
Enhancement : Install app from Splunkbase

Open lmnogues opened this issue 4 years ago • 3 comments

As a Splunk Admin with a restricted git repo size, I want to be able to automatically install applications from Splunkbase instead of Git.

lmnogues avatar Mar 05 '21 15:03 lmnogues

So, I actually did a POC playbook for this last year that we may be able to reuse and incorporate into this role. There are some drawbacks and constraints to pulling apps from Splunkbase, namely:

  1. Apps can be removed or retired from Splunkbase.
  2. Splunkbase does not offer service accounts so a personal login is required to authenticate for downloads.
  3. Splunkbase does not provide a way to pull the "latest" version. You have to specify the version number of each app/addon that you want to download.
  4. Splunkbase download URLs are not human readable (e.g. TA NIX is only identified as "833") so we may want to include an extra var in Ansible with the human readable app name for our own sanity.
  5. Downloading and installing straight from Splunkbase may be undesirable in some cases (e.g. if you want to disable/enable inputs, change index names, or customize anything before deploying).

All that said, this is possible. Here's the POC playbook that I wrote for reference:

```yaml
# ansible-playbook --connection=local --inventory 127.0.0.1, install_splunkbase_app_rest.yml
- hosts:
    - localhost
  gather_facts: no
  vars:
    # Placeholder credentials. The login address is redacted on this page;
    # it is quoted so that YAML reads it as a string rather than a list.
    - splunkbase_username: "[email protected]"
    - splunkbase_password: somepassword
    - splunkbase_auth_url: https://splunkbase.splunk.com/api/account:login/
    - splunk_host: mysplunkhost
    - splunk_user: admin
    - splunk_password: somepassword
    # 833 is the Splunkbase app id, 8.1.0 the pinned release
    - app_url: https://splunkbase.splunk.com/app/833/release/8.1.0/download
  tasks:
    - name: Get splunkbase authentication token
      uri:
        url: "{{ splunkbase_auth_url }}"
        method: POST
        return_content: yes
        body_format: form-urlencoded
        body:
          username: "{{ splunkbase_username }}"
          password: "{{ splunkbase_password }}"
      register: login

    # The login response is XML; the token is the text of its <id> element
    - name: Create splunkbase_token var
      set_fact:
        splunkbase_token: "{{ login.content | regex_search('<id>(.*)<\\/id>', '\\1' ) | first }}"

    # splunkd downloads app_url itself, using the Splunkbase token passed in "auth"
    - name: Install Splunkbase app
      uri:
        url: "https://{{ splunk_host }}:8089/services/apps/local"
        method: POST
        user: "{{ splunk_user }}"
        password: "{{ splunk_password }}"
        # Certificate verification for the splunkd management port is turned off here
        validate_certs: false
        body:
          name: "{{ app_url }}"
          update: "true"
          filename: "true"
          auth: "{{ splunkbase_token }}"
        body_format: "form-urlencoded"
        status_code: [ 200, 201 ]
        timeout: 300
      when:
        - "'splunkbase.splunk.com' in app_url"
        - splunkbase_token is defined
        - splunkbase_token != None
```

mason-splunk avatar Mar 05 '21 19:03 mason-splunk

One consideration for implementing this task: We will likely want to support installing apps from both Splunkbase and from Git on the same host.

mason-splunk avatar Mar 05 '21 19:03 mason-splunk

For the Splunkbase URL, you can use https://splunkbase.splunk.com/apps/id/lookup_editor to get the app number.

lmnogues avatar Mar 05 '21 21:03 lmnogues