{"id":19249281,"url":"https://github.com/sous-chefs/chef-splunk","last_synced_at":"2025-04-09T15:06:41.668Z","repository":{"id":13132332,"uuid":"15814426","full_name":"sous-chefs/chef-splunk","owner":"sous-chefs","description":"Development repository for the chef-splunk cookbook","archived":false,"fork":false,"pushed_at":"2024-12-04T18:07:41.000Z","size":1140,"stargazers_count":74,"open_issues_count":6,"forks_count":122,"subscribers_count":28,"default_branch":"main","last_synced_at":"2025-04-09T15:06:34.963Z","etag":null,"topics":["chef","chef-cookbook","chef-resource","chef-splunk","hacktoberfest","managed-by-terraform"],"latest_commit_sha":null,"homepage":"https://supermarket.chef.io/cookbooks/chef-splunk","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sous-chefs.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null},"funding":{"open_collective":"sous-chefs"}},"created_at":"2014-01-11T01:14:21.000Z","updated_at":"2025-02-07T20:17:38.000Z","dependencies_parsed_at":"2024-02-20T17:13:21.211Z","dependency_job_id":null,"html_url":"https://github.com/sous-chefs/chef-splunk","commit_stats":{"total_commits":604,"total_committers":46,"mean_commits":"13.130434782608695","dds":0.8311258278145696,"last_synced_commit":"b7c255e2d23e4584c6d5bb048c4358b5b4774970"},"previous_names":[],"tags_count":88,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sous-chefs%2Fchef-splunk","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sous-chefs%2Fchef-splunk/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sous-chefs%2Fchef-splunk/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sous-chefs%2Fchef-splunk/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sous-chefs","download_url":"https://codeload.github.com/sous-chefs/chef-splunk/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248055284,"owners_count":21040157,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["chef","chef-cookbook","chef-resource","chef-splunk","hacktoberfest","managed-by-terraform"],"created_at":"2024-11-09T18:13:32.468Z","updated_at":"2025-04-09T15:06:41.646Z","avatar_url":"https://github.com/sous-chefs.png","language":"Ruby","funding_links":["https://opencollective.com/sous-chefs"],"categories":[],"sub_categories":[],"readme":"# chef-splunk Cookbook\n\n[![Cookbook Version](https://img.shields.io/cookbook/v/chef-splunk.svg)](https://supermarket.chef.io/cookbooks/chef-splunk)\n[![CI State](https://github.com/sous-chefs/chef-splunk/workflows/ci/badge.svg)](https://github.com/sous-chefs/chef-splunk/actions?query=workflow%3Aci)\n[![OpenCollective](https://opencollective.com/sous-chefs/backers/badge.svg)](#backers)\n[![OpenCollective](https://opencollective.com/sous-chefs/sponsors/badge.svg)](#sponsors)\n[![License](https://img.shields.io/badge/License-Apache%202.0-green.svg)](https://opensource.org/licenses/Apache-2.0)\n\nThis cookbook manages a Splunk Universal Forwarder (client) or a\nSplunk Enterprise (server) installation, including a Splunk clustered\nenvironment.\n\nThe Splunk default user is admin and the password is changeme. See the\n`setup_auth` recipe below for more information about how to manage\nchanging the password with Chef and Chef Vault.\n\nThis recipe downloads packages from Splunk directly. There are\nattributes to set a URL to retrieve the packages, so if the packages\nare mirrored locally, supply the local URL instead. At this time the\ncookbook doesn't support installing from networked package managers\n(like apt or yum), since Splunk doesn't provide package repositories.\n\n## Maintainers\n\nThis cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of Chef cookbook maintainers working together to maintain important cookbooks. If you’d like to know more please visit sous-chefs.org or come chat with us on the Chef Community Slack in #sous-chefs.\n\n## Requirements\n\nChef 15.5 or newer\n\n## License Acceptance\n\nIn the past, it was sufficient to set the `node['splunk']['accept_license']` attribute\neither in a wrapper cookbook, role, or chef environment, and the recipes in this cookbook\nwould enable and run the splunk service with `--accept-license`. Starting with version 3.0.0,\nthis attribute must be set to boolean `true`. A value resulting in anything other than boolean true will\nbe considered as not accepting the Splunk EULA.\n\nFor example, these will not accept the Splunk license:\n\n```ruby\nnode['splunk']['accept_license'] = false\nnode['splunk'] = { 'accept_license' =\u003e nil }\nnode['splunk']['accept_license'] = ''\nnode['splunk']['accept_license'] = 'true'\n```\n\nOnly this will accept the license:\n\n```ruby\nnode['splunk']['accept_license'] = true\n```\n\n### Platforms\n\nThis cookbook uses Test Kitchen to do cross-platform convergence and\npost-convergence tests. The tested platforms are considered supported.\nThis cookbook may work on other platforms or platform versions with or\nwithout modification.\n\n- Debian 9, 10\n- Ubuntu 18.04, 20.04\n- CentOS 7, 8\n- Redhat 7, 8\n- openSUSE Leap 15\n\nBy default, only 64-bit Splunk server and Splunk Universal Forwarder will be installed or upgraded by this cookbook.\n\n### Debug Mode\n\nSince the splunk command requires authentication, many `execute` resources in this cookbook have STDOUT/STDERR suppressed (i.e., `sensitive true`). However, this setting can hide important diagnostic messages during a failed chef run when Chef Infra Client is run in normal logging levels, such as `:info` or `:auto`. In order to disable this suppression, Chef Infra Client must be run with `:debug` logging level (i.e., `chef-client -l debug`). Beware: Running Chef Infra Client this way can persist sensitive information, such as your Splunk admin user credentials, in the chef client log, and pose a security risk. *Do not leave this setting enabled on critical systems*\n\n### Cookbooks\n\nUsed for managing secrets, see __Usage__:\n\n- chef-vault, `~\u003e 4.0`\n\n:smile: Note: Using chef-vault is optional, but is a dependency for this cookbook. Please see the section [Chef-Vault encrypted data bag fallback](https://github.com/chef-cookbooks/chef-splunk#chef-vault-encrypted-data-bag-fallback) for an alternative method to manage Splunk secrets with standard encrypted data bags.\n\n## Attributes\n\nAttributes have default values set in `attributes/default.rb`. Where\npossible or appropriate, the default values from Splunk Enterprise are\nused.\n\nGeneral attributes:\n\n- `node['splunk']['accept_license']`: Whether to accept the Splunk\n  EULA. Default is false. This *-*must*-* be set to boolean true for Splunk to be\n  functional with this cookbook, which means end users must read the\n  EULA and agree to the terms.\n- `node['splunk']['is_server']`: Set this to true if the node is a\n  splunk server, for example in a role (Default: false)\n- `node['splunk']['data_bag']`: Set this to the name of the data bag where your splunk auth\n  and other secrets are stored (Default: `vault`)\n- `node['splunk']['disabled']`: Disable the splunk agent by setting\n  this to true (Default: false) and adding `recipe[chef-splunk::disabled]` to a node's run list\n- `node['splunk']['receiver_port']`: The port that the receiver\n  (server) listens to. This is set to the Splunk Enterprise default, 9997.\n- `node['splunk']['mgmt_port']`: The port that splunkd service\n  listens to, aka the management port. This is set to the Splunk\n  Enterprise default, 8089.\n- `node['splunk']['web_port']`: The port that the splunkweb service\n  listens to. This is set to the default for HTTPS, 443, as it is\n  configured by the `setup_ssl` recipe.\n- `node['splunk']['ratelimit_kilobytessec']`: The default splunk rate limiting rate can now easily be changed with an attribute.  Default is 2048KBytes/sec.\n\nThe two URL attributes below are selected by platform and architecture\nby default.\n\n- `node['splunk']['forwarder']['url']`: The URL to the Splunk Universal Forwarder package file.\n- `node['splunk']['server']['url']`: The URL to the Splunk Enterprise package file.\n- `node['splunk']['forwarder']['version']`: specifies the splunk universal forwarder version to install. This is ignored if forwarder URL is provided. (Default: 8.0.1)\n- `node['splunk']['server']['version']`: specifies the splunk server version to install. This is ignored if server URL is provided. (Default: 8.0.1)\n- Set these attributes to `nil` or empty string `''` to force installing the packages from the\n  OS package managers. In doing so, server owners are responsible for properly configuring their\n  package manager so chef can install the package.\n\n  For example, each line below will force the chef-client to install Splunk's Universal Forwarder\n  and server from the local package manager:\n\n  ```ruby\n  node.force_default['splunk']['forwarder']['url'] = ''\n  node.force_default['splunk']['server']['url'] = ''\n  node.force_default['splunk']['forwarder']['url'] = nil\n  node.force_default['splunk']['server']['url'] = nil\n  ```\n\nSpecial attributes for managing the Splunk user:\n\n- `node['splunk']['user']`: A hash of attributes to set for the splunk\n  user resource in the `user` recipe. It's unlikely that someone would\n  need to change these, other than the UID, but just in case...\n\n- `username`: the username\n- `comment`: gecos field\n- `home`: the home directory, defaults to `/opt/splunkforwarder`, will be set to `/opt/splunk` if `node['splunk']['is_server']` is true.\n- `shell`: the shell to use\n- `uid`: the numeric UID. The default, `396` is an integer arbitrarily chosen and doesn't conflict with anything on the supported platforms (see list above). It is within the `system` UID range on Linux systems.\n\n- `node['splunk']['server']['runasroot']`: if runasroot is true (which is the splunk upstream package default) then the splunk server runs as root.  If runasroot is false modify the init script to run as the `node['splunk']['user']`.  This does not apply to the splunk client as they may need root permissions to read logfiles.  NOTE1: you may also need to change `node['splunk']['web_port']` on a splunk server to run on a port \u003e1024 if you don't run as root (splunk user cannot bind to privelaged ports).  NOTE2: If you want to switch from root to the splunk user or vice versa on an existing install, please stop the splunk service first before changing the runasroot boolean value.\n\nThe following attributes are related to setting up `splunkweb` with\nSSL in the `setup_ssl` recipe.\n\n- `node['splunk']['ssl_options']`: A hash of SSL options used in the\n  `setup_ssl` recipe\n- `node['splunk']['ssl_options']['enable_ssl']`: Whether to enable\n  SSL, must be set to `true` to use the `setup_ssl` recipe. Defaults\n  to `false`, must be set using a boolean literal `true` or `false`.\n- `node['splunk']['ssl_options']['data_bag']`: The data bag name to\n  load, defaults to `vault` (as chef-vault is used).\n- `node['splunk']['ssl_options']['data_bag_item']`: The data bag item\n  name that contains the keyfile and crtfile, defaults to\n  `splunk_certificates`.\n- `node['splunk']['ssl_options']['keyfile']`: The name of the SSL key\n  file, and the content will be written to\n  `etc/auth/splunkweb/KEYFILE`. Must be an element under `data` in the\n  data bag item. See __Usage__ for instructions. Defaults to\n  '`self-signed.example.com.key`', and should be changed to something\n  relevant for the local site before use, in a role or wrapper cookbook.\n- `node['splunk']['ssl_options']['crtfile']`: The name of the SSL cert\n  (crt) file, and the content will be written to\n  `/etc/auth/splunkweb/CRTFILE`. Must be an element under `data` in\n  the data bag item. See __Usage__ for instructions. Defaults to\n  '`self-signed.example.com.crt`', and should be changed to something\n  relevant for the local site before use, in a role or wrapper cookbook.\n\nThe following attributes are related to setting up a Splunk server with indexer\nclustering in the `setup_clustering` recipe:\n\n- `node['splunk']['clustering']`: A hash of indexer clustering configurations\n  used in the `setup_clustering` recipe\n- `node['splunk']['clustering']['enabled']`: Whether to enable indexer clustering,\n  must be set to `true` to use the `setup_clustering` recipe. Defaults to `false`,\n  must be a boolean literal `true` or `false`.\n- `node['splunk']['clustering']['num_sites']`: The number of sites in the cluster.\n  Multisite is enabled automatically if num_sites \u003e 1. Defaults to 1, must be a positive integer.\n- `node['splunk']['clustering']['mode']`: The clustering mode of the node within\n  the indexer cluster. Must be set using string literal 'master',\n  'slave', or 'searchhead'.\n- `node['splunk']['clustering']['replication_port']`: The replication port\n  of the cluster peer member. Only valid when `node['splunk']['clustering']['mode']='slave'`.\n  Defaults to 9887.\n- [`node['splunk']['clustering']['mgmt_uri']`](Default: \u003chttps://fqdn:8089\u003e)\n  This attribute is for the indexer cluster members and cluster master. The cluster master\n  will set this node attribute to itself, while all cluster members will perform a chef search\n  to get the value from the cluster master's node data.\n\n- For single-site clustering (`node['splunk']['clustering']['num_sites']` = 1):\n\n   - `node['splunk']['clustering']['replication_factor']`: The replication factor\n     of the indexer cluster. Defaults to 3, must be a positive integer. Only valid\n     when `node['splunk']['clustering']['mode']='master'` and\n     `node['splunk']['clustering']['num_sites']`=1 (single-site clustering).\n   - `node['splunk']['clustering']['search_factor']`: The search factor\n     of the indexer cluster. Only valid when `node['splunk']['clustering']['mode']='master'` and\n     `node['splunk']['clustering']['num_sites']`=1 (single-site clustering). Defaults to 2, must be a positive integer.\n\n- For multisite clustering (`node['splunk']['clustering']['num_sites']` \u003e 1):\n\n   - `node['splunk']['clustering']['site']`: The site the node belongs to. Valid values include site1 to site63\n   - `node['splunk']['clustering']['site_replication_factor']`: The per-site replication policy\n     of any given bucket. This is represented as a comma-separated list of per-site entries. Only valid\n     when `node['splunk']['clustering']['mode']='master'` and multisite is true. Defaults to 'origin:2,total:3'.\n     Refer to [Splunk Admin docs](http://docs.splunk.com/Documentation/Splunk/latest/Admin/serverconf) for exact syntax and more details.\n   - `node['splunk']['clustering']['site_search_factor']`: The per-site search policy for searchable copies\n     for any given bucket. This is represented as a comma-separated list of per-site entires. Only valid when\n     `node['splunk']['clustering']['mode']='master'` and multisite is true. Defaults to 'origin:1,total:2'.\n     Refer to [Splunk Admin docs](http://docs.splunk.com/Documentation/Splunk/latest/Admin/serverconf) for exact syntax and more details.\n\nThe following attributes are related to setting up a Splunk server with search head\nclustering in the `setup_shclustering` recipe:\n\n- `node['splunk']['shclustering']`: A hash of search head clustering configurations\n  used in the `setup_shclustering` recipe\n- `node['splunk']['shclustering']['app_dir']`: the path where search head clustering configuration will\n  be installed (Default: /opt/splunk/etc/apps/0_autogen_shcluster_config)\n- `node['splunk']['shclustering']['enabled']`: Whether to enable search head clustering,\n  must be set to `true` to use the `setup_shclustering` recipe. Defaults to `false`,\n  must be a boolean literal `true` or `false`.\n- `node['splunk']['shclustering']['mode']`: The search head clustering mode of the node within\n  the cluster. This is used to determine if the node needs to bootstrap the shcluster and initialize\n  the node as the captain. Must be set using string literal 'member' or 'captain'.\n- `node['splunk']['shclustering']['label']`: The label for the shcluster. Used to differentiate\n  from other shclusters in the environment. Must be a string. Defaults to `shcluster1`.\n  captain election. Must be set using string literal 'member' or 'captain'.\n- `node['splunk']['shclustering']['replication_factor']`: The replication factor\n  of the shcluster. Defaults to 3, must be a positive integer.\n- `node['splunk']['shclustering']['replication_port']`: The replication port\n  of the shcluster members. Defaults to 9900.\n- `node['splunk']['shclustering']['deployer_url']`: The management url for the\n  shcluster deployer server, must be set to a string such as: `https://deployer.domain.tld:8089`.\n  This attribute is optional. Defaults to empty.\n- `node['splunk']['shclustering']['mgmt_uri']`: The management url for the\n  shcluster member node, must be set to a string such as: `https://shx.domain.tld:8089`. You can\n  use the node's IP address instead of the FQDN if desired. Defaults to `https://#{node['fqdn']}:8089`.\n- `node['splunk']['shclustering']['shcluster_members']`: An array of all search head\n  cluster members referenced by their `mgmt_uri`. Currently this will do a Chef search for nodes that\n  are in the same environment, with search head clustering enabled, and with the same\n  cluster label. Alternatively, this can be hard-coded with a list of all shcluster\n  members including the current node. Must be an array of strings. Defaults to an empty array.\n\nThe following attributes are related to setting up a splunk forwarder\nwith the `client` recipe\n\n`node['splunk']['outputs_conf']` is a hash of configuration values that are used to dynamically populate the `outputs.conf` file's \"`tcpout:splunk_indexers_PORT`\" configuration section. Each key/value pair in the hash is used as configuration in the file. For example the `attributes/default.rb` has this:\n\n```ruby\ndefault['splunk']['outputs_conf'] = {\n  'forwardedindex.0.whitelist' =\u003e '.*',\n  'forwardedindex.1.blacklist' =\u003e '_.*',\n  'forwardedindex.2.whitelist' =\u003e '_audit',\n  'forwardedindex.filter.disable' =\u003e 'false'\n}\n```\n\nThis will result in the following being rendered in `outputs.conf`:\n\n```toml\n[tcpout:splunk_indexers_9997]\nserver=10.0.2.47:9997\nforwardedindex.0.whitelist = .*\nforwardedindex.1.blacklist = _.*\nforwardedindex.2.whitelist = _audit\nforwardedindex.filter.disable = false\n```\n\nAs an example of `outputs_conf` attribute usage, to add an `sslCertPath` directive, define the attribute in your role or wrapper cookbook as such:\n\n```ruby\nnode.default['splunk']['outputs_conf']['sslCertPath'] = '$SPLUNK_HOME/etc/certs/cert.pem'\n```\n\nThe `server` attribute in `tcpout:splunk_indexers_9997` stanza above is populated by default from Chef search results for Splunk servers, or, alternatively, is statically defined in node attribute `node['splunk']['server_list']`.\n\n`node['splunk']['server_list']` is an optional comma-separated listed of server IPs and the ports. It's only applicable when there are no Splunk servers managed by Chef, e.g. sending data to Splunk Cloud which has managed indexers.\n\nFor example:\n\n```ruby\nnode.default['splunk']['server_list'] = '10.0.2.47:9997, 10.0.2.49:9997'\n```\n\n`node['splunk']['inputs_conf']` is a hash of configuration values that are used to populate the `inputs.conf` file.\n\n- `node['splunk']['inputs_conf']['host']`: A string that specifies the default host name used in the inputs.conf file. The inputs.conf file is not overwritten if this is not set or is an empty string.\n- `node['splunk']['inputs_conf']['ports']`: An array of hashes that contain the input port configuration necessary to generate the inputs.conf file.\n- `node['splunk']['inputs_conf']['inputs']`: An array of hashes that contain the input configuration necessary to generate the inputs.conf file. This attribute supports all input types.\n\nFor example:\n\n```ruby\nnode.default['splunk']['inputs_conf']['ports'] = [\n  {\n    port_num =\u003e 123123,\n    config =\u003e {\n      'sourcetype' =\u003e 'syslog'\n    }\n  }\n]\n\nnode.default['splunk']['inputs_conf']['inputs'] = [\n  {\n    input_path =\u003e 'monitor:///var/log/syslog',\n    config =\u003e {\n      'sourcetype' =\u003e 'syslog'\n    }\n  }\n]\n```\n\nThe following attributes are related to upgrades in the `upgrade`\nrecipe. __Note__ The default upgrade version is set to 7.3.2 and should be modified to\nsuit in a role or wrapper, since we don't know what upgrade versions\nmay be relevant. Enabling the upgrade and blindly using the default\nURLs may have undesirable consequences, hence this is not enabled, and\nmust be set explicitly elsewhere on the node(s).\n\n- `node['splunk']['upgrade_enabled']`: Controls whether the upgrade is enabled and the `attributes/upgrade.rb` file should be loaded. Set this in a role or wrapper cookbook to perform an upgrade.\n\n- `node['splunk']['server']['upgrade']['url']`: This is the URL to the desired server upgrade package only if `upgrade_enabled` is set.\n- `node['splunk']['server']['upgrade']['version']`: specifies the target splunk server version for an upgrade. This is ignored if server upgrade URL is provided. (Default: 8.0.1)\n- `node['splunk']['forwarder']['upgrade']['url']`: This is the URL to the desired forwarder upgrade package only if `upgrade_enabled` is set.\n- `node['splunk']['forwarder']['upgrade']['version']`: specifies the target splunk universal forwarder version for an upgrade. This is ignored if forwarder upgrade URL is provided. (Default: 8.0.1)\n\n- All URLs set in attributes must be direct download links and not redirects\n- Set these attributes to `nil` or empty string `''` to force installing the packages from the\n  OS package managers. In doing so, server owners are responsible for properly configuring their\n  package manager so chef can install the package.\n\n  For example, each line below will force the chef-client to install Splunk's Universal Forwarder and server\n  from the local package manager:\n\n  ```ruby\n  node.force_default['splunk']['forwarder']['upgrade']['url'] = ''\n  node.force_default['splunk']['server']['upgrade']['url'] = ''\n  node.force_default['splunk']['forwarder']['upgrade']['url'] = nil\n  node.force_default['splunk']['server']['upgrade']['url'] = nil\n  ```\n\n## Helper methods\n\n### splunk_cmd\n\nWhen wrapping this cookbook, it is often beneficial to run Splunk Enterprise or Universal Forwarder as a non-root user. This is, in fact, a security recommendation to run Splunk as a non-root user. To this end, `#splunk_cmd` will return the properly constructed command to run a Splunk CLI command with arguments.\n\nExample:\n\n```ruby\nexecute 'set servername' do\n  command splunk_cmd(['set', 'servername', node.name, '-auth', node.run_state['splunk_auth_info'])\n  sensitive true\n  notifies :restart, 'service[splunk]'\nend\n```\n\nanother way that will result in the same command:\n\n```ruby\nexecute 'set servername' do\n  command splunk_cmd(\"set servname #{node.name} -auth '#{node.run_state['splunk_auth_info']}'\")\n  sensitive true\n  notifies :restart, 'service[splunk]'\nend\n```\n\n## Custom Resources\n\n### splunk_app\n\nThis resource will install a Splunk app or deployment app into the appropriate locations\non a Splunk Enterprise server. Some custom \"apps\" simply install with a few files to override\ndefault Splunk settings. The latter is desirable for maintaining settings after an upgrade of the\nSplunk Enterprise server software.\n\n**Breaking Change**\nAs of v6.0.0, sub-resources of the `splunk_app` provider will no longer notify restarts to the `service[splunk]` resource. Restarts of the service must be handled explicitly by the `splunk_app` caller. This allows end-users of the resource more control of when splunkd gets restarted; especially in cases where an app does not require a restart when its files are updated.\n\n#### Actions\n\n- `:install`: Installs a Splunk app or deployment app. This action will also update existing app config files, as needed\n- `:remove`: Completely removes a Splunk app or deployment app from the Splunk Enterprise server\n\n#### Properties\n\n### TODO: document the rest of the splunk_app properties\n\n- `app_dir`: Specifies the application's installation path. Apps installed with this property will be done relative\n  to the Splunk installation directory (Default: /opt/splunk).\n- `local_file`: specifies a local path where an app will be sourced. This will not download an app from a remote\n  source, as it assumes the file or bundle has been done so outside of this resource. With so many ways to \"unpack\" a compressed bundle file (e.g., tar.gz, zip, bz2), this feature will not attempt to support any/all of the possibilities. In contrast, this feature will support installing an app from any local source on the chef node and into the /opt/splunk/etc/apps directory, unless otherwise specified by the `app_dir` property.\n- `templates`: This is either an array of template names or a Hash consisting of a target destination path and template names\n  For example: `['server.conf.erb']` or `{ 'etc/deployment-apps' =\u003e 'server.conf.erb' }`.\n- `template_variables`: This is a Hash with embedded Hash to specify variables that can be passed into the templates keyed by\n  the name of the template, matching the template names in `templates` property above. The format of this Hash is such that\n  a `default` Hash can specify variables/values passed to all templates or it can specify different variables/values for any and all\n  templates.\n\n  For example, this will pass the default Hash of variables/values into all of the templates, but the `foo.erb` template will be fed a unique Hash of variables/values.\n\n  ```ruby\n  splunk_app 'my app' do\n    templates %w(foo.erb bar.erb server.conf.erb app.conf.erb outputs.conf.erb)\n    template_variables {\n      {\n        'default' =\u003e { 'var1' =\u003e 'value1', 'var2' =\u003e 'value2' },\n        'foo.erb' =\u003e { 'x' =\u003e 'snowflake template' }\n      }\n    }\n  end\n  ```\n\n#### Examples\n\n  Install and enable a deployment client configuration that overrides default Splunk Enterprise configurations\n\n   - Given a wrapper cookbook called MyDeploymentClientBase with a folder structure as below:\n\n  ```ruby\n  MyDeploymentClientBase\n      /templates\n          /MyDeploymentClientBase\n              deploymentclient.conf.erb\n  ```\n\n  ```ruby\n  splunk_auth_info = data_bag_item('vault', \"splunk_#{node.chef_environment}\")['auth']\n\n  splunk_app 'MyDeploymentClientBase' do\n    splunk_auth splunk_auth_info\n    templates ['deploymentclient.conf.erb']\n    cookbook 'MyDeploymentClientBase'\n    action %i(install enable)\n  end\n  ```\n\n  The Splunk Enterprise server will have a filesystem created, as follows:\n\n  ```ruby\n  /opt/splunk/etc/apps/MyDeploymentClientBase/local/deploymentclient.conf\n  ```\n\n### splunk_index\n\nThis resource helps manage Splunk indexes that are defined in an `indexes.conf` file in a \"chef way\" using standard Chef DSL vernacular. For information and specifications about Splunk indexes, please review and understand [https://docs.splunk.com/Documentation/Splunk/8.0.2/Admin/Indexesconf](https://docs.splunk.com/Documentation/Splunk/8.0.2/Admin/Indexesconf).\n\nUpon convergence, this resource will add a new stanza to the `indexes.conf` file, as needed, and modify or add new lines to the section based on properties given to the resource. If the current stanza in the `indexes.conf` file has any extra lines that are not listed as a valid property in this resource, those lines are automatically removed.\n\n#### Actions\n\n- `:create` - Installs or updates a `monitor://` stanza into the inputs.conf file\n- `:remove` - Removes a stanza from the inputs.conf file\n\n#### Properties\n\n- `index_name` - this is the String naming each Splunk index. The resource will verify that the name of the index satisifies Splunk's naming requirements, which are below:\n\n  \u003e User-defined index names must consist of only numbers, lowercase letters, underscores, and hyphens. They cannot begin with an underscore or hyphen, or contain the word \"kvstore\".\n\n- `indexes_conf_path` - this is the target path and filename to the `indexes.conf`\n- `backup` - similar to the backup property of other file/template resources in chef, this specifies a number of backup files to retain or false to disable (Default: 5)\n- `options` - This is a Hash that contains all of the key/value pairs that define an index. For reference, please see Splunk's online documentation to understand what the valid options are for this property.\n\n### Example\n\nA test recipe is embedded in this cookbook. Please look at `test/fixtures/cookbooks/test/recipes/splunk_index.rb`.\n\n### splunk_monitor\n\nAdds a Splunk monitor stanza into a designated `inputs.conf` file in a \"chef-erized\" way using standard Chef DSL vernacular. This resource also validates supported monitors and index names as documented by Splunk. The dictionary is created from documentation on [Splunk's website](https://docs.splunk.com/@documentation/Splunk/8.0.2/Data/Listofpretrainedsourcetypes).\n\nUpon convergence, this resource will add a new stanza to the inputs.conf file, as needed, and modify or add new lines to the section based on properties given to the resource. If the current stanza in the inputs.conf file has any extra lines that are not listed as a valid property in this resource, those lines are automatically removed.\n\n#### Actions\n\n- `:create` - Installs or updates a `monitor://` stanza into the inputs.conf file\n- `:remove` - Removes a stanza from the inputs.conf file\n\n#### Properties\n\nThese properties are specific to this resource:\n\n- `monitor_name` - this is the text naming each monitoring stanza (e.g., `monitor:///opt/splunk/var/log/splunk/splunkd.log`). Only the path to the file that Splunk should monitor is required in this property. The resource will prepend the necessary `monitor://` to this property.\n- `inputs_conf_path` - this is the target path and filename to the `inputs.conf`\n- `backup` - similar to the backup property of other file/template resources in chef, this specifies a number of backup files to retain or false to disable (Default: 5)\n\nThese resource properties are drawn from Splunk's @documentation. Refer to [https://docs.splunk.com/@documentation/Splunk/8.0.2/Data/Monitorfilesanddirectorieswithinputs.conf](https://docs.splunk.com/@documentation/Splunk/8.0.2/Data/Monitorfilesanddirectorieswithinputs.conf) for more detailed description of these properties.\n\n- `host`\n- `index`\n- `sourcetype`\n- `queue`\n- `_TCP_ROUTING`\n- `host_regex`\n- `host_segment`\n\nThe following are additional settings you can use when defining `monitor` input stanzas.\n\n- `source`\n- `crcSalt`\n- `ignoreOlderThan`\n- `followTail`\n- `whitelist`\n- `blacklist`\n- `alwaysOpenFile`\n- `recursive`\n- `time_before_close`\n- `followSymlink`\n\n#### Example\n\nA test recipe is embedded in this cookbook. Please look at `test/fixtures/cookbooks/test/recipes/splunk_monitor.rb`\n\n### splunk_installer\n\nThe Splunk Enterprise and Splunk Universal Forwarder package\ninstallation is the same, save for the name of the package and the URL to\ndownload. This custom resource abstracts the package installation to a\ncommon baseline. Any new platform installation support should be added\nby modifying the custom resource as appropriate. One goal of this\ncustom resource is to have a single occurrence of a `package` resource,\nusing the appropriate \"local package file\" provider per platform. For\nexample, on RHEL, we use `rpm` and on Debian we use `dpkg`.\n\nPackage files will be downloaded to Chef's file cache path (e.g.,\n`file_cache_path` in `/etc/chef/client.rb`, `/var/chef/cache` by\ndefault).\n\n#### Actions\n\n- `:run`: install the splunk server or splunk universal forwarder\n- `:remove`: uninstall the splunk server or splunk universal forwarder\n- `:upgrade`: upgrade an existing splunk or splunk universal forwarder package\n\nThe custom resource has two parameters.\n\n- `name`: The name of the package (e.g., `splunk`, `splunkforwarder`).\n- `url`: The URL to the package file.\n- `package_name`: This is the name of the package to install, if it is different from\n  the resource name.\n- `version`: install/upgrade to this version, if `url` is not given\n\n#### Examples\n\nFor example, if the nodes in the environment are all Debian-family,\nand the desired splunkforwarder package is provided locally as\n`splunkforwarder.deb` on an internal HTTP server:\n\n```ruby\nsplunk_installer 'splunkforwarder' do\n  url 'https://www-int.example.com/splunk/splunkforwarder.deb'\nend\n```\n\nThe `install_forwarder` and `install_server` recipes use the\ncustom resource with the appropriate `url` attribute.\n\n## Recipes\n\nThis cookbook has several composable recipes that can be used in a\nrole, or a local \"wrapper\" cookbook. The `default`, `client`, and\n`server` recipes are intended to be used wholesale with all the\nassumptions they contain.\n\nThe general default assumption is that a node including the `default`\nrecipe will be a Splunk Universal Forwarder (client).\n\n### client\n\nThis recipe encapsulates a completely configured \"client\" - a Splunk\nUniversal Forwarder configured to talk to a node that is the splunk\nserver (with node['splunk']['is_server'] true). The recipes can be\nused on their own composed in a wrapper cookbook or role. This recipe\nwill include the `user`, `install_forwarder`, `service`, and\n`setup_auth` recipes.\n\nIt will also search a Chef Server for a Splunk Enterprise (server)\nnode with `splunk_is_server:true` in the same `chef_environment` and\nwrite out `etc/system/local/outputs.conf` with the server's IP and the\n`receiver_port` attribute in the Splunk install directory\n(`/opt/splunkforwarder`).\n\nSetting node['splunk']['outputs_conf'] with key value pairs\nupdates the outputs.conf server configuration with those key value pairs.\nThese key value pairs can be used to setup SSL encryption on messages\nforwarded through this client:\n\n```ruby\n# Note that the ssl CA and certs must exist on the server.\nnode['splunk']['outputs_conf'] = {\n  'sslCommonNameToCheck' =\u003e 'sslCommonName',\n  'sslCertPath' =\u003e '$SPLUNK_HOME/etc/certs/cert.pem',\n  'sslPassword' =\u003e 'password'\n  'sslRootCAPath' =\u003e '$SPLUNK_HOME/etc/certs/cacert.pem'\n  'sslVerifyServerCert' =\u003e false\n}\n```\n\nThe inputs.conf file can also be managed through this recipe if you want to\nsetup a splunk forwarder just set the  default host:\n\n```ruby\nnode['splunk']['inputs_conf']['host'] = 'myhost'\n```\n\nThen set up the port configuration for each input port:\n\n```ruby\nnode['splunk']['inputs_conf']['ports'] =\n[\n  {\n    port_num =\u003e 123123,\n    config =\u003e {\n      'sourcetype' =\u003e 'syslog',\n      ...\n    }\n  },\n  ...\n]\n```\n\n### default\n\nIt will include the `client` or `server` recipe depending on whether\nthe `is_server` attribute is set.\n\nThe attribute use allows users to control the included recipes by\neasily manipulating the attributes of a node, or a node's roles, or\nthrough a wrapper cookbook.\n\n### disabled\n\nIn some cases it may be required to disable Splunk on a particular\nnode. For example, it may be sending too much data to Splunk and\nexceed the local license capacity. To use the `disabled` recipe, set\nthe `node['splunk']['disabled']` attribute to `true`, and add `recipe[chef-splunk::disabled]` to a node's run list\n\n### install_forwarder\n\nThis recipe uses the `splunk_installer` custom resource to install the\nsplunkforwarder package from the specified URL (via the\n`node['splunk']['forwarder']['url']` attribute).\n\n### install_server\n\nThis recipe uses the `splunk_installer` custom resource to install the\nsplunk (Enterprise server) package from the specified URL (via the\n`node['splunk']['server']['url']` attribute).\n\n### server\n\nThis recipe encapsulates a completely configured \"server\" - Splunk\nEnterprise configured to receive data from Splunk Universal Forwarder\nclients. The recipe sets the attribute `node['splunk']['is_server']`\nto true, and is included from the `default` recipe if the attribute is\ntrue as well. The recipes can be used on their own composed in a\nwrapper cookbook or role, too. This recipe will include the `user`,\n`install_server`, `service`, and `setup_auth` recipes. It will also\nconditionally include the `setup_ssl` and `setup_clustering` recipes\nif enabled via the corresponding node attributes, as defined\nin __Attributes__ above.\n\nIt will also enable Splunk Enterprise as an indexer, listening on the\n`node['splunk']['receiver_port']`.\n\n## service\n\nThis recipe sets up the `splunk` service, and applies to both client\nand server use, since `splunk` is the same service for both\ndeployments of Splunk.\n\nThe attribute `node['splunk']['accept_license']` must be true in order\nto set up the boot script. If it's true, then the boot script gets put\ninto place (`/etc/init.d/splunk` on Linux/Unix systems), with the\nlicense accepted. The service is managed using the Chef `init` service\nprovider, which operates by using the `/etc/init.d/splunk` script for\nstart, stop, restart, etc commands.\n\n## setup_auth\n\nThis recipe loads an encrypted data bag with the Splunk user\ncredentials as an `-auth` string, '`user:password`', using the\n[chef-vault cookbook](https://supermarket.chef.io/cookbooks/chef-vault) helper method,\n`chef_vault_item`. See __Usage__ for how to set this up. The recipe\nwill edit the specified user (assuming `admin`), and then write a\nstate file to `etc/.setup_admin_password` to indicate in future Chef\nruns that it has set the password. If the password should be changed,\nthen that file should be removed.\n\n## setup_clustering\n\nThis recipe sets up Splunk indexer clustering based on the node's\nclustering mode or `node['splunk']['clustering']['mode']`. The attribute\n`node['splunk']['clustering']['enabled']` must be set to true in order to\nrun this recipe. Similar to `setup_auth`, this recipes loads\nthe same encrypted data bag with the Splunk `secret` key (to be shared among\ncluster members), using the [chef-vault cookbook](https://supermarket.chef.io/cookbooks/chef-vault)\nhelper method, `chef_vault_item`. See __Usage__ for how to set this up. The\nrecipe will edit the cluster configuration, and then write a state file to\n`etc/.setup_cluster_{master|slave|searchhead}` to indicate in future Chef\nruns that it has set the node's indexer clustering configuration. If cluster\nconfiguration should be changed, then that file should be removed.\n\nIt will also search a Chef Server for a Splunk Enterprise (server)\nnode of type cluster master, that is with `splunk_clustering_enable:true` and\n`splunk_clustering_mode:master` in the same `chef_environment` and\nuse that server's IP when configuring a cluster search head or a cluster\npeer node to communicate with the cluster master (Refer to `master_uri` attribute\nof clustering stanza in `etc/system/local/server.conf`).\n\nIndexer clustering is used to achieve some data availability \u0026 recovery. To learn\nmore about Splunk indexer clustering, refer to [Splunk Docs](http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Aboutclusters).\n\n## setup_shclustering\n\nThis recipe sets up Splunk search head clustering. The attribute\n`node['splunk']['shclustering']['enabled']` must be set to true in order to\nrun this recipe. Similar to `setup_auth`, this recipes loads\nthe same encrypted data bag with the Splunk `secret` key (to be shared among\ncluster members), using the [chef-vault cookbook](https://supermarket.chef.io/cookbooks/chef-vault)\nhelper method, `chef_vault_item`. See __Usage__ for how to set this up. The\nrecipe will edit the cluster configuration, and then write a state file to\n`etc/.setup_shcluster` to indicate in future Chef runs that it has set the node's\nsearch head clustering configuration. If cluster configuration should be changed,\nthen that file should be removed.\n\nIt will also search a Chef Server for a Splunk Enterprise (server)\nnode of type cluster master, that is with `splunk_shclustering_enable:true` and\nthe same `splunk_shclustering_label` in the same `chef_environment` and\nuse that server's IP when building the list of `shcluster_members`.\n\nThe search head cluster configuration is deployed as a custom Splunk app that\nis written to `etc/apps/0_autogen_shcluster_config` to take advantage of Splunk's\nbuilt in config layering. All nodes with `splunk_shclustering_enable:true` will\nreceive this app.\n\nOn the first Chef run on a node with `splunk_shclustering_mode:captain`, this recipe\nwill build and execute the Splunk command to bootstrap the search head cluster and\ninitiate the captain election process.\n\nIn addition to using this recipe for configuring the search head cluster members, you\nwill also have to manually configure a search head instance to serve as the\nsearch head cluster's deployer. This is done by adding a `[shclustering]` stanza to\nthat instance's `etc/system/local/server.conf` with the same `pass4SymmKey = \u003csecret\u003e`\nand the same `shcluster_label = \u003csplunk_shclustering_label\u003e`. This deployer is optional, but should be configured prior to\nrunning the bootstrap on the captain and then the search head cluster member nodes\nconfigured with this deployer node's mgmt_uri set in the member node's `splunk_shclustering_deployer_url`\n\nSearch head clustering is used to achieve high availability \u0026 scaling. To learn\nmore about Splunk search head clustering, refer to [Splunk Docs](http://docs.splunk.com/Documentation/Splunk/latest/DistSearch/AboutSHC).\n\n## upgrade\n\n**Important** Read the upgrade documentation and release notes for any\n  particular Splunk version upgrades before performing an upgrade.\n  Also back up the Splunk directory, configuration, etc.\n\nThis recipe can be used to upgrade a splunk installation, for example\nfrom an existing 7.3.2 to 8.0.1. The default recipe can be used for\n8.0.1 after upgrading earlier versions have been completed. Note that the\nattributes file is only loaded w/ the URLs to the splunk packages to\nupgrade if the `node['splunk']['upgrade_enabled']` attribute is set to\ntrue. We recommend setting the actual URL attributes needed in a\nwrapper cookbook or role.\n\n## user\n\nThis recipe manages the `splunk` user and group. On Linux systems, the\nuser and group will be created with the `system` attribute; other\nplatforms may not be aware of `system` users/groups (e.g.,\nillumos/solaris). Both resources will be created with the UID or GID\nof the `node['splunk']['user']['uid']` attribute. The default value is\n396, arbitrarily chosen to fall under the `system` UID/GID set by\n`/etc/login.defs` on both RHEL and Debian family Linux systems. If\nthis is a conflicting UID/GID, then modify the attribute as required.\n\n## Usage\n\n### Data Bag Items\n\n#### Splunk Secrets \u0026 Admin User Authentication\n\nSplunk secret key and admin user authentication information should be stored in a\ndata bag item that is encrypted using Chef Vault. Create a data bag\nnamed `vault`, with an item `splunk_CHEF-ENVIRONMENT`, where\n`CHEF-ENVIRONMENT` is the `node.chef_environment` that the Splunk\nEnterprise server will be assigned. If environments are not used, use\n`_default`. For example in a Chef Repository (not in a cookbook):\n\n```ruby\n# data_bags/vault/splunk__default.json\n{\n  \"id\": \"splunk__default\",\n  \"auth\": \"admin:notarealpassword\",\n  \"secret\": \"notarealsecret\"\n}\n```\n\nOr with an environment, '`production`':\n\n```ruby\n# data_bags/vault/splunk_production.json\n{\n  \"id\": \"splunk_production\",\n  \"auth\": \"admin:notarealpassword\",\n  \"secret\": \"notarealsecret\"\n}\n```\n\nThen, upload the data bag item to the Chef Server using the\n`chef-vault` `knife encrypt` plugin (first example, `_default`\nenvironment):\n\n```shell\nknife encrypt create vault splunk__default \\\n    --json data_bags/vault/splunk__default.json \\\n    --search 'splunk:*' --admins 'yourusername' \\\n    --mode client\n```\n\nMore information about Chef Vault is available on the\n[GitHub Project Page](https://github.com/Nordstrom/chef-vault).\n\n#### Chef-Vault encrypted data bag fallback\n\nThe use of chef-vault is entirely optional. However, this cookbook maintains the structure of the encrypted data bags used throughout for those folks who prefer chef-vault. If you are one of the folks that don't want or can't use chef-vault, here is what you do.\n\nFirst, chef-vault has a built-in mechanism to fallback to a standard encrypted data bag. So, in order to make use of this, set the following attribute:\n\n```ruby\nnode.force_default['chef-vault']['data_bag_fallback'] = true\n```\n\nThe next step is to create a standard encrypted data bag. There are only two requirements to ensure your encrypted data bag is compatible with this cookbook, as follows. The steps below are very similar to the previous section; however, you will notice these steps are not using chef-vault.\n\n- Your data bag must conform to the data bag that is created by chef-vault.\n- Data bag items created in the data bag must also conform to the names created by chef-vault.\n\nCreate a data bag named `vault`, with an item `splunk_CHEF-ENVIRONMENT`, where\n`CHEF-ENVIRONMENT` is the `node.chef_environment` that the Splunk\nEnterprise server will be assigned. If environments are not used, use\n`_default`. For example in a Chef Repository (not in a cookbook):\n\n```ruby\n# data_bags/vault/splunk__default.json\n{\n  \"id\": \"splunk__default\",\n  \"auth\": \"admin:notarealpassword\",\n  \"secret\": \"notarealsecret\"\n}\n```\n\nOr with an environment, '`production`':\n\n```ruby\n# data_bags/vault/splunk_production.json\n{\n  \"id\": \"splunk_production\",\n  \"auth\": \"admin:notarealpassword\",\n  \"secret\": \"notarealsecret\"\n}\n```\n\nBelow is an example for a node that is in the `_default` chef environment using the json file above.\n\n```shell\nknife data bag create vault\nknife data bag from file vault data_bags/vault/splunk__default.json --secret-file ~/.chef/your_encrypted_data_bag_secret.key\n```\n\nThat's all there is to it!\n\n#### Web UI SSL\n\nA Splunk server should have the Web UI available via HTTPS. This can\nbe set up using self-signed SSL certificates, or \"real\" SSL\ncertificates. This loaded via a data bag item with chef-vault. Using\nthe defaults from the attributes:\n\n```ruby\n# data_bags/vault/splunk_certificates.json\n{\n  \"id\": \"splunk_certificates\",\n  \"data\": {\n    \"self-signed.example.com.crt\": \"-----BEGIN CERTIFICATE-----\\n...SNIP\",\n    \"self-signed.example.com.key\": \"-----BEGIN RSA PRIVATE KEY-----\\n...SNIP\"\n  }\n}\n```\n\nLike the authentication credentials above, run the `knife encrypt`\ncommand. Note the search here is for the splunk server only:\n\n```shell\nknife encrypt create vault splunk_certificates \\\n    --json data_bags/vault/splunk_certificates.json \\\n    --search 'splunk_is_server:true' --admins 'yourusername' \\\n    --mode client\n```\n\n## Contributors\n\nThis project exists thanks to all the people who [contribute.](https://opencollective.com/sous-chefs/contributors.svg?width=890\u0026button=false)\n\n### Backers\n\nThank you to all our backers!\n\n![https://opencollective.com/sous-chefs#backers](https://opencollective.com/sous-chefs/backers.svg?width=600\u0026avatarHeight=40)\n\n### Sponsors\n\nSupport this project by becoming a sponsor. Your logo will show up here with a link to your website.\n\n![https://opencollective.com/sous-chefs/sponsor/0/website](https://opencollective.com/sous-chefs/sponsor/0/avatar.svg?avatarHeight=100)\n![https://opencollective.com/sous-chefs/sponsor/1/website](https://opencollective.com/sous-chefs/sponsor/1/avatar.svg?avatarHeight=100)\n![https://opencollective.com/sous-chefs/sponsor/2/website](https://opencollective.com/sous-chefs/sponsor/2/avatar.svg?avatarHeight=100)\n![https://opencollective.com/sous-chefs/sponsor/3/website](https://opencollective.com/sous-chefs/sponsor/3/avatar.svg?avatarHeight=100)\n![https://opencollective.com/sous-chefs/sponsor/4/website](https://opencollective.com/sous-chefs/sponsor/4/avatar.svg?avatarHeight=100)\n![https://opencollective.com/sous-chefs/sponsor/5/website](https://opencollective.com/sous-chefs/sponsor/5/avatar.svg?avatarHeight=100)\n![https://opencollective.com/sous-chefs/sponsor/6/website](https://opencollective.com/sous-chefs/sponsor/6/avatar.svg?avatarHeight=100)\n![https://opencollective.com/sous-chefs/sponsor/7/website](https://opencollective.com/sous-chefs/sponsor/7/avatar.svg?avatarHeight=100)\n![https://opencollective.com/sous-chefs/sponsor/8/website](https://opencollective.com/sous-chefs/sponsor/8/avatar.svg?avatarHeight=100)\n![https://opencollective.com/sous-chefs/sponsor/9/website](https://opencollective.com/sous-chefs/sponsor/9/avatar.svg?avatarHeight=100)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsous-chefs%2Fchef-splunk","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsous-chefs%2Fchef-splunk","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsous-chefs%2Fchef-splunk/lists"}