No data on Ansible apps on splunk, i have done as below
1.Install this Ansible Monitoring & Diagnostics using the normal Splunk process
2.In Splunk add a HTTP Event Collector data input with a sourcetype of json. Ensure to enable tokens and disable SSL
3.copy the splunk.py Ansible callback file, currently in the apps bin directory, into a directory within the root of your Ansible playbook called callbackplugins
4.Update your "ansible.cfg" with settings from the Splunk HTTP Event Collector data input as below
callback_whitelist = splunk
url = http://184.108.40.206:8088/services/collector/event
authtoken = 2ecefa94-ffa5-4c81-af22-8e3eff29c612
which index are you routing the events to from HEC. Did you verify if that index exists in the indexer?,which index are you routing the ansible events to from HEC, did you verify if that index has been created in the indexers?
Just on the same problem... see my Ansible-info in my own index, if I search it via "search and reporting" index="myownindex" I see the ansible data. Therefore the ansible-data is inserted. the Ansible Splunk app is empty... I miss a config where to set the index the app is looking into, the Event Collector-Box doesnt show the HEC.
I had a look into the Settings->Indexes and the Index is bound to app Ansibe_Splunk
Found something, didnt remember to see that in the documents in:
/opt/splunk/etc/apps/Ansible_Splunk/default/macros.conf there is a
definition = index=main
I changed the main to "myownindex" and it works