From 2640a17607887dfa10cde38f2cb7031cd2752db1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Duchesneau?=
Date: Tue, 17 Oct 2017 14:52:43 -0400
Subject: [PATCH 1/7] add slack plugin
---
 config/blobs.yml | 5 +++--
 packages/splunk/packaging | 3 +++
 packages/splunk/spec | 1 +
 3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/config/blobs.yml b/config/blobs.yml
index 31d2711..2151682 100644
--- a/config/blobs.yml
+++ b/config/blobs.yml
@@ -24,7 +24,6 @@ python/pip-9.0.1-py2.py3-none-any.whl:
 sha: c70393185d27ae8b49a117e6dcc18bc5f8f3a1c3
 python/pyldap-2.4.37.tar.gz:
 size: 303732
- object_id: 49e5b6d5-c2b0-41b0-5a8b-7577205c574d
 sha: 8ea28d03dd4b229dd7e296db404e598883070394
 python/requests-v2.18.4.tar.gz:
 size: 3040025
@@ -50,6 +49,9 @@ splunk/rfc5424-syslog_11.tgz:
 size: 2321
 object_id: c357f28b-215d-4cfb-535b-599b0ecd26be
 sha: 7ff46da6351183dfd8eefe92140c99307abce76b
+splunk/slack-webhook-alert_201.tgz:
+ size: 555757
+ sha: 90158e8554e0da79caea036c5ef95dbe9e5d59f1
 splunk/splunk-add-on-for-cloud-foundry_020.tgz:
 size: 24761
 object_id: 8f3aa816-6796-4af4-762e-34c98a3fd288
@@ -60,7 +62,6 @@ splunk/splunk-linux-x86_64.tgz:
 sha: 637043d9a5f4a3a093e8b01586357647e179f78c
 splunk/splunk-version.txt:
 size: 108
- object_id: 8a19c664-a72f-4456-62bd-505ed67a400b
 sha: ea02a4a7511b7d006fbd8bcd9bbb61ef0a05d4e3
 splunk/website-monitoring_26.tgz:
 size: 1360994
diff --git a/packages/splunk/packaging b/packages/splunk/packaging
index 34424db..b78a200 100644
--- a/packages/splunk/packaging
+++ b/packages/splunk/packaging
@@ -15,3 +15,6 @@ tar xzf splunk/splunk-add-on-for-cloud-foundry_020.tgz \
 tar xzf splunk/website-monitoring_26.tgz \
 -C ${BOSH_INSTALL_TARGET}/etc/apps
+
+tar xzf splunk/slack-webhook-alert_201.tgz \
+ -C ${BOSH_INSTALL_TARGET}/etc/apps
diff --git a/packages/splunk/spec b/packages/splunk/spec
index 37f19eb..a16530d 100644
--- a/packages/splunk/spec
+++ b/packages/splunk/spec
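Review bot: The new `splunk/slack-webhook-alert_201.tgz` entry in the `@@ -50,6 +49,9 @@` hunk records `size` and `sha` but no `object_id`, while the same commit deletes the `object_id` of `python/pyldap-2.4.37.tar.gz` and `splunk/splunk-version.txt`, which has nothing to do with adding the plugin. An entry without `object_id` is presumably a blob that has not yet been pushed with `bosh upload-blobs`, so the new blob needs that step before a final release can be cut, and stripping the ids from the two existing blobs looks like an accidental side effect of re-syncing blobs.yml that should be reverted or split into its own commit. The digest is a 40-hex SHA-1; if the BOSH CLI version in use records `sha256:`-prefixed digests for blobs, pinning the third-party Splunk app that way would strengthen the only integrity check this repo applies to it — confirm against `bosh add-blob` output.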
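Review bot: The added `tar xzf splunk/slack-webhook-alert_201.tgz \` block unpacks a third-party Splunk alert action straight into `${BOSH_INSTALL_TARGET}/etc/apps` with no comment on where it comes from, and the only provenance control is the `sha` recorded for the blob in `config/blobs.yml`. A one-line comment above it, `# third-party Splunk app (slack-webhook-alert); integrity is pinned only by the sha in config/blobs.yml`, would make that dependency explicit for whoever bumps the version next. The unquoted `${BOSH_INSTALL_TARGET}` matches the existing lines in the hunk, so it is consistent, if not ideal.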
@@ -7,5 +7,6 @@ files:
 - splunk/splunk-linux-x86_64.tgz
 - splunk/splunk-version.txt
 - splunk/rfc5424-syslog_11.tgz
+ - splunk/slack-webhook-alert_201.tgz
 - splunk/splunk-add-on-for-cloud-foundry_020.tgz
 - splunk/website-monitoring_26.tgz
From 9630de08ec3e5f294290d8789f8a1eed3950ba0c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Duchesneau?=
Date: Tue, 17 Oct 2017 14:53:19 -0400
Subject: [PATCH 2/7] initial attempt at savedsearces
---
 jobs/splunk-full/spec | 1 +
 jobs/splunk-full/templates/ctl.sh.erb | 3 ++
 ..._admin_search_local_savedsearches.conf.erb | 50 +++++++++++++++++++
 3 files changed, 54 insertions(+)
 create mode 100644 jobs/splunk-full/templates/users_admin_search_local_savedsearches.conf.erb
diff --git a/jobs/splunk-full/spec b/jobs/splunk-full/spec
index e38dd96..fc7535b 100644
--- a/jobs/splunk-full/spec
+++ b/jobs/splunk-full/spec
@@ -19,6 +19,7 @@ templates:
 mycerts_cert.pem.erb: config/mycerts/cert.pem
 sample_cf_ops_dashboard.xml.erb: config/Splunk_SA_CloudFoundry/local/sample_cf_ops_dashboard.xml
 savedsearches.conf.erb: config/Splunk_SA_CloudFoundry/local/savedsearches.conf
+ users_admin_search_local_savedsearches.conf.erb: config/users_admin_search_local/savedsearches.conf
 website_monitoring/app.conf: config/website_monitoring_local/app.conf
 website_monitoring/inputs.conf.erb: config/website_monitoring_local/inputs.conf
 website_monitoring/website_monitoring.conf: config/website_monitoring_local/website_monitoring.conf
diff --git a/jobs/splunk-full/templates/ctl.sh.erb b/jobs/splunk-full/templates/ctl.sh.erb
index 014818a..24f0473 100644
--- a/jobs/splunk-full/templates/ctl.sh.erb
+++ b/jobs/splunk-full/templates/ctl.sh.erb
@@ -25,6 +25,9 @@ case $1 in
 # install local config files
 ln -fs ${JOB_DIR}/config/system_local/* ${PACKAGE_DIR}/etc/system/local/
+ mkdir -p ${PACKAGE_DIR}/etc/users/admin/search/local
+ ln -fs ${JOB_DIR}/config/users_admin_search_local/savedsearches.conf
+
 # install idpCerts
 mkdir -p ${PACKAGE_DIR}/etc/auth/idpCerts
 ln -s ${JOB_DIR}/config/auth/idpCerts/* ${PACKAGE_DIR}/etc/auth/idpCerts/
diff --git a/jobs/splunk-full/templates/users_admin_search_local_savedsearches.conf.erb b/jobs/splunk-full/templates/users_admin_search_local_savedsearches.conf.erb
new file mode 100644
index 0000000..68c9a85
--- /dev/null
+++ b/jobs/splunk-full/templates/users_admin_search_local_savedsearches.conf.erb
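Review bot: The added `ln -fs ${JOB_DIR}/config/users_admin_search_local/savedsearches.conf` has no destination operand, so the symlink is created in whatever directory ctl.sh happens to be running in rather than in the `etc/users/admin/search/local` directory that the `mkdir -p` on the previous line prepares. It should read `ln -fs ${JOB_DIR}/config/users_admin_search_local/savedsearches.conf ${PACKAGE_DIR}/etc/users/admin/search/local/`. Patch 3/7 in this series supplies a destination when it relocates the file to `etc/apps/search/local/`, so this only matters if the commits are kept separate. The enclosing `case $1 in` block starts and ends outside the hunk.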
@@ -0,0 +1,50 @@
+<% if_p('cf_splunk.alerts') do |alerts| %><% alerts.each do |alert| -%>
+[<%= alert['name'] %>]
+description = <%= alert['description'] %>
+<% if alert.has_key?('slack') -%>
+action.slack_webhook_alert = 1
+action.slack_webhook_alert.param.slack_webhook = <%= alert['slack']['webhook'] %>
+action.slack_webhook_alert.param.slack_message = <% if alert['slack'].has_key?('message') %><%= alert['slack']['message'] %><% else %>```$result._raw$```<% end %>
+<% end -%>
+<% if alert.has_key?('email') %>
+action.email = 1
+action.email.sendresults = 1
+action.email.to = <%= alert['email'] %>
+action.email.useNSSubject = 1
+<% end -%>
+<% if alert.has_key?('script') %>
+action.script = 1
+action.script.filename = <%= alert['script'] %>
+<% end -%>
+<% if alert.has_key?('schedule') %>
+cron_schedule = <%= alert['schedule']['cron_schedule'] %>
+<% else %>
+cron_schedule = * * * * *
+<% end %>
+<% if alert.has_key?('conditions') %>
+counttype = <%= alert['conditions']['counttype'] %>
+dispatch.earliest_time = <%= alert['conditions']['earliest_time'] %>
+dispatch.latest_time = <%= alert['conditions']['latest_time'] %>
+relation = <%= alert['conditions']['relation'] %>
+quantity = <%= alert['conditions']['quantity'] %>
+<% else %>
+dispatch.earliest_time = rt
+dispatch.latest_time = rt
+<% end %>
+<% if alert.has_key?('suppress') -%>
+alert.suppress = 1
+alert.suppress.period = <%= suppress %>s
+alert.track = 0
+<% else -%>
+alert.suppress = 0
+<% end %>
+search = <%= alert['search'] %>
+request.ui_dispatch_app = search
+request.ui_dispatch_view = search
+enableSched = 1
+<% end %><% end -%>
+
+
+
+
+
From 4f5601b4b74398e48099e56cb835ef89ced71811 Mon Sep 17 00:00:00 2001
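Review bot: `alert.suppress.period = <%= suppress %>s` uses a bare `suppress` local that nothing in the template defines — the two enclosing blocks only bind `alerts` and `alert` — so rendering any alert that carries a `suppress` key should fail with a NameError instead of producing the stanza; the line should be `alert.suppress.period = <%= alert['suppress'] %>s`. The identical line survives as context in the 6/7 hunk of this series (`@@ -6,38 +6,38 @@`), which only adjusts the surrounding `-%>` markers, so the fix applies there too. Separately, every manifest value (`name`, `description`, `search`, `webhook`, `script`, ...) is interpolated verbatim into a line-oriented conf file, so a value containing a newline would open a new key or stanza; the input is the operator's own deployment manifest, so the risk is low, but a comment above the `alerts.each` loop stating that values are trusted and must be single-line would record the assumption. The Slack webhook URL also lands in clear text in `savedsearches.conf`; if the slack-webhook-alert app can read it from Splunk's credential store instead, that would be worth preferring — confirm against the app's documentation.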
From: =?UTF-8?q?St=C3=A9phane=20Duchesneau?=
Date: Thu, 19 Oct 2017 10:25:42 -0400
Subject: [PATCH 3/7] move savedsearches location, add ui-prefs for default period=1d
---
 jobs/splunk-full/spec | 3 ++-
 ...hes.conf.erb => apps_search_local_savedsearches.conf.erb} | 0
 .../templates/apps_search_local_ui-prefs.conf.erb | 3 +++
 jobs/splunk-full/templates/ctl.sh.erb | 5 +++--
 4 files changed, 8 insertions(+), 3 deletions(-)
 rename jobs/splunk-full/templates/{users_admin_search_local_savedsearches.conf.erb => apps_search_local_savedsearches.conf.erb} (100%)
 create mode 100644 jobs/splunk-full/templates/apps_search_local_ui-prefs.conf.erb
diff --git a/jobs/splunk-full/spec b/jobs/splunk-full/spec
index fc7535b..f91ad3a 100644
--- a/jobs/splunk-full/spec
+++ b/jobs/splunk-full/spec
@@ -19,7 +19,8 @@ templates:
 mycerts_cert.pem.erb: config/mycerts/cert.pem
 sample_cf_ops_dashboard.xml.erb: config/Splunk_SA_CloudFoundry/local/sample_cf_ops_dashboard.xml
 savedsearches.conf.erb: config/Splunk_SA_CloudFoundry/local/savedsearches.conf
- users_admin_search_local_savedsearches.conf.erb: config/users_admin_search_local/savedsearches.conf
+ apps_search_local_savedsearches.conf.erb: config/apps_search_local/savedsearches.conf
+ apps_search_local_ui-prefs.conf.erb: config/apps_search_local/ui-prefs.conf
 website_monitoring/app.conf: config/website_monitoring_local/app.conf
 website_monitoring/inputs.conf.erb: config/website_monitoring_local/inputs.conf
 website_monitoring/website_monitoring.conf: config/website_monitoring_local/website_monitoring.conf
diff --git a/jobs/splunk-full/templates/users_admin_search_local_savedsearches.conf.erb b/jobs/splunk-full/templates/apps_search_local_savedsearches.conf.erb
similarity index 100%
rename from jobs/splunk-full/templates/users_admin_search_local_savedsearches.conf.erb
rename to jobs/splunk-full/templates/apps_search_local_savedsearches.conf.erb
diff --git a/jobs/splunk-full/templates/apps_search_local_ui-prefs.conf.erb b/jobs/splunk-full/templates/apps_search_local_ui-prefs.conf.erb
new file mode 100644
index 0000000..0f7259a
--- /dev/null
+++ b/jobs/splunk-full/templates/apps_search_local_ui-prefs.conf.erb
@@ -0,0 +1,3 @@
+[search]
+dispatch.earliest_time = @d
+dispatch.latest_time = now
\ No newline at end of file
diff --git a/jobs/splunk-full/templates/ctl.sh.erb b/jobs/splunk-full/templates/ctl.sh.erb
index 24f0473..3deb368 100644
--- a/jobs/splunk-full/templates/ctl.sh.erb
+++ b/jobs/splunk-full/templates/ctl.sh.erb
@@ -25,8 +25,9 @@ case $1 in
 # install local config files
 ln -fs ${JOB_DIR}/config/system_local/* ${PACKAGE_DIR}/etc/system/local/
- mkdir -p ${PACKAGE_DIR}/etc/users/admin/search/local
- ln -fs ${JOB_DIR}/config/users_admin_search_local/savedsearches.conf
+ mkdir -p ${PACKAGE_DIR}/etc/apps/search/local
+ ln -fs ${JOB_DIR}/config/apps_search_local/savedsearches.conf ${PACKAGE_DIR}/etc/apps/search/local/
+ ln -fs ${JOB_DIR}/config/apps_search_local/ui-prefs.conf ${PACKAGE_DIR}/etc/apps/search/local/
 # install idpCerts
 mkdir -p ${PACKAGE_DIR}/etc/auth/idpCerts
From 2e68d4d88d48dbe3838599f2c21444667e0e890a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Duchesneau?=
Date: Thu, 19 Oct 2017 10:28:26 -0400
Subject: [PATCH 4/7] allow empty cf_splunk.mailuser
---
 jobs/splunk-full/templates/system_alert_actions.conf.erb | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/jobs/splunk-full/templates/system_alert_actions.conf.erb b/jobs/splunk-full/templates/system_alert_actions.conf.erb
index 9ceea49..243d974 100644
--- a/jobs/splunk-full/templates/system_alert_actions.conf.erb
+++ b/jobs/splunk-full/templates/system_alert_actions.conf.erb
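Review bot: The new `apps_search_local_ui-prefs.conf.erb` ends without a terminating newline (`\ No newline at end of file` after `dispatch.latest_time = now`). Splunk's conf parser presumably tolerates it, but the next edit to the file will show a spurious change on that last line, so a trailing newline is worth adding now.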
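Review bot: `ln -fs ${JOB_DIR}/config/apps_search_local/savedsearches.conf ${PACKAGE_DIR}/etc/apps/search/local/` and the `ui-prefs.conf` line below it point Splunk's writable `search/local` directory at files rendered into the job directory. Splunk presumably rewrites `etc/apps/search/local/savedsearches.conf` when someone saves or edits an app-shared search from the UI, so such edits would either follow the symlink into `${JOB_DIR}/config` and be lost on the next deploy, or fail outright if that path is read-only — confirm which happens on a running VM. A comment above the `mkdir -p` along the lines of `# savedsearches.conf and ui-prefs.conf here are owned by the BOSH template; UI edits are not persisted` would spare the next operator the surprise. The `case $1 in` block these lines sit in starts and ends outside the hunk.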
@@ -1,6 +1,8 @@
 [email]
 mailserver = <%= p('cf_splunk.mailserver') %>
+<% if_p('cf_splunk_mailuser') -%>
 auth_username = <%= p('cf_splunk.mailuser') %>
 auth_password = <%= p('cf_splunk.mailpassword') %>
+<% end -%>
 use_tls = <%= p('cf_splunk.mail_use_tls') %>
 use_ssl = <%= p('cf_splunk.mail_use_ssl') %>
From 3856d13d502a86adf99581c22d96c394d1d71a0b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Duchesneau?=
Date: Thu, 19 Oct 2017 10:35:22 -0400
Subject: [PATCH 5/7] allow empty cf_splunk.mailuser
---
 jobs/splunk-full/templates/system_alert_actions.conf.erb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/jobs/splunk-full/templates/system_alert_actions.conf.erb b/jobs/splunk-full/templates/system_alert_actions.conf.erb
index 243d974..566bcb8 100644
--- a/jobs/splunk-full/templates/system_alert_actions.conf.erb
+++ b/jobs/splunk-full/templates/system_alert_actions.conf.erb
@@ -1,7 +1,7 @@
 [email]
 mailserver = <%= p('cf_splunk.mailserver') %>
-<% if_p('cf_splunk_mailuser') -%>
-auth_username = <%= p('cf_splunk.mailuser') %>
+<% if_p('cf_splunk.mailuser') do |mailuser| -%>
+auth_username = <%= mailuser %>
 auth_password = <%= p('cf_splunk.mailpassword') %>
 <% end -%>
 use_tls = <%= p('cf_splunk.mail_use_tls') %>
From 1c4c24ee5dbdc5ca52957eeae5421c103ee359ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Duchesneau?=
Date: Thu, 19 Oct 2017 10:35:56 -0400
Subject: [PATCH 6/7] fix savesearches template generating empty lines with -%>
---
 .../apps_search_local_savedsearches.conf.erb | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/jobs/splunk-full/templates/apps_search_local_savedsearches.conf.erb b/jobs/splunk-full/templates/apps_search_local_savedsearches.conf.erb
index 68c9a85..7423b99 100644
--- a/jobs/splunk-full/templates/apps_search_local_savedsearches.conf.erb
+++ b/jobs/splunk-full/templates/apps_search_local_savedsearches.conf.erb
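Review bot: In the 5/7 hunk (`@@ -1,7 +1,7 @@`), `auth_password = <%= p('cf_splunk.mailpassword') %>` now sits inside the `if_p('cf_splunk.mailuser') do |mailuser|` block, so a manifest that sets `mailuser` but leaves `mailpassword` unset will fail to render unless the job spec gives `cf_splunk.mailpassword` a default — the spec is not part of this diff, so I cannot tell. If the intent is "username implies password", that is fine and a comment saying so would help; if a password-less username should be allowed, `<%= p('cf_splunk.mailpassword', '') %>` makes the dependency explicit. The `use_tls`/`use_ssl` lines are unchanged and render whatever the manifest provides verbatim, which Splunk expects as `0`/`1`; a one-line comment above `[email]` noting that these properties are operator-supplied and written as-is would document the trust boundary for the whole stanza.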
@@ -6,38 +6,38 @@ action.slack_webhook_alert = 1
 action.slack_webhook_alert.param.slack_webhook = <%= alert['slack']['webhook'] %>
 action.slack_webhook_alert.param.slack_message = <% if alert['slack'].has_key?('message') %><%= alert['slack']['message'] %><% else %>```$result._raw$```<% end %>
 <% end -%>
-<% if alert.has_key?('email') %>
+<% if alert.has_key?('email') -%>
 action.email = 1
 action.email.sendresults = 1
 action.email.to = <%= alert['email'] %>
 action.email.useNSSubject = 1
 <% end -%>
-<% if alert.has_key?('script') %>
+<% if alert.has_key?('script') -%>
 action.script = 1
 action.script.filename = <%= alert['script'] %>
 <% end -%>
-<% if alert.has_key?('schedule') %>
+<% if alert.has_key?('schedule') -%>
 cron_schedule = <%= alert['schedule']['cron_schedule'] %>
-<% else %>
+<% else -%>
 cron_schedule = * * * * *
-<% end %>
-<% if alert.has_key?('conditions') %>
+<% end -%>
+<% if alert.has_key?('conditions') -%>
 counttype = <%= alert['conditions']['counttype'] %>
 dispatch.earliest_time = <%= alert['conditions']['earliest_time'] %>
 dispatch.latest_time = <%= alert['conditions']['latest_time'] %>
 relation = <%= alert['conditions']['relation'] %>
 quantity = <%= alert['conditions']['quantity'] %>
-<% else %>
+<% else -%>
 dispatch.earliest_time = rt
 dispatch.latest_time = rt
-<% end %>
+<% end -%>
 <% if alert.has_key?('suppress') -%>
 alert.suppress = 1
 alert.suppress.period = <%= suppress %>s
 alert.track = 0
 <% else -%>
 alert.suppress = 0
-<% end %>
+<% end -%>
 search = <%= alert['search'] %>
 request.ui_dispatch_app = search
 request.ui_dispatch_view = search
From 72e836e461235669048b7897add642a0fe4e90d9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Duchesneau?=
Date: Thu, 19 Oct 2017 10:45:11 -0400
Subject: [PATCH 7/7] add fun examples to splunk alerts
---
 manifests/splunk-dev-example.yml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/manifests/splunk-dev-example.yml b/manifests/splunk-dev-example.yml index 1adc886..e93c2d7 100644 --- a/manifests/splunk-dev-example.yml +++ b/manifests/splunk-dev-example.yml @@ -49,8 +49,19 @@ instance_groups: - name: splunk-full release: cf-splunk properties: - cf_splunk: + alerts: + - name: alert_printer + description: is an alert for when your printer is on fire + slack: + webhook: "https://hooks.slack.com/services/ABC12345/XYZ54321/H0H0H0" + message: "This is a fake test alert" + search: index=my_index printer fire + - name: alert_banana + description: is an alert for some banana + email: banana@example.com + search: index=bananas banana + script: eat_banana.sh ldap_server_url: ldap://example.com:389 ldap_search_base: dc=example,dc=com cf_url: https://cf.example.com