Overview

Details

This app integrates Puppet Enterprise or Puppet open source with Splunk to:

* Send Puppet node inventory, node facts, report summaries and report details into Splunk from one or more Puppet primary servers.
* Automate taking action by triggering Bolt tasks from Actionable Alerts (Puppet Enterprise only, requires the Puppet Alert Actions add-on for Splunk).
* Maintain an audit log of Bolt actions that were run.
* Trend Puppet inventory and fact data over time.
* Power example dashboards and searches on Puppet data.
* Provide operational metrics and dashboards for your Puppet deployment.

Use cases:

* Share Puppet's rich, detailed inventory and change data with other teams for searches, dashboards and alerts.
* Trend data over time to track progress or detect issues.
* Make decisions faster by automatically triggering gathering the information you need to make a decision after Splunk has recognized an issue (Puppet Enterprise only).
* Resolve issues faster by automatically triggering remediations after Splunk has recognized an issue (Puppet Enterprise only).
* Monitor the health of your Puppet deployment.
* Log and audit what ad hoc actions were run.
* If you also need to deploy, configure and manage Splunk forwarders there is a Puppet module for that available here (https://forge.puppet.com/puppet/splunk).

Included are:

* Source types for Puppet summary reports, detailed reports, facts, PE orchestrator and activity events, as well as Puppet Bolt runs.
* Actionable Alert to generate Puppet Detailed Reports on demand.
* Example dashboards to see analysis options of the content provided in a report.

This app requires installing the Splunk HEC Report Processor (https://forge.puppet.com/puppetlabs/splunk_hec) on the Puppet Servers one wishes to collect data from.

Puppet Report Viewer

Description
Configuration
Advanced Configuration
Troubleshooting and Verification

Description

This Splunk app provides views into the status of Puppet installations that are configured to send reports and metrics with the splunk_hec and puppet_metrics_collector Puppet modules.

Configuration

Once the application has been installed follow the steps below to configure the Puppet Report Viewer:

Create an Splunk HEC token for the app:

Select Puppet Report Viewer from the App dropdown in the Splunk console.
Navigate to Settings > Data Input.
Add a new HTTP Event Collector token with a name of your choice.
Ensure indexer acknowledgement is not enabled.
Click Next and set the source type to Automatic.
Add the main index
Set the Default Index to main.
Click Review and then Submit.
When complete the HEC token should look something like this:

hec_token

After configuring both splunk_hec and the puppet_metrics_collector the Overview tab will start showing data from Puppet reports, while the Metrics tab will start displaying graphs related to a number of useful Puppet metrics.

Reports Overview

Metrics

Advanced Configuration

All dashboard views support using custom indexes for storing event data. The searches assume each sourcetype can be stored in it's own index. There is one top level macro (puppet_index) which defaults to "".

As such, you can specify different HEC tokens for Summary Reports, Facts, and Metrics in splunk_hec. If you configure multiple HEC tokens to utilize different indexes, change the index value in the dashboards to reflect this.

Example Configuration:

Create five indexes named puppet_data, puppet_summary_data, puppet_facts_data, puppet_metrics_data, and puppet_detailed_data.

Create five HEC tokens:

puppet_data with sourcetype of automatic and the index puppet_data.
puppet_summary with sourcetype of puppet:summary and the index puppet_summary_data.
puppet_facts with sourcetype of puppet:facts and the index of puppet_facts_data.
puppet_metrics with sourcetype of puppet:metrics and the index of puppet_metrics_data.
puppet_detailed with sourcetype of puppet:detailed and the index of puppet_detailed_data.

Configure the splunk_hec module with the following token parameters:

splunk_hec::token with the puppet_data token value.
splunk_hec::token_summary with the puppet_summary token value.
splunk_hec::token_facts with the puppet_facts token value.
splunk_hec::token_metrics with the puppet_metrics token value.

Update the search macros to use the new values:

Open Advanced Search under Settings > Knowledge.
Select Search Macros.
Select puppet_index and change the definition to index=puppet_data, click save.
Select puppet_summary_index and change the definition to index=puppet_summary_data, click save.
Select puppet_facts_index and change the definition to index=puppet_facts_data, click save.
Select puppet_metrics_index and change the definition to index=puppet_metrics_data, click save.
Select puppet_detailed_index and change the definition to index=puppet_detailed_data, click save.

Upon reloading the Overview tab in the Puppet Report Viewer app, and you should begin seeing data. Alternatively, perform the following search:

`puppet_all_index` sourcetype=puppet:*

Troubleshooting and Verification

If the Puppet Report Viewer does not appear to show any data after you have followed the configuration steps for both this app and the splunk_hec module; first check that data is being successfully sent to the Splunk server by following the troubleshooting and verification steps in the splunk_hec documentation.

If events in the puppet:detailed source type are not showing up in search, it means that the "Generate a Detailed Report" Alert is not configured properly with the Puppet Alert Actions add-on. If this Alert is enabled, and the aforementioned add-on is configured, you can view the logs with the following Splunk search:

index=_internal sourcetype=splunkd component=sendmodalert (action="puppet_run_task_investigate" OR action="puppet_run_task" OR action="puppet_run_task_act" OR action="puppet_generate_detailed_report")

There is also a view into the Alert Actions logs under the Actions tab which will show these searches as well.

If there are no error messages, verify that the configured HEC works can be used to submit a report manually:

$ curl -k -H "Authorization: Splunk <yourHECtoken>" https://localhost:8088/services/collector/event -d '{"sourcetype": "puppet:detailed", "event": "exampletest"}'

The endpoint will respond with either a success or an error message. Follow steps in the HTTP Event Collector documentation to resolve issues with the HEC endpoint.

If there are other error messages in the logs related to PE RBAC tokens from the Puppet side, run the following command to query the PuppetDB API:

curl -k 'https://<your.puppetdb.server>:8081/pdb/query/v4/nodes' -H "X-Authentication: <token contents>"

Release Notes

Version 4.0.0

June 22, 2022

Breaking Changes:

This release adds new dashboards that depend on the status indicator visualization.

New Features:

Changes to Metrics dropdowns for better filtering.
Changes to Metrics view to chart a number of metrics by host for comparison view.
New PE Metrics tab contains Metrics and Status Checks.
- Adds PE Status Check Dashboards
- Note: Requires the puppetlabs-pe_status_check module.

Fixes:

Removes conditional filtering for PostgreSQL metric dashboards preventing them from properly loading.

Version 3.1.2

Nov. 15, 2021

New Features:

New dashboard panels added to the metrics tab which track a number of useful metrics for PostgreSQL.

Fixes:

Reorganized the order of the navigation tabs in the app.

Version 3.1.1

Sept. 29, 2021

New Features:

puppet:activities_console, and puppet:activities_code_manager source types added.

Fixes:

In a distributed Splunk installation, it was previously required to have this add-on installed on both the Search Heads and the Indexers to ensure that the source types were available across the installation. Removing the AUTO_KV_JSON setting to allow for the default value (true); JSON parsing now occurs at search-time.

Version 3.1.0

Aug. 12, 2021

New Features:

This version replaces the default dashboards available in the Metrics tab with all new dashboards; measuring a number of useful metrics for Puppet Server, PuppetDB and Orchestrator.

Version 3.0.3

Jan. 20, 2021

3.0.3:
New Features:
- puppet:jobs, puppet:activities_rbac, and puppet:activities_classifier sourcetypes added.

Fixes:
- Some of the panels in the Overview dashboard still contain the "X" button in the upper right to close the pop-up panel when you click on the primary panel. Some of the other panels lost the X.

Changed the drilldown to set/unset the token that shows the drilldown panel on click. Effect of the change is that clicking on the panel with the drilldown hidden shows the drilldown. Clicking on the panel with the drilldown showing hides the drilldown.
Also removed the remaining "X" buttons.
Standardize some visual formatting - moved "units" to "captions" on the images to "hosts, seconds, etc" shows up underneath the reported numbers, rather than next to them, removed odd height settings.

Version 3.0.2

Dec. 10, 2020

New Features:
- puppet:events_summary and puppet:activity sourcetypes added.

Fixes:
- The searches that are used in the Overview tab to display resources under the "# of Resources" element and associated table used to display the number of reports. They have been corrected to display the number of resources.

Version 3.0.1

March 19, 2020

This is a Viewer only release Puppet Report Viewer, it does not contain any custom alert actions and upgrading to this will require also installing the new Puppet Alert Actions App.

2,426

Downloads

Share Subscribe

Version

Built by

Puppet, Inc.

Support

Developer Supported

Contact Developer Questions on Splunk Answers Flag as inappropriate