Splunk User 1 year ago
parent 385d360100
commit 8307fa1250

@ -0,0 +1,225 @@
<!-- Version 5.0 -->
<!-- datetime.xml -->
<!-- This file contains the general formulas for parsing date/time formats. -->
<datetime>
<define name="_year" extract="year">
<text><![CDATA[(20\d\d|19\d\d|[9012]\d(?!\d))]]></text>
</define>
<define name="_month" extract="month">
<text><![CDATA[(0?[1-9]|1[012])(?!:)]]></text>
</define>
<define name="_litmonth" extract="litmonth">
<text><![CDATA[(?<![\d\w])(jan|\x{4E00}\x{6708}|feb|\x{4E8C}\x{6708}|mar|\x{4E09}\x{6708}|apr|\x{56DB}\x{6708}|may|\x{4E94}\x{6708}|jun|\x{516D}\x{6708}|jul|\x{4E03}\x{6708}|aug|\x{516B}\x{6708}|sep|\x{4E5D}\x{6708}|oct|\x{5341}\x{6708}|nov|\x{5341}\x{4E00}\x{6708}|dec|\x{5341}\x{4E8C}\x{6708})[a-z,\.;]*]]></text>
</define>
<define name="_allmonth" extract="litmonth, month">
<text><![CDATA[(?:]]></text>
<use name="_litmonth"/>
<text><![CDATA[|]]></text>
<use name="_month"/>
<text><![CDATA[)]]></text>
</define>
<define name="_day" extract="day">
<text><![CDATA[(0?[1-9]|[12]\d|3[01])]]></text>
</define>
<define name="_usday" extract="day">
<use name="_day"/>
<text><![CDATA[(?:st|nd|rd|th|[,\.;])?]]></text>
</define>
<define name="_hour" extract="hour">
<text><![CDATA[([01]?[0-9]|[012][0-3])(?!\d)]]></text>
</define>
<define name="_minute" extract="minute">
<text><![CDATA[([0-6]\d)(?!\d)]]></text>
</define>
<define name="_second" extract="second">
<text><![CDATA[([0-6]\d)(?!\d)]]></text>
</define>
<define name="_zone" extract="zone">
<text><![CDATA[((?:(?:UT|UTC|GMT(?![+-])|CET|CEST|CETDST|MET|MEST|METDST|MEZ|MESZ|EET|EEST|EETDST|WET|WEST|WETDST|MSK|MSD|IST|JST|KST|HKT|AST|ADT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|CAST|CADT|EAST|EADT|WAST|WADT|Z)|(?:GMT)?[+-]\d\d?:?(?:\d\d)?)(?!\w))?]]></text>
</define>
<define name="_ampm" extract="ampm">
<text><![CDATA[([ap]m(?:[^A-Za-z0-9]|$)|[\x{4E0A}\x{4E0B}]\x{5348})?]]></text>
</define>
<define name="_time" extract="hour, minute, second, subsecond, ampm, zone">
<text><![CDATA[(?<!\d)]]></text>
<use name="_hour"/>
<text><![CDATA[:]]></text>
<use name="_minute"/>
<text><![CDATA[:]]></text>
<use name="_second"/>
<text><![CDATA[(?:(?: \d{4})?[:,\.](\d+))? {0,2}]]></text>
<use name="_ampm"/>
<text><![CDATA[ {0,2}]]></text>
<use name="_zone"/>
<text><![CDATA[(?!:\d)]]></text>
</define>
<define name="_hmtime" extract="hour, minute, ampm">
<text><![CDATA[(?<!\d)]]></text>
<use name="_hour"/>
<text><![CDATA[:]]></text>
<use name="_minute"/>
<text><![CDATA[(?: ([ap]m(?:[^A-Za-z0-9]|$)|[\x{4E0A}\x{4E0B}]\x{5348}))?(?!:[:\d])]]></text>
</define>
<define name="_dottime" extract="hour, minute, second, subsecond, zone">
<text><![CDATA[(?<![\d\.])([01]\d|2[0-3])\.]]></text>
<use name="_minute"/>
<text><![CDATA[(?:\.?]]></text>
<use name="_second"/>
<text><![CDATA[(?:[:,]\d+)?(?:\.(\d\d\d\d+))?) {0,2}]]></text>
<use name="_zone"/>
<text><![CDATA[(?![0-9\.])]]></text>
</define>
<define name="_combdatetime" extract="year, month, day, hour, minute, second, subsecond">
<!-- ... 20060502-000002 GMT ... -->
<text><![CDATA[(?<![\d\.])(20\d\d)(0\d|1[012])([012]\d|3[01])[.-]?([01]\d|2[0123])([0-6]\d)([0-6]\d)(?:\.?(\d+))?]]>\s*</text>
<use name="_zone"/>
</define>
<define name="_combdatetime2" extract="year, ignored_sep, month, day, hour, minute, second, zone">
<!-- ... 2007-3-22 0:0:2 GMT ...' -->
<!-- ... 2007/3/22 0:0:2 GMT ...' -->
<text><![CDATA[(?<![\d\.])(20\d\d)([-/])([01]?\d)\2([012]?\d|3[01])\s+([012]?\d):([0-6]?\d):([0-6]?\d)]]>\s*</text>
<use name="_zone"/>
</define>
<define name="_usdate" extract="litmonth, month, ignored_sep, day, zone, ignored_sep2, year">
<text><![CDATA[(?<!\w|\d[:\.\-])]]></text>
<use name="_allmonth"/>
<text><![CDATA[([/\- ]) {0,2}]]></text>
<use name="_day"/>
<text><![CDATA[(?!:) {0,2}(?:\d\d:\d\d:\d\d(?:[\.\,]\d+)? {0,2}]]></text>
<use name="_zone"/>
<text><![CDATA[)?((?:\3|,) {0,2}]]></text>
<use name="_year"/>
<text><![CDATA[)?(?!/|\w|\.\d)]]></text>
</define>
<!-- Jan 21, 09. allows spaces with litmonth only -->
<define name="_usdate1" extract="litmonth, ignored_sep, day, zone, ignored_sep2, year">
<text><![CDATA[(?<!\w|\d[:\.\-])]]></text>
<use name="_litmonth"/>
<text><![CDATA[([/\- ]) {0,2}]]></text>
<use name="_day"/>
<text><![CDATA[(?!:) {0,2}(?:\d\d:\d\d:\d\d(?:[\.\,]\d+)? {0,2}]]></text>
<use name="_zone"/>
<text><![CDATA[)?((?:\2|,) {0,2}]]></text>
<use name="_year"/>
<text><![CDATA[)?(?!/|\w|\.\d)]]></text>
</define>
<!-- 10/21/09. doesn't allow spaces (e.g. 10 21 09) with numeric month -->
<define name="_usdate2" extract="month, ignored_sep, day, zone, ignored_sep2, year">
<text><![CDATA[(?<!\w|\d[:\.\-])]]></text>
<use name="_month"/>
<text><![CDATA[([/\-])]]></text>
<use name="_day"/>
<text><![CDATA[(?!:)(?:\d\d:\d\d:\d\d(?:[\.\,]\d+)? {0,2}]]></text>
<use name="_zone"/>
<text><![CDATA[)?((?:\2)]]></text>
<use name="_year"/>
<text><![CDATA[)?(?!/|\w|\.\d)]]></text>
</define>
<define name="_isodate" extract="year, ignored_sep, litmonth, month, day">
<text><![CDATA[(?<![\w\d])]]></text>
<use name="_year"/>
<text><![CDATA[([\./\- ])]]></text>
<use name="_allmonth"/>
<text><![CDATA[(?!\d)(?:[\./\- ] {0,2})?]]></text>
<use name="_day"/>
<text><![CDATA[(?!/)(?:(?=T)|(?!\w)(?!\.\d))]]></text>
</define>
<!-- eurodate format. period/dot delim separated out to eurodate2 -->
<define name="_eurodate1" extract="day, ignored_sep, litmonth, month, year">
<text><![CDATA[(?<![\w\.])]]></text>
<use name="_usday"/>
<text><![CDATA[([\- /]) {0,2}]]></text>
<use name="_allmonth"/>
<text><![CDATA[\2 {0,2}]]></text>
<use name="_year"/>
<text><![CDATA[(?![\w\.])]]></text>
</define>
<!-- just period/dot delimiter. do not allow any spaces after dots (e.g. "version 5.4. 10" -->
<define name="_eurodate2" extract="day, litmonth, month, year">
<text><![CDATA[(?<![\w\.])]]></text>
<use name="_usday"/>
<text><![CDATA[\.]]></text>
<use name="_allmonth"/>
<text><![CDATA[\.]]></text>
<use name="_year"/>
<text><![CDATA[(?![\w\.])]]></text>
</define>
<define name="_bareurlitdate" extract="day, litmonth, year">
<text><![CDATA[(\d\d?)\|\|(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)\|\|(20\d\d)]]></text>
</define>
<define name="_orddate" extract="year, ord">
<text><![CDATA[\s([01]\d)([0123]\d\d)\s]]></text>
</define>
<!-- due to high number of false positive matches, this format is
limited to special cases. either at the start of a line or in
filename matches only, by prefixing with a "source::" -->
<!-- don't allow multiple spaces after mashed date. indicates number in column -->
<define name="_masheddate" extract="year, month, day">
<text><![CDATA[(?:^|source::).*?(?<!\d|\d\.|-)(?:20)?([9012]\d)(0\d|1[012])([012]\d|3[01])(?!\d|-| {2,})]]></text>
</define>
<define name="_masheddate2" extract="month, day, year">
<text><![CDATA[(?:^|source::).*?(?<!\d|\d\.)(0\d|1[012])([012]\d|3[01])(?:20)?([9012]\d)(?!\d| {2,})]]></text>
</define>
<define name="_utcepoch" extract="utcepoch, subsecond">
<!-- update regex before '2030' -->
<text><![CDATA[((?<=^|[\s#,"=\(\[\|\{])(?:1[012345678])\d{8}|^@[\da-fA-F]{16,24})(?:\.?(\d{1,6}))?(?![\d\(])]]></text>
</define>
<timePatterns>
<use name="_time"/>
<use name="_hmtime"/>
<use name="_hmtime"/>
<use name="_dottime"/>
<use name="_combdatetime"/>
<use name="_utcepoch"/>
<use name="_combdatetime2"/>
</timePatterns>
<datePatterns>
<use name="_usdate1"/>
<use name="_usdate2"/>
<use name="_isodate"/>
<use name="_eurodate1"/>
<use name="_eurodate2"/>
<use name="_bareurlitdate"/>
<use name="_orddate"/>
<use name="_combdatetime"/>
<use name="_masheddate"/>
<use name="_masheddate2"/>
<use name="_combdatetime2"/>
</datePatterns>
</datetime>

@ -0,0 +1,11 @@
[launcher]
version = 1.0.0
author = VABOS
description = Configure instance as License Slave
[package]
id = Conf_license_slave
[ui]
is_visible = false

@ -0,0 +1,9 @@
# In distributed environments, it's common to have a lone search head acting
# as the license master as well. In this configuration, providing the URI
# of the license master is easiest within the indexer_base configuration.
# In the event that there are multiple search heads, you could instead use
# the org_all_license app, shipped to the non-license SH, as well as all of
# the indexers. In either event, the settings are the same.
[license]
master_uri = https://SRVLM01.jpit.com:8089
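Review bot: `master_uri = https://SRVLM01.jpit.com:8089` names a host that appears nowhere else in this commit, while the monitoring-console distsearch.conf later in the commit lists `SPLCLM01.jpit.com:8089` under `dmc_group_license_master`; one of the two is probably stale, so confirm which host actually holds the license before this app is pushed. The key also uses the legacy `master_uri` spelling, whereas the search-head `server.conf` in the same commit already uses `manager_uri`; `manager_uri = https://<license-manager-host>:8089` keeps the naming consistent across the repo. Since nothing here pins the peer, trust in that host rests entirely on the instance's `[sslConfig]`, so the hostname should be treated as part of the security configuration rather than a convenience value.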

@ -0,0 +1,11 @@
[launcher]
version = 1.0.0
author = VABOS
description = Disable Kvstore on Indexers
[package]
id = edf_idx_kvstore_base
[ui]
is_visible = false

@ -0,0 +1,4 @@
# kvstore not needed on indexers, let's disable it
# even when distributing collection via bundle, it won't be used on indexer as this use lookups in the background
[kvstore]
disabled = true

@ -0,0 +1,11 @@
[launcher]
version = 1.0.0
author = VABOS
description = Enable receiving on Indexer layer
[package]
id = edf_idx_receiver_port
[ui]
is_visible = false

Binary file not shown.

@ -0,0 +1,11 @@
[launcher]
version = 1.0.0
author = VABOS
description = Contient la configuration des volumes de données
[package]
id = edf_idx_volume_indexes
[ui]
is_visible = false

@ -0,0 +1,7 @@
[volume:primary]
path = /data/splunk_data
maxVolumeDataSizeMB = 60000
[volume:secondary]
path = /data_cold/splunk_data
maxVolumeDataSizeMB = 240000

@ -0,0 +1,3 @@
[]
access = read : [ * ], write : [ admin ]
export = system

Binary file not shown.

@ -0,0 +1,11 @@
[launcher]
version = 1.0.0
author = Mattys Hervé (OBS)
description = Disable Web access on Indexers
[package]
id = odin_idx_web_base
[ui]
is_visible = false

@ -0,0 +1,12 @@
# In larger environments, where there are more than, say, three indexers,
# it's common to disable the Splunk UI. This helps avoid configuration issues
# caused by logging in to the UI to do something directly via the manager,
# as well as saving some system resources.
[settings]
startwebserver = 0
# avoid timeout when indexer loaded
splunkdConnectionTimeout = 120

@ -0,0 +1,27 @@
[distributedSearch]
servers = https://SPLCLM01.jpit.com:8089,https://SPLSH01.jpit.com:8089,https://SPLSH02.jpit.com:8089
[distributedSearch:dmc_group_deployment_server]
servers = localhost:localhost
[distributedSearch:dmc_group_kv_store]
servers = SPLCLM01.jpit.com:8089,SPLSH01.jpit.com:8089,SPLSH02.jpit.com:8089
[distributedSearch:dmc_group_license_master]
servers = SPLCLM01.jpit.com:8089
[distributedSearch:dmc_group_shc_deployer]
servers = localhost:localhost
[distributedSearch:dmc_group_cluster_master]
servers = SVLCTMLOGCLM01.unit-c.edf.fr:8089
[distributedSearch:dmc_group_indexer]
default = true
servers = SPLIDX01.jpit.com:8089,SPLIDX02.jpit.com:8089
[distributedSearch:dmc_group_search_head]
servers = SSPLCLM01.jpit.com:8089,SPLSH01.jpit.com:8089,SPLSH02.jpit.com:8089
[distributedSearch:dmc_searchheadclustergroup_Cluster_SH_M-TIC]
servers = localhost:localhost,SPLSH01.jpit.com:8089,SPLSH02.jpit.com:8089
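Review bot: The cluster-manager group line `servers = SVLCTMLOGCLM01.unit-c.edf.fr:8089` points at a host outside the `jpit.com` domain used by every other peer in this file and by the `[clustermanager:one]` stanza later in the commit (`https://SPLCLM01.jpit.com:8089`), and `SSPLCLM01.jpit.com:8089` in the search-head group looks like a typo for `SPLCLM01.jpit.com:8089`. A peer entry that merely fails to resolve only produces connection errors, but one that resolves to an unintended host is a trust-relationship problem, not a connectivity one, so the hostnames should be verified before deployment. If `SPLCLM01` is the intended manager, the fix is `servers = SPLCLM01.jpit.com:8089` under `[distributedSearch:dmc_group_cluster_master]` and `servers = SPLCLM01.jpit.com:8089,SPLSH01.jpit.com:8089,SPLSH02.jpit.com:8089` under `[distributedSearch:dmc_group_search_head]`.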

@ -0,0 +1,6 @@
This directory is the default repository location for deployable apps in a deployment server
configuration.
For details on configuring as a deployment server, see
$SPLUNK_HOME/etc/system/README/serverclass.conf.spec, serverclass.conf.example or the Admin manual
at http://docs.splunk.com/Documentation.

@ -0,0 +1,11 @@
[launcher]
version = 1.0
author = VABOS
description = Enable forwarding to Indexer layer
[package]
id = m-tic_all_forwarding_outputs
[ui]
is_visible = false

@ -0,0 +1,11 @@
# BASE SETTINGS
[tcpout]
# Change here to specify the indexer group
defaultGroup = indexer
maxQueueSize = 7MB
useACK = true
forceTimebasedAutoLB = true
[tcpout:indexer]
server = SPLIDX01.jpit.com:9997, SPLIDX02.jpit.com:9997
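Review bot: `[tcpout:indexer]` forwards to port 9997 with no TLS settings, so events travel to the indexers in cleartext, and this `[tcpout]` stanza will be merged with the second `[tcpout]` defined in another outputs.conf in this commit (`defautlGroup = primary_indexers`), with the effective `defaultGroup` and queue size decided by app precedence rather than by intent. If both apps can land on the same forwarder, keep a single authoritative outputs app; if TLS is expected, the group needs at least `sslRootCAPath`, `clientCert` and `sslVerifyServerCert` set, in line with the commented-out `clientCert` line in the other outputs file. `maxQueueSize = 7MB` together with `useACK = true` is also a small queue for an ACK-gated output, so confirm it was chosen deliberately rather than copied from a forwarder template.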

@ -0,0 +1,9 @@
[install]
state = enabled
[package]
check_for_updates = false
[ui]
is_visible = false
is_manageable = false

@ -0,0 +1,4 @@
[monitor:///var/rsyslog/*/catchother/*/*/*.log]
disabled = false
index = idx_catchall
sourcetype = catchall
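Review bot: `index = idx_catchall` sends the `catchother` directory to the catch-all index even though the indexes.conf in this commit defines a separate `idx_catchother` (and an `idx_other`); if those indexes are meant to hold different data, this input should probably read `index = idx_catchother`, otherwise one of the three definitions is unused. Confirm which was intended and drop the spare index definitions, since each extra index is one more place a future input can be misrouted to without anyone noticing.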

@ -0,0 +1,3 @@
[]
access = read : [ * ], write : [ admin ]
export = system

@ -0,0 +1,9 @@
[install]
state = enabled
[package]
check_for_updates = false
[ui]
is_visible = false
is_manageable = false

@ -0,0 +1,4 @@
[monitor:///var/rsyslog/*/cisco/.../*.log]
disabled = false
index = idx_m-tic_cisco
sourcetype = cisco
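Review bot: `index = idx_m-tic_cisco` names an index that the indexes.conf in this commit does not define (it defines `idx_cisco`); events addressed to an undefined index are dropped by the indexers unless a last-chance index is configured, so either define the index or change the line to `index = idx_cisco`. The same mismatch affects `idx_m-tic_linux` in the linux inputs and `idx_m-tic_windows` in the WinEventLog inputs, which correspond to the defined `idx_linux` and `idx_windows`; for a security data source like firewall and switch logs, silent drops are worse than a loud failure, so a check that every `index =` in inputs matches an indexes.conf stanza is worth adding to the deployment process.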

@ -0,0 +1,3 @@
[]
access = read : [ * ], write : [ admin ]
export = system

@ -0,0 +1,9 @@
[install]
state = enabled
[package]
check_for_update = false
[ui]
is_visible = false
is_manageable = false
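Review bot: `check_for_update = false` under `[package]` is misspelled; the recognised key, used by the other app.conf files in this commit, is `check_for_updates`, so this app will keep checking for updates despite the intent. The same misspelling appears in two more `[package]` stanzas later in the commit. Change each to `check_for_updates = false`.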

@ -0,0 +1,12 @@
[tcpout]
defautlGroup = primary_indexers
maxQueuSize = 100MB
useACK = true
forceTimebaseAutoLB = true
forwardedindex.2.whitelist = (_audit|_introspection|_internal)
[tcpout:primary_indexers]
server = SPLIDX01.jpit.com:9997, SPLIDX02.jpit.com:9997
#clientCert = $SPLUNK_HOME/etc/auth/server.pem
#sslPassword =
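Review bot: Three keys in `[tcpout]` are misspelled and will be silently ignored: `defautlGroup`, `maxQueuSize` and `forceTimebaseAutoLB`; the first outputs.conf in this commit spells them `defaultGroup`, `maxQueueSize` and `forceTimebasedAutoLB`. With `defaultGroup` effectively unset, nothing is routed to `primary_indexers` by default, so this forwarder would send only what routing rules elsewhere direct there. The commented `#clientCert` / `#sslPassword` lines suggest TLS was intended; when it is enabled, `sslPassword` should be supplied at deployment time rather than committed in cleartext to this repo.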

@ -0,0 +1,2 @@
[sslConfig]
sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem
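Review bot: `sslRootCAPath` sets the CA bundle but, on its own, does not make splunkd reject peers whose certificate fails to chain to it; if the intent is to authenticate the indexers and cluster manager this instance talks to, `[sslConfig]` also needs `sslVerifyServerCert = true`, and the certificates must carry the hostnames used elsewhere in this commit. `$SPLUNK_HOME/etc/auth/ca.pem` is also the path of the self-signed CA Splunk generates at install, so confirm the deployed file is the organisation's CA and not that default, otherwise the setting adds nothing.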

@ -0,0 +1,9 @@
[install]
state = enabled
[package]
check_for_update = false
[ui]
is_visible = false
is_manageable = false

@ -0,0 +1,3 @@
[shclustering]
pass4SymmKey = $7$iQ3wl+w1tMlCZXopQ/BDXHv8e+xGXGR10mvQYOiCdPxZuIkKX87oMm85MSkitkPk3PYW2Qhjc/kSMq2B5M0=
shcluster_label = shcluster
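Review bot: The `pass4SymmKey` value is a `$7$` blob, which Splunk derives from the instance's `splunk.secret`; it only decrypts on hosts that share that exact secret, so as committed it either fails on any host with a different `splunk.secret` or, if `splunk.secret` is also distributed through this repo, is equivalent to storing the key in cleartext. Prefer injecting this key from a deployment-time secret store and keeping only a placeholder such as `pass4SymmKey = <set-at-deploy-time>` in version control. The same applies to the `pass4SymmKey` values in the two `server.conf` sections later in the commit, where the indexer-cluster and search-head-cluster keys are byte-identical, which removes any separation between the two trust domains.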

@ -0,0 +1,9 @@
[install]
state = enabled
[package]
check_for_updates = false
[ui]
is_visible = false
is_manageable = false

@ -0,0 +1,4 @@
[monitor:///var/rsyslog/*/esxi/*/*/*.log]
disabled = false
index = idx_esxi
sourcetype = esxi

@ -0,0 +1,3 @@
[]
access = read : [ * ], write : [ admin ]
export = system

@ -0,0 +1,9 @@
[install]
state = enabled
[package]
check_for_updates = false
[ui]
is_visible = false
is_manageable = false

@ -0,0 +1,4 @@
[monitor:///var/rsyslog/*/fortigate/*/*/*.log]
disabled = false
index = idx_fortigate
sourcetype = fortigate

@ -0,0 +1,3 @@
[]
access = read : [ * ], write : [ admin ]
export = system

@ -0,0 +1,11 @@
[launcher]
version = 1.0.0
author = VABOS
description = Configure default optimisation on Indexers
[package]
id = edf_idx_indexes_base
[ui]
is_visible = false

@ -0,0 +1,75 @@
[default]
thawedPath = $SPLUNK_DB/$_index_name/thaweddb
coldPath = volume:secondary/$_index_name/colddb
homePath = volume:primary/$_index_name/db
tstatsHomePath = volume:primary/$_index_name/datamodel_summary
tsidxWritingLevel = 4
journalCompression = zstd
enableDataIntegrityControl = 0
enableTsidxReduction = 0
#archiver.enableDataArchive = 0
#bucketRebuildMemoryHint = 1
compressRawdata = 1
enableOnlineBucketRepair = 1
rtRouterQueueSize =
rtRouterThreads =
selfStorageThreads =
suspendHotRollByDeleteQuery = 0
syncMeta = 1
repFactor = auto
coldPath.maxDataSizeMB = 5000
[_dsappevent]
[_dsclient]
[_dsphonehome]
[_metrics]
[_telemetry]
[_internal]
[_introspection]
[idx_windows]
[idx_fortigate]
[idx_linux]
[idx_esxi]
[vmware-esxilog]
[vmware-perf-metrics]
datatype = metric
[vmware-inv]
[vmware-taskevent]
[vmware-vclog]
[idx_alcatel]
[idx_cisco]
[idx_switch]
[idx_catchall]
[idx_catchother]
[idx_other]
[idx_glpi]
[idx_glpi_vm]
[idx_glpi_kb]
[idx_glpi_sep]
[idx_glpi_obsolescence]
[idx_genetec_sc]
[idx_ldap]
[idx_synology]
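Review bot: `rtRouterQueueSize =`, `rtRouterThreads =` and `selfStorageThreads =` in `[default]` are assigned empty values, which is not the same as leaving them unset and may trip settings validation on startup; remove the three lines unless a concrete value is intended. `coldPath.maxDataSizeMB = 5000` and `repFactor = auto` in `[default]` also apply to `_internal`, `_introspection` and the other built-in indexes listed below, which is rarely wanted for the internal logs an investigation relies on. No index sets `maxTotalDataSizeMB` or `frozenTimePeriodInSecs`, so retention is governed only by the built-in defaults and the volume caps; if `idx_windows`, `idx_fortigate` or `idx_cisco` have audit or regulatory retention requirements, they should be stated explicitly per index.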

@ -0,0 +1,9 @@
[install]
state = enabled
[package]
check_for_updates = false
[ui]
is_visible = false
is_manageable = false

@ -0,0 +1,5 @@
[monitor:///var/rsyslog/*/linux/.../*.log]
disabled = 0
host_segment = 6
index = idx_m-tic_linux
sourcetype = syslog_linux
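Review bot: `host_segment = 6` combined with the recursive `...` in the monitor path means the sixth path segment is the host directory only at one specific depth; for `/var/rsyslog/<x>/linux/<host>/file.log` the host would be segment 5, and at deeper nesting segment 6 may be a subdirectory name, so events could be tagged with the wrong host. Confirm the on-disk layout, or use a `host_regex` anchored on the fixed `/var/rsyslog/` prefix so the host is derived the same way at every depth. Note also that `index = idx_m-tic_linux` is not defined by the indexes.conf in this commit (`idx_linux` is).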

@ -0,0 +1,3 @@
[]
access = read : [ * ], write : [ admin ]
export = system

@ -0,0 +1,9 @@
[install]
state = enabled
[package]
check_for_updates = false
[ui]
is_visible = false
is_manageable = false

@ -0,0 +1,20 @@
[distributedSearch]
servers = https://SPLIDX01.jpit.com:8089,https://SPLIDX02.jpit.com:8089
[distributedSearch:dmc_group_deployment_server]
[distributedSearch:dmc_group_kv_store]
servers = localhost:localhost
[distributedSearch:dmc_group_license_master]
[distributedSearch:dmc_group_shc_deployer]
[distributedSearch:dmc_group_cluster_master]
[distributedSearch:dmc_group_indexer]
default = false
servers = SPLIDX01.jpit.com:8089,SPLIDX02.jpit.com:8089
[distributedSearch:dmc_group_search_head]
servers = localhost:localhost

@ -0,0 +1,17 @@
[clustering]
mode = searchhead
manager_uri = clustermanager:one
[clustermanager:one]
manager_uri = https://SPLCLM01.jpit.com:8089
pass4SymmKey = $7$S9wq9h/bAbFgNYLo/9vsjHEwpY2z8IkPYQ663LGXb6cLu5YmhyEQnSS3+7jNTRzFBQ==
multisite = false
[shclustering]
shcluster_label = shcluster
conf_deploy_fetch_url = https://SPLDSMC.jpit.com:8089
pass4SymmKey = $7$S9wq9h/bAbFgNYLo/9vsjHEwpY2z8IkPYQ663LGXb6cLu5YmhyEQnSS3+7jNTRzFBQ==
[httpServer]
maxThreads = 150000
maxSockets = 250000
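Review bot: `multisite = false` under `[clustermanager:one]` contradicts the other search-head `[clustering]` stanza in this commit, which sets `multisite = true` with `site = site2` against the same manager `SPLCLM01.jpit.com:8089`; if both apps ever reach the same search head the merged configuration is inconsistent, and a search head declaring `multisite = false` to a multisite manager is likely to be refused. Decide which app owns cluster membership and remove the stanza from the other. `maxThreads = 150000` and `maxSockets = 250000` in `[httpServer]` are also orders of magnitude above what a single host can service; confirm these were chosen deliberately and add a short comment stating why.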

@ -0,0 +1,3 @@
[]
acces = read : [ * ], write : [ admin ]
export = system
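Review bot: `acces = read : [ * ], write : [ admin ]` misspells the key; Splunk only honours `access`, so this stanza sets no explicit permissions and the app's objects fall back to default access while still being exported system-wide by `export = system`. Change it to `access = read : [ * ], write : [ admin ]`, as the other `default.meta` files in this commit do.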

@ -0,0 +1,11 @@
[launcher]
version = 1.0.0
author = VABOS
description = Configure Search Head for IDX Clustering
[package]
id = M-TIN_sh_idxcluster_base
[ui]
is_visible = false

@ -0,0 +1,9 @@
[general]
site = site2
[clustering]
multisite = true
master_uri = https://SPLCLM01.jpit.com:8089
mode = searchhead
pass4SymmKey = $7$i7IqoiyC1DpnVbSVtwGzuVTO5rmVyPCI2CMacpHEFs3N2oFAaF0EJ049Otza

@ -0,0 +1,9 @@
[install]
state = enabled
[package]
check_for_update = false
[ui]
is_visible = false
is_manageable = false

@ -0,0 +1,6 @@
# One Volume for Hot and Cold
[volume:primary]
path = /opt/splunk/var/lib/splunk
[volume:secondary]
path = /opt/splunk/var/lib/splunk
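Review bot: Both volumes point at `/opt/splunk/var/lib/splunk` with no `maxVolumeDataSizeMB`, so the `coldPath = volume:secondary/...` used by the indexes.conf `[default]` elsewhere in this commit gives neither tier separation nor a volume-based cap on this host class. If this app targets different hosts than the `/data` / `/data_cold` volumes app, the two must never be deployed together, because the later-precedence app silently redefines `volume:primary` and `volume:secondary`. Consider adding a `maxVolumeDataSizeMB` here as well so a full disk is handled by Splunk's bucket management rather than by the operating system.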

@ -0,0 +1,2 @@
[]
access = read : [ * ], write : [ admin, power ]
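Review bot: `write : [ admin, power ]` lets the `power` role modify this app's objects, unlike every other `default.meta` in this commit, which restricts write to `admin`, and there is no `export` line. Confirm the broader write grant is deliberate for this app and add a one-line comment saying why, since permission stanzas that differ from the repo norm without explanation tend to be "fixed" in either direction later.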

@ -0,0 +1,3 @@
[settings]
disabled = 0
configuredPeers = SPLSH01.jpit.com:8089,SPLSH02.jpit.com:8089,SPLIDX01.jpit.com:8089,SPLIDX02.jpit.com:8089,SPLCLM01.jpit.com:8089

@ -0,0 +1,9 @@
[install]
state = enabled
[package]
check_for_updates = false
[ui]
is_visible = false
is_manageable = false

@ -0,0 +1,7 @@
[WinEventLog]
interval=60
evt_resolve_ad_obj = 0
evt_dc_name=
evt_dns_name=
index = idx_m-tic_windows
sourcetype = events_windows
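Review bot: The stanza header `[WinEventLog]` names no channel; Windows event logs are collected through per-channel stanzas such as `[WinEventLog://Security]`, so if no such stanza is supplied by another app this file appears to set defaults but collect nothing, and `index = idx_m-tic_windows` is not an index defined by the indexes.conf in this commit (`idx_windows` is). Add explicit `[WinEventLog://Security]`, `[WinEventLog://System]` and `[WinEventLog://Application]` stanzas with `disabled = 0`, or document which app provides them. `evt_dc_name=` and `evt_dns_name=` are empty and `evt_resolve_ad_obj = 0` already disables AD resolution, so those two lines can be dropped.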

@ -0,0 +1,3 @@
[]
access = read : [ * ], write : [ admin ]
export = system

@ -0,0 +1,19 @@
exporters:
prometheus:
endpoint: "127.0.0.1:4318"
processors:
batch: {}
service:
pipelines:
metrics:
exporters:
- prometheus
processors:
- batch
receivers:
- prometheus
telemetry:
logs:
level: info
metrics:
level: none
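Review bot: The metrics pipeline lists `- prometheus` under `receivers:`, but the file defines only `exporters:` and `processors:`; with no top-level `receivers:` block the collector's configuration validation fails on the undefined receiver, so a `receivers:` section with the prometheus scrape configuration is needed (or was lost from this file). `endpoint: "127.0.0.1:4318"` for the prometheus exporter is also the port conventionally used for OTLP/HTTP, so confirm it does not collide with an OTLP receiver on the same host; binding to loopback is the right choice for a scrape endpoint that should not be reachable from the network.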

@ -0,0 +1,38 @@
packages:
- file: identity-0.0.1-898de82.tar.gz
name: identity
signature: '-----BEGIN PGP SIGNATURE-----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=mW3t
-----END PGP SIGNATURE-----
'
version:
id: 0.0.1-898de82
semver: v0.1.1

@ -0,0 +1,632 @@
<!-- Version 4.0 -->
<language>
<options>
<useAdvancedQuery>false</useAdvancedQuery>
</options>
<controls>
<control>
<token>SEARCH</token>
<modules>
<module>
<name>savedSplunkLoader</name>
<requiredArgs>
<arg>savedsplunk</arg>
</requiredArgs>
</module>
<module>
<name>savedSplunkLoader</name>
<requiredArgs>
<arg>savedsearch</arg>
</requiredArgs>
</module>
<module>
<name>time</name>
<requiredArgs>
<arg>startdaysago</arg>
</requiredArgs>
<defaults>
<startdaysago>1</startdaysago>
</defaults>
</module>
<module>
<name>sortmeta</name>
<requiredArgs>
<arg>sort</arg>
</requiredArgs>
<optionalArgs>
<arg>order</arg>
</optionalArgs>
</module>
<module>
<name>lastby</name>
<requiredArgs>
<arg>lastby</arg>
</requiredArgs>
</module>
<module>
<name>readtimeout</name>
<requiredArgs>
<arg>readtimeout</arg>
</requiredArgs>
<defaults>
<readtimeout>5</readtimeout>
</defaults>
</module>
<module>
<name>queryid</name>
<requiredArgs>
<arg>queryid</arg>
</requiredArgs>
</module>
<module>
<name>sortorder</name>
<requiredArgs>
<arg>!resultsetsortby</arg>
</requiredArgs>
</module>
<module>
<name>readlevel</name>
<requiredArgs>
<arg>readlevel</arg>
</requiredArgs>
</module>
<module>
<name>readlimit</name>
<requiredArgs>
<arg>readlimit</arg>
</requiredArgs>
</module>
<module>
<name>time</name>
<requiredArgs>
<arg>startminutesago</arg>
</requiredArgs>
<defaults>
<startminutesago>1</startminutesago>
</defaults>
</module>
<module>
<name>time</name>
<requiredArgs>
<arg>starthoursago</arg>
</requiredArgs>
<defaults>
<starthoursago>1</starthoursago>
</defaults>
</module>
<module>
<name>time</name>
<requiredArgs>
<arg>startmonthsago</arg>
</requiredArgs>
<defaults>
<startmonthsago>1</startmonthsago>
</defaults>
</module>
<module>
<name>time</name>
<requiredArgs>
<arg>enddaysago</arg>
</requiredArgs>
<defaults>
<enddaysago>1</enddaysago>
</defaults>
</module>
<module>
<name>time</name>
<requiredArgs>
<arg>endminutesago</arg>
</requiredArgs>
<defaults>
<endminutesago>1</endminutesago>
</defaults>
</module>
<module>
<name>time</name>
<requiredArgs>
<arg>endhoursago</arg>
</requiredArgs>
<defaults>
<endhoursago>1</endhoursago>
</defaults>
</module>
<module>
<name>time</name>
<requiredArgs>
<arg>endmonthsago</arg>
</requiredArgs>
<defaults>
<endmonthsago>1</endmonthsago>
</defaults>
</module>
<module>
<name>time</name>
<requiredArgs>
<arg>searchtimespanhours</arg>
</requiredArgs>
<defaults>
<searchtimespanhours>1</searchtimespanhours>
</defaults>
</module>
<module>
<name>time</name>
<requiredArgs>
<arg>searchtimespanminutes</arg>
</requiredArgs>
<defaults>
<searchtimespanminutes>1</searchtimespanminutes>
</defaults>
</module>
<module>
<name>time</name>
<requiredArgs>
<arg>searchtimespandays</arg>
</requiredArgs>
<defaults>
<searchtimespandays>1</searchtimespandays>
</defaults>
</module>
<module>
<name>time</name>
<requiredArgs>
<arg>searchtimespanmonths</arg>
</requiredArgs>
<defaults>
<searchtimespanmonths>1</searchtimespanmonths>
</defaults>
</module>
<module>
<name>time</name>
<requiredArgs>
<arg>starttime</arg>
</requiredArgs>
<optionalArgs>
<arg>timeformat</arg>
</optionalArgs>
<defaults>
<starttime>12/31/1969:16:00:00</starttime>
<timeformat>%m/%d/%Y:%H:%M:%S</timeformat>
</defaults>
</module>
<module>
<name>time</name>
<requiredArgs>
<arg>endtime</arg>
</requiredArgs>
<optionalArgs>
<arg>timeformat</arg>
</optionalArgs>
<defaults>
<endtime>12/31/2022:16:00:00</endtime>
<timeformat>%m/%d/%Y:%H:%M:%S</timeformat>
</defaults>
</module>
<module>
<name>time</name>
<requiredArgs>
<arg>starttimeu</arg>
</requiredArgs>
<defaults>
<starttimeu>0</starttimeu>
</defaults>
</module>
<module>
<name>time</name>
<requiredArgs>
<arg>endtimeu</arg>
</requiredArgs>
<defaults>
<endtimeu>1672531200</endtimeu>
</defaults>
</module>
<module>
<name>time</name>
<requiredArgs>
<arg>daysago</arg>
</requiredArgs>
<defaults>
<daysago>1</daysago>
</defaults>
</module>
<module>
<name>time</name>
<requiredArgs>
<arg>minutesago</arg>
</requiredArgs>
<defaults>
<minutesago>1</minutesago>
</defaults>
</module>
<module>
<name>time</name>
<requiredArgs>
<arg>hoursago</arg>
</requiredArgs>
<defaults>
<hoursago>1</hoursago>
</defaults>
</module>
<module>
<name>time</name>
<requiredArgs>
<arg>monthsago</arg>
</requiredArgs>
<defaults>
<monthsago>1</monthsago>
</defaults>
</module>
<module>
<name>maxtime</name>
<requiredArgs>
<arg>maxtime</arg>
</requiredArgs>
<defaults>
<maxtime>60</maxtime>
</defaults>
</module>
<module>
<name>countSetter</name>
<requiredArgs>
<arg>maxevents</arg>
</requiredArgs>
<defaults>
<maxevents>typeahead_suppress</maxevents>
</defaults>
</module>
<module>
<name>eventtypeResolver</name>
<requiredArgs>
<arg>eventtype</arg>
</requiredArgs>
</module>
<module>
<name>eventtypeResolver</name>
<requiredArgs>
<arg>tag</arg>
</requiredArgs>
</module>
<module>
<name>eventtypeResolver</name>
<requiredArgs>
<arg>typetag</arg>
</requiredArgs>
</module>
<module>
<name>eventtypeResolver</name>
<requiredArgs>
<arg>eventtypetag</arg>
</requiredArgs>
</module>
<module>
<name>hosttagResolver</name>
<requiredArgs>
<arg>hosttag</arg>
</requiredArgs>
</module>
<module>
<name>sourcetypeResolver</name>
<requiredArgs>
<arg>sourcetype</arg>
</requiredArgs>
</module>
<module>
<name>domainFinder</name>
<requiredArgs>
<arg>index</arg>
</requiredArgs>
</module>
<module>
<name>connectedbytype</name>
<requiredArgs>
<arg>relatedbytype</arg>
</requiredArgs>
<optionalArgs>
<arg>minrelationbytype</arg>
</optionalArgs>
</module>
<module>
<name>historyuser</name>
<requiredArgs>
<arg>user</arg>
</requiredArgs>
</module>
<module>
<name>regexFilter</name>
<requiredArgs>
<arg>grep</arg>
</requiredArgs>
</module>
<module>
<name>debugCommand</name>
<requiredArgs>
<arg>!++cmd++</arg>
</requiredArgs>
<optionalArgs>
<arg>!++param1++</arg>
<arg>!++param2++</arg>
</optionalArgs>
</module>
</modules>
</control>
<control>
<token>GET</token>
<modules>
<module>
<name>eventGetter</name>
<requiredArgs>
<arg>events</arg>
</requiredArgs>
<optionalArgs>
<arg>summarize</arg>
</optionalArgs>
<requiredControls>
<token>SEARCH</token>
</requiredControls>
</module>
<module>
<name>timebucketsGetter</name>
<requiredArgs>
<arg>timebuckets</arg>
</requiredArgs>
<requiredControls>
<token>SEARCH</token>
</requiredControls>
</module>
<module>
<name>reportGetter</name>
<requiredArgs>
<arg>report</arg>
</requiredArgs>
</module>
<module>
<name>typeGetter</name>
<requiredArgs>
<arg>types</arg>
</requiredArgs>
<optionalArgs>
<arg>samplesfortypes</arg>
</optionalArgs>
</module>
<module>
<name>searchGetter</name>
<requiredArgs>
<arg>searches</arg>
</requiredArgs>
<optionalArgs>
<arg>samplesfortypes</arg>
</optionalArgs>
</module>
<module>
<name>hostGetter</name>
<requiredArgs>
<arg>hosts</arg>
</requiredArgs>
</module>
<module>
<name>sourceTypeGetter</name>
<requiredArgs>
<arg>sourcetypes</arg>
</requiredArgs>
</module>
<module>
<name>eventTagGetter</name>
<requiredArgs>
<arg>eventtags</arg>
</requiredArgs>
</module>
<module>
<name>hostTagGetter</name>
<requiredArgs>
<arg>hosttags</arg>
</requiredArgs>
</module>
<module>
<name>sourceTypeTagGetter</name>
<requiredArgs>
<arg>sourcetypetags</arg>
</requiredArgs>
</module>
<module>
<name>sourceGetter</name>
<requiredArgs>
<arg>sources</arg>
</requiredArgs>
</module>
<module>
<name>reportGetter</name>
<requiredArgs>
<arg>report</arg>
</requiredArgs>
</module>
<module>
<name>formatGetter</name>
<requiredArgs>
<arg>formats</arg>
</requiredArgs>
</module>
</modules>
</control>
<control>
<token>OUTPUT</token>
<modules>
<module>
<name>emailOut</name>
<requiredArgs>
<arg>email</arg>
</requiredArgs>
<optionalArgs>
<arg>format</arg>
</optionalArgs>
<requiredControls>
<token>GET</token>
</requiredControls>
</module>
<module>
<name>schedOut</name>
<requiredArgs>
<arg>scheduler</arg>
</requiredArgs>
<optionalArgs>
<arg>resolveids</arg>
</optionalArgs>
</module>
<module>
<name>schedOut</name>
<requiredArgs>
<arg>summary</arg>
</requiredArgs>
<optionalArgs>
<arg>resolveids</arg>
</optionalArgs>
</module>
<module>
<name>rssOut</name>
<requiredArgs>
<arg>rssfeed</arg>
</requiredArgs>
<requiredControls>
<token>GET</token>
</requiredControls>
</module>
<module>
<name>splunkUIOut</name>
<requiredArgs>
<arg>splunkui</arg>
</requiredArgs>
<optionalArgs>
<arg>format</arg>
<arg>idcount</arg>
<arg>maxlines</arg>
<arg>timeformat</arg>
</optionalArgs>
<requiredControls>
<token>GET</token>
</requiredControls>
</module>
<module>
<name>exportOut</name>
<requiredArgs>
<arg>exportto</arg>
</requiredArgs>
<optionalArgs>
<arg>format</arg>
</optionalArgs>
<requiredControls>
<token>GET</token>
</requiredControls>
</module>
<module>
<name>raweventsOut</name>
<requiredArgs>
<arg>rawevents</arg>
</requiredArgs>
<requiredControls>
<token>GET</token>
</requiredControls>
</module>
<module>
<name>magicgraph</name>
<requiredArgs>
<arg>magicgraph</arg>
</requiredArgs>
<requiredControls>
<token>GET</token>
</requiredControls>
</module>
</modules>
</control>
</controls>
<!--
Examples :
Running a normal splunk ui query
SEARCH get NOT post NOT( eventtype::error OR connected::foo:1:123544 ) count::100000 domain::splunkdb1
GET events::0-20 types::all sourcetypes::all timebuckets::all
OUTPUT splunkui::ajax format::heavy
Running a query to email all the sources in the system to brian@splunk.com with html email format
GET sources::all
OUTPUT email::brian@splunk.com format::htmlmail
-->
</language>

@ -0,0 +1,26 @@
# Version 9.3.1
# Modify the following line to suit the location of your Splunk install.
# If unset, Splunk will use the parent of the directory containing the splunk
# CLI executable.
#
# SPLUNK_HOME=/home/build/build-home
# By default, Splunk stores its indexes under SPLUNK_HOME in the
# var/lib/splunk subdirectory. This can be overridden
# here:
#
# SPLUNK_DB=/home/build/build-home/var/lib/splunk
# Splunkd daemon name
SPLUNK_SERVER_NAME=Splunkd
# If SPLUNK_OS_USER is set, then Splunk service will only start
# if the 'splunk [re]start [splunkd]' command is invoked by a user who
# is, or can effectively become via setuid(2), $SPLUNK_OS_USER.
# (This setting can be specified as username or as UID.)
#
# SPLUNK_OS_USER
PYTHONHTTPSVERIFY=0
PYTHONUTF8=1
ENABLE_CPUSHARES=true
OPTIMISTIC_ABOUT_FILE_LOCKING=1
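Review bot: `PYTHONHTTPSVERIFY=0` disables TLS certificate verification for every Python process Splunk launches (modular inputs, REST handlers, scripted alerts), so any of them talking to an HTTPS endpoint will accept any certificate, leaving those connections open to interception; this is typically added to make a self-signed endpoint work and then never removed. Remove the line and instead trust the relevant CA explicitly, which this commit already provisions through `sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem`. `OPTIMISTIC_ABOUT_FILE_LOCKING=1` and `ENABLE_CPUSHARES=true` change runtime behaviour and deserve a one-line `#` comment each stating why they are set, matching the commented style of the rest of the file.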

@ -0,0 +1,4 @@
VERSION=9.3.1
BUILD=0b8d769cb912
PRODUCT=splunk
PLATFORM=Linux-x86_64