@hozez
Last active November 29, 2017 13:53
Splunk Standalone Readme

Abstract

The setup_splunk_standalone.py script prepares a standalone Splunk instance for integration with the Intsights Virtual Appliance. It (re)creates the intsights_ioc_app app and the intsights_ioc_store KV store through the Splunk REST API on the management port (8089) and then makes Splunk pick up the new transforms.conf, either by reloading it or by restarting Splunk.

Connecting to the appliance in expert mode

SSH to the TIP Appliance and enter expert mode by typing 2 and then 4.

Script usage

$ docker exec -it agent-integrator python3 integrator/integrators/splunk/scripts/setup_splunk_standalone.py --help

usage: setup_splunk_standalone.py [-h] -H HOSTNAME --ssh-username SSH_USERNAME
                                  --api-username API_USERNAME
                                  [--restart | --reload-transforms]

Setup script for Intsights <-> Splunk integration.

optional arguments:
  -h, --help            show this help message and exit
  -H HOSTNAME, --hostname HOSTNAME
                        The hostname for Splunk.
  --ssh-username SSH_USERNAME
                        The SSH user for Splunk.
  --api-username API_USERNAME
                        The REST API username for Splunk.

Apply transforms.conf configuration:
  --restart             Restart Splunk after finishing the configuration.
  --reload-transforms   Reload the transforms.conf for Splunk after finishing
                        the configuration.

Script usage examples

Example that applies the new transforms.conf via the Splunk debug refresh endpoint (this is why the script also obtains a Splunk UI login):

$ docker exec -it agent-integrator python3 integrator/integrators/splunk/scripts/setup_splunk_standalone.py -H 192.168.0.27 --ssh-username root --api-username admin --reload-transforms

Please enter the Splunk REST API password for user admin:
Please enter the Splunk SSH password for user root:
Deleting Splunk App intsights_ioc_app (if it exists).
Creating Splunk App intsights_ioc_app.
Deleting IOC KV store "intsights_ioc_store" (if it exists).
Creating IOC KV store "intsights_ioc_store".
Configuring IOC KV store "intsights_ioc_store".
Getting Splunk UI login.
Reloading transforms.conf
Splunk configuration finished successfully.

Example that applies the new transforms.conf by restarting Splunk:

$ docker exec -it agent-integrator python3 integrator/integrators/splunk/scripts/setup_splunk_standalone.py -H 192.168.0.27 --ssh-username root --api-username admin --restart

Please enter the Splunk REST API password for user admin:
Please enter the Splunk SSH password for user root:
Deleting Splunk App intsights_ioc_app (if it exists).
Creating Splunk App intsights_ioc_app.
Deleting IOC KV store "intsights_ioc_store" (if it exists).
Creating IOC KV store "intsights_ioc_store".
Configuring IOC KV store "intsights_ioc_store".
Restarting Splunk.
Splunk configuration finished successfully.

Example with debug output:

$ docker exec -it agent-integrator python3 integrator/integrators/splunk/scripts/setup_splunk_standalone.py -H 192.168.0.27 --ssh-username root --api-username admin --reload-transforms --debug

Please enter the Splunk REST API password for user admin:
Please enter the Splunk SSH password for user root:
Deleting Splunk App intsights_ioc_app (if it exists).
Performing HTTP DELETE request to URL https://192.168.0.27:8089/services/apps/local/intsights_ioc_app, args: (), kwargs: {}.
HTTP status code was 200, headers "{'Content-Type': 'text/xml; charset=UTF-8', 'X-Frame-Options': 'SAMEORIGIN', 'Date': 'Wed, 29 Nov 2017 12:06:49 GMT', 'Connection': 'Keep-Alive', 'X-Content-Type-Options': 'nosniff', 'Content-Encoding': 'gzip', 'Server': 'Splunkd', 'Cache-Control': 'no-store, no-cache, must-revalidate, max-age=0', 'Content-Length': '504', 'Expires': 'Thu, 26 Oct 1978 00:00:00 GMT', 'Vary': 'Accept-Encoding, Cookie, Authorization'}", body: "<?xml version="1.0" encoding="UTF-8"?>

--- Trimmed for brevity ---

Refreshing admin/transforms-lookup      OK
DONE
Splunk configuration finished successfully.
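The sequence of Splunk REST calls that the script output above walks through (delete/create app, delete/create/configure KV store, then reload or restart), as an added Python example that is not the Intsights script and not code from this gist. It builds the call plan first so it can be reviewed before anything touches the instance, treats a 404 on the delete steps as the "(if it exists)" case, aborts on any other non-2xx status, and verifies splunkd's TLS certificate against a CA file instead of disabling verification. Assumptions not taken from the page: the endpoint paths are the public splunkd ones (services/apps/local, storage/collections/config, server/control/restart), the reload step uses splunkd's admin/transforms-lookup/_reload endpoint in place of the Splunk Web /debug/refresh call the script uses (which needs a UI session rather than basic auth), and the KV store field names and the lookup stanza name are placeholders.

```python
"""Added example (not the Intsights setup script): the REST call plan behind the
setup_splunk_standalone.py output, built first so it can be reviewed, then run
through a pluggable transport. Endpoint paths, field names and the lookup
stanza name are assumptions, not taken from the gist."""
import ssl
import urllib.error
import urllib.parse
import urllib.request
from base64 import b64encode
from typing import Callable, Dict, List, Tuple

Op = Tuple[str, str, Dict[str, str]]  # (HTTP method, URL, form body)


def plan_setup(host: str, app: str, collection: str,
               fields: Dict[str, str], apply: str, mgmt_port: int = 8089) -> List[Op]:
    """Ordered REST operations for a standalone Splunk instance.

    apply is "reload" (reload transforms.conf via splunkd's _reload endpoint,
    assumed here instead of the script's Splunk Web /debug/refresh call) or
    "restart" (POST server/control/restart, as --restart does).
    """
    if apply not in ("reload", "restart"):
        raise ValueError("apply must be 'reload' or 'restart'")
    mgmt = f"https://{host}:{mgmt_port}"
    coll_cfg = f"{mgmt}/servicesNS/nobody/{app}/storage/collections/config"
    ops: List[Op] = [
        # Delete the app if it exists, then recreate it from scratch.
        ("DELETE", f"{mgmt}/services/apps/local/{app}", {}),
        ("POST", f"{mgmt}/services/apps/local", {"name": app}),
        # Same delete/create pattern for the KV store collection.
        ("DELETE", f"{coll_cfg}/{collection}", {}),
        ("POST", coll_cfg, {"name": collection}),
        # Configure the collection schema as field.<name>=<type> (assumed names).
        ("POST", f"{coll_cfg}/{collection}",
         {f"field.{name}": ftype for name, ftype in fields.items()}),
    ]
    if apply == "reload":
        ops.append(("POST", f"{mgmt}/services/admin/transforms-lookup/_reload", {}))
    else:
        ops.append(("POST", f"{mgmt}/services/server/control/restart", {}))
    return ops


def transforms_stanza(lookup: str, collection: str, fields: Dict[str, str]) -> str:
    """transforms.conf stanza exposing the KV store collection as a lookup."""
    return "\n".join([
        f"[{lookup}]",
        "external_type = kvstore",
        f"collection = {collection}",
        "fields_list = " + ", ".join(["_key"] + list(fields)),
    ])


def execute(ops: List[Op], send: Callable[[str, str, Dict[str, str]], int]) -> List[int]:
    """Run the plan through `send`; return all status codes.

    A 404 on a DELETE means the object did not exist and is fine; any other
    non-2xx status aborts so a half-configured instance is not left behind.
    """
    codes: List[int] = []
    for method, url, body in ops:
        code = send(method, url, body)
        codes.append(code)
        if method == "DELETE" and code == 404:
            continue
        if not 200 <= code < 300:
            raise RuntimeError(f"{method} {url} returned HTTP {code}")
    return codes


def urllib_sender(username: str, password: str, cafile: str) -> Callable[[str, str, Dict[str, str]], int]:
    """Real transport: HTTP basic auth over TLS verified against `cafile`.

    splunkd ships with a self-signed certificate; point cafile at that cert
    (or your own CA) rather than turning verification off.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    token = b64encode(f"{username}:{password}".encode()).decode()

    def send(method: str, url: str, body: Dict[str, str]) -> int:
        data = urllib.parse.urlencode(body).encode() if body else None
        req = urllib.request.Request(url, data=data, method=method,
                                     headers={"Authorization": f"Basic {token}"})
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code  # let execute() decide whether this status is fatal
    return send


if __name__ == "__main__":
    # Host and names from the gist's examples; field names are placeholders.
    demo_fields = {"ioc_value": "string", "ioc_type": "string"}
    for op in plan_setup("192.168.0.27", "intsights_ioc_app", "intsights_ioc_store",
                         demo_fields, "reload"):
        print(*op)
    print(transforms_stanza("intsights_ioc_lookup", "intsights_ioc_store", demo_fields))
```

Keep prompting for the API and SSH passwords interactively, as the script does, rather than passing them on the command line where they land in shell history and `ps` output, and prefer a dedicated Splunk API role with only the app, KV store and reload capabilities over the built-in admin, and a non-root SSH user over `--ssh-username root`.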