{"id":50520934,"url":"https://github.com/dryvist/ansible-splunk","last_synced_at":"2026-06-14T02:05:08.479Z","repository":{"id":333364310,"uuid":"1136622691","full_name":"dryvist/ansible-splunk","owner":"dryvist","description":"Ansible role for deploying and configuring Splunk Enterprise - includes HEC input, indexes, apps, and multi-disk storage with Doppler secrets integration","archived":false,"fork":false,"pushed_at":"2026-05-26T00:55:03.000Z","size":518,"stargazers_count":0,"open_issues_count":8,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-26T02:32:53.766Z","etag":null,"topics":["ansible","automation","devops","enterprise","infrastructure-as-code","log-management","logging","monitoring","observability","security","siem","splunk"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dryvist.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-01-18T02:53:28.000Z","updated_at":"2026-05-25T20:15:53.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/dryvist/ansible-splunk","commit_stats":null,"previous_names":["jacobpevans/ansible-splunk","dryvist/ansible-splunk"],"tags_count":33,"template":false,"template_full_name":null,"purl":"pkg:github/dryvist/ansible-splunk","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dryvist%2Fansible-splunk","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dryvist%2Fansible-splunk/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dryvist%2Fansible-splunk/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dryvist%2Fansible-splunk/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dryvist","download_url":"https://codeload.github.com/dryvist/ansible-splunk/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dryvist%2Fansible-splunk/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33847265,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-03T02:00:06.370Z","response_time":59,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","automation","devops","enterprise","infrastructure-as-code","log-management","logging","monitoring","observability","security","siem","splunk"],"created_at":"2026-06-03T04:00:35.417Z","updated_at":"2026-06-14T02:05:08.474Z","avatar_url":"https://github.com/dryvist.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Ansible Splunk Enterprise\n\n[![CI][ci-badge]][ci-url]\n\n[ci-badge]: https://github.com/dryvist/ansible-splunk/actions/workflows/ci-gate.yml/badge.svg\n[ci-url]: https://github.com/dryvist/ansible-splunk/actions/workflows/ci-gate.yml\n\nDeploy and configure Splunk Enterprise (Docker) on a Proxmox VM.\n\n## Quick Facts\n\n| Property | Value |\n| --- | --- |\n| **Type** | Ansible role + playbooks |\n| **Target** | Splunk VM (VMID 200) — addressed from the tofu inventory, or DNS-first as `splunk-aio.{PROXMOX_DOMAIN}` |\n| **Role** | `roles/splunk_docker` |\n| **Entry point** | `playbooks/site.yml` |\n| **Secrets** | Doppler (`iac-conf-mgmt` / `prd`) |\n| **Version** | See `VERSION` |\n\n## Pipeline Architecture\n\n```text\nCribl Edge (181/182) ──HEC :8088──\u003e Splunk (200)\n                                      │\n                                  Splunk indexes:\n                                    ai, claude, firewall, gemini,\n                                    mac_perf, netflow, netmon, network,\n                                    openai, os, otel, unifi, unifi_metrics,\n                                    vscode\n```\n\n## Installation\n\nThis repo uses a [Nix dev shell][nix-develop] from\n[nix-devenv](https://github.com/JacobPEvans/nix-devenv) to provide all tools\n(`ansible-playbook`, `ansible-lint`, `molecule`, etc.). Activate it once per worktree:\n\n```bash\ndirenv allow   # if using direnv (recommended) — activates nix-devenv#ansible-apps automatically\n# or: nix develop github:JacobPEvans/nix-devenv#ansible-apps\n```\n\n## Usage\n\n```bash\n# 1. Deploy Splunk\ndoppler run -- ansible-playbook playbooks/site.yml\n\n# 2. Validate deployment\ndoppler run -- ansible-playbook playbooks/validate.yml\n```\n\n## Custom Indexes\n\nAll indexes: 100 GiB max size, 365-day retention (except `netmon`: 90-day),\nstored at `/opt/splunk/\u003cindex\u003e/`.\n\n| Index | Purpose |\n| --- | --- |\n| `ai` | AI assistant activity and tool calls |\n| `claude` | Claude-specific events |\n| `firewall` | Palo Alto / Cisco firewall logs |\n| `gemini` | Gemini-specific events |\n| `mac_perf` | macOS performance metrics |\n| `netflow` | NetFlow / IPFIX flow data |\n| `netmon` | Per-WAN network-diagnosis probe telemetry (90-day retention) |\n| `network` | Network device syslog |\n| `openai` | OpenAI-specific events |\n| `os` | Linux / Windows system logs |\n| `otel` | OpenTelemetry spans / metrics |\n| `unifi` | UniFi network syslog |\n| `unifi_metrics` | UniFi controller device/port/client/WAN metrics (unpoller+Telegraf via Cribl, 90-day retention) |\n| `vscode` | VS Code / Copilot events |\n\n## Technology Add-ons\n\nArchives must be placed in `roles/splunk_docker/files/` before running (gitignored).\nSee [`roles/splunk_docker/files/README.md`](roles/splunk_docker/files/README.md) for download instructions.\n\n| Add-on | Source | Notes |\n| --- | --- | --- |\n| TA-unifi-cloud | Internal build | UniFi syslog parsing |\n| Duck Yeah | Splunkbase | App packaging utilities |\n| Splunk DB Connect | Splunkbase [#2686](https://splunkbase.splunk.com/app/2686) | DB connectivity |\n\n## Playbooks\n\n| Playbook | Purpose |\n| --- | --- |\n| `site.yml` | Full deployment: loads inventory, runs `splunk_docker` role |\n| `deploy.yml` | Bare deployment (no inventory load) |\n| `deploy_docker.yml` | Deploys Splunk container, assuming Docker is pre-installed |\n| `validate.yml` | Post-deploy validation: ports, HEC, web UI |\n| `configure_indexes.yml` | Index configuration only (idempotent) |\n\n## Role Structure\n\n```text\nroles/splunk_docker/\n├── defaults/main.yml       # Core Docker + Splunk configuration\n├── tasks/\n│   ├── main.yml            # Orchestrates all tasks\n│   ├── java.yml            # Optional JRE-21 for DB Connect\n│   └── wait_for_splunk.yml # Health check loop after container start\n├── templates/\n│   ├── docker-compose.yml.j2\n│   ├── indexes.conf.j2\n│   ├── inputs.conf.j2      # HEC token configuration\n│   ├── web.conf.j2\n│   ├── server.conf.j2\n│   └── firewall.sh.j2\n├── handlers/main.yml       # Restart Splunk container\n└── files/                  # TA archives (gitignored)\n```\n\n## Configuration Variables\n\nKey defaults in `roles/splunk_docker/defaults/main.yml`:\n\n| Variable | Default | Description |\n| --- | --- | --- |\n| `splunk_docker_image` | `splunk/splunk:latest` | Docker image. Pin to a specific version for production. |\n| `splunk_docker_web_port` | `8000` | Splunk Web UI port |\n| `splunk_docker_hec_port` | `8088` | HEC ingestion port |\n| `splunk_docker_data_dir` | `/opt/splunk` | Data volume mount path |\n| `splunk_docker_web_ssl` | `true` | Enable Splunk Web SSL |\n| `splunk_docker_java_enabled` | `false` | Enable JRE for DB Connect |\n| `splunk_docker_firewall_enabled` | `false` | Guest iptables (disabled; use Proxmox firewall) |\n| `splunk_docker_allow_internet_access` | `false` | Disables Splunkbase app browsing, update checks, and telemetry to prevent DNS timeouts on air-gapped VMs. |\n| `splunk_docker_index_default_max_size_mb` | `102400` | 100 GiB per index |\n| `splunk_docker_index_default_frozen_time_secs` | `31536000` | 365-day retention |\n\n## Secrets\n\nAll secrets via Doppler (`iac-conf-mgmt` / `prd`):\n\n| Doppler Secret | Ansible Variable | Purpose |\n| --- | --- | --- |\n| `SPLUNK_PASSWORD` | `splunk_docker_password` | Splunk admin password |\n| `HEC_NAMESPACE` | `splunk_docker_hec_namespace` | UUID namespace for per-index HEC token derivation (optional) |\n| `SPLUNK_HEC_TOKEN` | `splunk_docker_hec_token_values.legacy` | Shared legacy HEC token (always required) |\n| `SPLUNK_MCP_TOKEN` | — | MCP Server Bearer token (client-side, created via Splunk UI) |\n| `PROXMOX_SSH_KEY_PATH` | — | SSH key for VM access |\n\n```bash\n# Run any playbook with secrets injected\ndoppler run -- ansible-playbook playbooks/site.yml\n```\n\n\u003e **Rotating `SPLUNK_PASSWORD`:** the splunk/splunk image seeds the admin password\n\u003e from `SPLUNK_PASSWORD` only on the container's first boot, when\n\u003e `/opt/splunk/etc/passwd` is absent. Because `etc/` is a persistent disk mount,\n\u003e changing `SPLUNK_PASSWORD` afterward does **not** update the running admin — the\n\u003e entrypoint's Ansible then loops on a \"Get existing HEC token\" 401. After any\n\u003e rotation you must reset the container admin via the `user-seed.conf` procedure in\n\u003e terraform-proxmox `TROUBLESHOOTING.md` → \"Splunk Container (VM 200)\".\n\n## Testing\n\n```bash\n# Lint\nansible-lint\n\n# Syntax check\ndoppler run -- ansible-playbook playbooks/site.yml --syntax-check\n\n# Molecule (syntax-only CI test)\nmolecule test\n\n# Post-deploy validation\ndoppler run -- ansible-playbook playbooks/validate.yml\n```\n\n## Dependencies\n\n### Ansible Collections (`requirements.yml`)\n\n| Collection | Version |\n| --- | --- |\n| `ansible.posix` | `\u003e=2.1.0,\u003c3.0.0` |\n| `community.general` | `\u003e=12.4.0,\u003c13.0.0` |\n| `community.docker` | `\u003e=5.0.6,\u003c6.0.0` |\n| `amazon.aws` | `\u003e=9.0.0` |\n\n```bash\nansible-galaxy collection install -r requirements.yml\n```\n\n### External Services\n\n- **terraform-proxmox** — provisions Splunk VM (VMID 200)\n- **Doppler** — secrets management\n- **Proxmox firewall** — network access control (no guest iptables)\n\n## Links\n\n- [Changelog](CHANGELOG.md)\n- [Contributing](CONTRIBUTING.md)\n- [Splunk Docker image](https://hub.docker.com/r/splunk/splunk)\n- [ansible-proxmox-apps](https://github.com/JacobPEvans/ansible-proxmox-apps) — Cribl Edge (upstream sender)\n\n[nix-develop]: https://nixos.org/manual/nix/stable/command-ref/new-cli/nix3-develop.html\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdryvist%2Fansible-splunk","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdryvist%2Fansible-splunk","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdryvist%2Fansible-splunk/lists"}