All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Data not coming to ansible

lmjoin
Explorer
‎03-02-2019 09:37 AM

Hello,

No data on Ansible apps on splunk, i have done as below

1.Install this Ansible Monitoring & Diagnostics using the normal Splunk process
2.In Splunk add a HTTP Event Collector data input with a sourcetype of _json. Ensure to enable tokens and disable SSL
3.copy the splunk.py Ansible callback file, currently in the apps bin directory, into a directory within the root of your Ansible playbook called callback_plugins
4.Update your "ansible.cfg" with settings from the Splunk HTTP Event Collector data input as below
In ansible.cfg
at bottom
callback_whitelist = splunk

[callback_splunk]
url = http://35.200.188.84:8088/services/collector/event
authtoken = 2ecefa94-ffa5-4c81-af22-8e3eff29c612

0 Karma
Reply

dbagdanoff
Explorer
‎02-03-2020 11:22 AM

i had the same issue until i placed the callback_whitelist = splunk in the [defaults] section of anisible.cfg

0 Karma
Reply

tsaikumar009
Explorer
‎03-05-2019 06:52 AM

which index are you routing the events to from HEC. Did you verify if that index exists in the indexer?,which index are you routing the ansible events to from HEC, did you verify if that index has been created in the indexers?

0 Karma
Reply

mgbhm
New Member
‎05-15-2019 01:15 AM

Just on the same problem... see my Ansible-info in my own index, if I search it via "search and reporting" index="myownindex" I see the ansible data. Therefore the ansible-data is inserted. the Ansible Splunk app is empty... I miss a config where to set the index the app is looking into, the Event Collector-Box doesnt show the HEC.
I had a look into the Settings->Indexes and the Index is bound to app Ansibe_Splunk

0 Karma
Reply

mgbhm
New Member
‎05-15-2019 02:35 AM

ah!
Found something, didnt remember to see that in the documents in:
/opt/splunk/etc/apps/Ansible_Splunk/default/macros.conf there is a
[AnsibleData]
definition = index=main

I changed the main to "myownindex" and it works

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-02-2019 10:19 AM

What search are you using to look for the Ansible data?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

jbrocks
Communicator
‎03-04-2019 01:18 PM

Is the data only missing in the app or in general Splunk environment?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...