Getting started with PE and Splunk

by Puppet
Posted: June 5, 2020

With the Splunk Hec module you can send Puppet report and inventory data to Splunk for analysis. Install the module on your Puppet master and configure a complementary Splunkbase app called the Puppet Report Viewer. Once installed and populated with data, the Puppet Report Viewer looks something like the dashboard below.

Puppet Report Viewer screen in Splunk

Before you begin

2. Create an HEC token in Splunk

  1. Navigate to Settings > Data Input in your Splunk console.
  2. Enable HEC if not already enabled:
    1. Click HTTP Event Collector.
    2. Click Global Settings.
    3. In the All Tokens toggle button, select Enabled.
    4. Click Save.
  3. Add a new HTTP Event Collector with a name of your choice.
  4. Ensure indexer acknowledgement is not enabled.
  5. Click Next and select the puppet:summary source type located under the Puppet Data category.
  6. Ensure the App Context is set to Puppet Report Viewer.
  7. Select the main index.
  8. Set the Default Index to main.
  9. Click Review and then Submit.

When editing your new token, it should look similar to the screenshot below.

Edit token form in Splunk

3. Add the class splunk_hec to the PE Master node group

  1. Install the splunk_hec module on your Puppet master by running:
    puppet module install puppetlabs-splunk_hec --version 0.7.1
  2. In the PE console, navigate to Classification and expand the PE Infrastructure group.
  3. Select PE Master and then Configuration.
  4. Add the splunk_hec class.
  5. Enable these parameters:
    enable_reports = true
    manage_routes = true
    token = something like F5129FC8-7272-442B-983C-203F013C1948
    url = something like https://splunk-8.splunk.internal:8088/services/collector
    
  6. Click Add parameter and commit your changes.
  7. Run Puppet on the node group. This restarts the Puppet Server service.

4. Log into the Splunk Console

Search for index=* sourcetype=puppet:summary. If everything was done properly, you should see the reports (and soon facts) from the systems in your Puppet environment.
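
If no reports appear, the url and token values from step 3 can be checked directly against HEC from the Puppet master. The script below is an added example, not part of the splunk_hec module or the original instructions; the variable names HEC_URL, HEC_TOKEN and HEC_CACERT and the splunk_hec:preflight sourcetype are chosen here, and it assumes the URL follows the form shown in step 3.

```shell
#!/bin/sh
# Added example: pre-flight check for the splunk_hec `url` and `token` values.
# HEC_URL, HEC_TOKEN and HEC_CACERT are environment variable names chosen here.

# Accept only an https URL of the form shown in step 3.
hec_url_ok() {
  printf '%s\n' "$1" |
    grep -Eqx 'https://[A-Za-z0-9.-]+(:[0-9]{1,5})?/services/collector'
}

# Accept only the 8-4-4-4-12 hexadecimal form of the token shown in step 3.
hec_token_ok() {
  printf '%s\n' "$1" |
    grep -Eqx '[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}'
}

# Build a test event. The sourcetype is constructed for this check so the
# event stays out of puppet:summary searches. $1 is the sending host name.
hec_payload() {
  printf '{"event":{"check":"splunk_hec preflight"},"sourcetype":"splunk_hec:preflight","host":"%s"}' "$1"
}

# HEC answers {"text":"Success","code":0} when it accepts an event.
hec_response_ok() {
  printf '%s\n' "$1" | grep -Eq '"code"[[:space:]]*:[[:space:]]*0([^0-9]|$)'
}

# Send one event. The token goes to curl on stdin (--config -) so it never
# appears in the process list, and TLS certificate verification stays on.
hec_preflight() {
  hec_url_ok "$HEC_URL" || { echo "url must be https://HOST[:PORT]/services/collector" >&2; return 2; }
  hec_token_ok "$HEC_TOKEN" || { echo "token is not in GUID form" >&2; return 2; }
  body=$(printf 'header = "Authorization: Splunk %s"\n' "$HEC_TOKEN" |
    curl --silent --show-error --max-time 10 --config - \
      ${HEC_CACERT:+--cacert "$HEC_CACERT"} \
      --data "$(hec_payload "$(hostname)")" "$HEC_URL") || return 1
  if hec_response_ok "$body"; then echo "HEC accepted the test event"
  else echo "HEC rejected the test event: $body" >&2; return 1; fi
}

# Run only when both values are supplied in the environment.
if [ -n "${HEC_URL:-}" ] && [ -n "${HEC_TOKEN:-}" ]; then hec_preflight; fi
```

Set HEC_CACERT to the CA bundle that signed the Splunk certificate if it is not in the system trust store, rather than disabling verification. An accepted event can be found in Splunk with index=* sourcetype=splunk_hec:preflight.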

Want to know more?

There are many additional ways to configure the Splunk Hec module not covered in these instructions, such as only sending Puppet data to Splunk for failed Puppet runs. These topics are covered in the Splunk Hec README. In addition, PE users can install the Puppet Alert Actions app and trigger Bolt tasks and more based on Puppet data in Splunk.