Nothing to do.",
splunk_data=query_dict)
def main():
argspec = dict(
state=dict(
required=False,
choices=["present", "absent", "enabled", "disable"],
default="present",
type="str",
),
connection_host=dict(required=False,
choices=["ip", "dns", "none"],
default="ip",
type="str"),
host=dict(required=False, type="str", default=None),
index=dict(required=False, type="str", default=None),
name=dict(required=True, type="str"),
protocol=dict(required=True, type="str", choices=["tcp", "udp"]),
queue=dict(
required=False,
type="str",
choices=["parsingQueue", "indexQueue"],
default="parsingQueue",
),
rawTcpDoneTimeout=dict(required=False, type="int", default=10),
restrictToHost=dict(required=False, type="str", default=None),
ssl=dict(required=False, type="bool", default=None),
source=dict(required=False, type="str", default=None),
sourcetype=dict(required=False, type="str", default=None),
datatype=dict(required=False, choices=["cooked", "raw"],
default="raw"),
)
module = AnsibleModule(argument_spec=argspec, supports_check_mode=True)
splunk_request = SplunkRequest(
module,
headers={"Content-Type": "application/x-www-form-urlencoded"},
not_rest_data_keys=["state", "datatype", "protocol"],
)
# This is where the splunk_* args are processed
request_data = splunk_request.get_data()
query_dict = splunk_request.get_by_path(
"servicesNS/nobody/search/data/inputs/{0}/{1}/{2}".format(
quote_plus(module.params["protocol"]),
quote_plus(module.params["datatype"]),
quote_plus(module.params["name"]),
))
if module.params["state"] in ["present", "enabled", "disabled"]:
_data = splunk_request.get_data()
if module.params["state"] in ["present", "enabled"]:
_data["disabled"] = False
else:
_data["disabled"] = True
if query_dict:
needs_change = False
for arg in request_data:
if arg in query_dict["entry"][0]["content"]:
if to_text(
query_dict["entry"][0]["content"][arg]) != to_text(
request_data[arg]):
needs_change = True
if not needs_change:
module.exit_json(changed=False,
msg="Nothing to do.",
splunk_data=query_dict)
if module.check_mode and needs_change:
module.exit_json(
changed=True,
msg="A change would have been made if not in check mode.",
splunk_data=query_dict,
)
if needs_change:
splunk_data = splunk_request.create_update(
"servicesNS/nobody/search/data/inputs/{0}/{1}/{2}".format(
quote_plus(module.params["protocol"]),
quote_plus(module.params["datatype"]),
quote_plus(module.params["name"]),
data=urlencode(_data),
))
if module.params["state"] in ["present", "enabled"]:
module.exit_json(changed=True,
msg="{0} updated.",
splunk_data=splunk_data)
else:
module.exit_json(changed=True,
msg="{0} disabled.",
splunk_data=splunk_data)
else:
# Create it
splunk_data = splunk_request.create_update(
"servicesNS/nobody/search/data/inputs/{0}/{1}".format(
quote_plus(module.params["protocol"]),
quote_plus(module.params["datatype"]),
),
data=urlencode(_data),
)
module.exit_json(changed=True,
msg="{0} created.",
splunk_data=splunk_data)
elif module.params["state"] == "absent":
if query_dict:
splunk_data = splunk_request.delete_by_path(
"servicesNS/nobody/search/data/inputs/{0}/{1}/{2}".format(
quote_plus(module.params["protocol"]),
quote_plus(module.params["datatype"]),
quote_plus(module.params["name"]),
))
module.exit_json(
changed=True,
msg="Deleted {0}.".format(module.params["name"]),
splunk_data=splunk_data,
)
module.exit_json(changed=False, msg="Nothing to do.", splunk_data={})
def main():
argspec = dict(
name=dict(required=True, type="str"),
description=dict(required=True, type="str"),
state=dict(choices=["present", "absent", "enabled", "disabled"], required=True),
search=dict(required=True, type="str"),
app=dict(type="str", required=False, default="SplunkEnterpriseSecuritySuite"),
ui_dispatch_context=dict(type="str", required=False),
time_earliest=dict(type="str", required=False, default="-24h"),
time_latest=dict(type="str", required=False, default="now"),
cron_schedule=dict(type="str", required=False, default="*/5 * * * *"),
scheduling=dict(
type="str",
required=False,
default="real-time",
choices=["real-time", "continuous"],
),
schedule_window=dict(type="str", required=False, default="0"),
schedule_priority=dict(
type="str",
required=False,
default="Default",
choices=["Default", "Higher", "Highest"],
),
trigger_alert_when=dict(
type="str",
required=False,
default="number of events",
choices=[
"number of events",
"number of results",
"number of hosts",
"number of sources",
],
),
trigger_alert_when_condition=dict(
type="str",
required=False,
default="greater than",
choices=[
"greater than",
"less than",
"equal to",
"not equal to",
"drops by",
"rises by",
],
),
trigger_alert_when_value=dict(type="str", required=False, default="10"),
throttle_window_duration=dict(type="str", required=False),
throttle_fields_to_group_by=dict(type="str", required=False),
suppress_alerts=dict(type="bool", required=False, default=False),
)
module = AnsibleModule(argument_spec=argspec, supports_check_mode=True)
if module.params["state"] in ["present", "enabled"]:
module_disabled_state = False
else:
module_disabled_state = True
splunk_request = SplunkRequest(
module,
headers={"Content-Type": "application/x-www-form-urlencoded"},
not_rest_data_keys=["state"],
)
try:
query_dict = splunk_request.get_by_path(
"servicesNS/nobody/SplunkEnterpriseSecuritySuite/saved/searches/{0}".format(
quote_plus(module.params["name"])
)
)
except HTTPError as e:
# the data monitor doesn't exist
query_dict = {}
# Have to custom craft the data here because they overload the saved searches
# endpoint in the rest api and we want to hide the nuance from the user
request_post_data = {}
request_post_data["name"] = module.params["name"]
request_post_data["action.correlationsearch.enabled"] = "1"
request_post_data["is_scheduled"] = True
request_post_data["dispatch.rt_backfill"] = True
request_post_data["action.correlationsearch.label"] = module.params["name"]
request_post_data["description"] = module.params["description"]
request_post_data["search"] = module.params["search"]
request_post_data["request.ui_dispatch_app"] = module.params["app"]
if module.params["ui_dispatch_context"]:
request_post_data["request.ui_dispatch_context"] = module.params[
"ui_dispatch_context"
]
request_post_data["dispatch.earliest_time"] = module.params["time_earliest"]
request_post_data["dispatch.latest_time"] = module.params["time_latest"]
request_post_data["cron_schedule"] = module.params["cron_schedule"]
if module.params["scheduling"] == "real-time":
request_post_data["realtime_schedule"] = True
else:
request_post_data["realtime_schedule"] = False
request_post_data["schedule_window"] = module.params["schedule_window"]
request_post_data["schedule_priority"] = module.params["schedule_priority"].lower()
request_post_data["alert_type"] = module.params["trigger_alert_when"]
request_post_data["alert_comparator"] = module.params[
"trigger_alert_when_condition"
]
request_post_data["alert_threshold"] = module.params["trigger_alert_when_value"]
request_post_data["alert.suppress"] = module.params["suppress_alerts"]
request_post_data["disabled"] = module_disabled_state
if module.params["state"] in ["present", "enabled", "disabled"]:
if query_dict:
needs_change = False
for arg in request_post_data:
if arg in query_dict["entry"][0]["content"]:
if to_text(query_dict["entry"][0]["content"][arg]) != to_text(
request_post_data[arg]
):
needs_change = True
if not needs_change:
module.exit_json(
changed=False, msg="Nothing to do.", splunk_data=query_dict
)
if module.check_mode and needs_change:
module.exit_json(
changed=True,
msg="A change would have been made if not in check mode.",
splunk_data=query_dict,
)
if needs_change:
# FIXME - need to find a reasonable way to deal with action.correlationsearch.enabled
del request_post_data[
"name"
] # If this is present, splunk assumes we're trying to create a new one wit the same name
splunk_data = splunk_request.create_update(
"servicesNS/nobody/SplunkEnterpriseSecuritySuite/saved/searches/{0}".format(
quote_plus(module.params["name"])
),
data=urlencode(request_post_data),
)
module.exit_json(
changed=True, msg="{0} updated.", splunk_data=splunk_data
)
else:
# Create it
splunk_data = splunk_request.create_update(
"servicesNS/nobody/SplunkEnterpriseSecuritySuite/saved/searches",
data=urlencode(request_post_data),
)
module.exit_json(changed=True, msg="{0} created.", splunk_data=splunk_data)
elif module.params["state"] == "absent":
if query_dict:
splunk_data = splunk_request.delete_by_path(
"services/saved/searches/{0}".format(quote_plus(module.params["name"]))
)
module.exit_json(
changed=True,
msg="Deleted {0}.".format(module.params["name"]),
splunk_data=splunk_data,
)
module.exit_json(changed=False, msg="Nothing to do.", splunk_data=query_dict)