Overview

Details

This app integrates Puppet Enterprise or Puppet open source with Splunk to:

* Send Puppet node inventory, node facts, report summaries and report details into Splunk from one or more Puppet masters.
* Automate taking action by triggering Bolt tasks from Actionable Alerts (Puppet Enterprise only, requires the Puppet Alert Actions Splunk app).
* Maintain an audit log of Bolt actions that were run.
* Trend Puppet inventory and fact data over time.
* Power example dashboards and searches on Puppet data.
* Provide operational metrics and dashboards for your Puppet deployment.

Use cases:

* Share Puppet's rich, detailed inventory and change data with other teams for searches, dashboards and alerts.
* Trend data over time to track progress or detect issues.
* Make decisions faster by automatically triggering gathering the information you need to make a decision after Splunk has recognized an issue (Puppet Enterprise only).
* Resolve issues faster by automatically triggering remediations after Splunk has recognized an issue (Puppet Enterprise only).
* Monitor the health of your Puppet deployment.
* Log and audit what ad hoc actions were run.
* If you also need to deploy, configure and manage Splunk forwarders there is a Puppet module for that available here (https://forge.puppet.com/puppet/splunk).

Included are:

* Source types for Puppet summary reports, detailed reports, facts, PE orchestrator and activity events, as well as Puppet Bolt runs.
* Actionable Alert to generate Puppet Detailed Reports on demand.
* Example dashboards to see analysis options of the content provided in a report.

This app requires installing the Splunk HEC Report Processor (https://forge.puppet.com/puppetlabs/splunk_hec) on the Puppet Servers one wishes to collect data from.

Puppet Report Viewer

Note: In order to use alert actions functionality, Please ensure you are running the latest version of the Report Viewer and have the Puppet Alert Actions add-on installed as well.

Description

This is a Splunk App that provides views into the status of the Puppet installation that is sending its reports to Splunk via the HEC. To use this viewer it has to be installed alongside the splunk_hec report processor provided in the Puppet Forge. The report processor sends data from Puppet to Splunk via the HTTP Event Collector.

The steps to get this app working are:

Install the Puppet Report Viewer app
Create atleast one HEC input (puppet:summary)
Install splunk_hec module in Puppet environment and configure with the HEC token and Splunk Server

Once configured, the overview page will start showing Puppet run report status, and information about changes over various windows of time. The views can be customized, updated, modified to suit your needs.

Reports Overview

For detailed report generation, a feature for Puppet Enterprise Users, there are additional steps one can perform that first require configuring the app with the appropriate credentials to talk to PuppetDB and to submit events to Splunk:

Create puppet:detailed HEC input
Create a Splunk user and role in the Puppet Enterprise console, with the permission to "View node data from PuppetDB" under the Nodes Type
Configure Puppet Enterprise to support long life authentication tokens
Generate an authentication token (example command) : curl -k -X POST -H 'Content-Type: application/json' -d '{"login": "splunk", "password": "password", "lifetime": "1y"}' https://localhost:4433/rbac-api/v1/auth/token
On the configuration page of the Puppet Alert Actions add-on provide the hostname of the PuppetDB server & auth token, along with the hostname of the Splunk instace running the HEC along with the puppet:detailed HEC token (this is important to use the puppet:detailed token and sourcetype, otherwise it is possible to create an alert action that continually calls itself)
With the Alert Actions add-on configured, perform a search for a specific event (such as a puppet run with a failed or changed status) sourcetype="puppet:summary"| spath status | search status=failed save it as an alert, and assign the action "Generate detailed report" from the action menu. No configuration of the action is needed.

Add-on Configuration Screen

Report Builder

Advanced Configuration

All report views support using custom indexes for storing event data. They accomplish this with a series of advanced search macros. The queries assume each sourcetype can be stored in it's own index (facts, summary reports, detailed reports, bolt events, action events, Puppet Enterprise metrics).

There is one top level macro, puppet_index which defaults to "", if you configure the HEC to use a different index and want all Puppet in that index, change that value here to be index=puppetindexname.

If you are using puppetlabs/splunk_hec version 0.5.0 or later, you can specify different HEC tokens for Summary Reports, Facts, and Metrics. Then create an index and an associated HEC token associated with those sourcetypes, and configure both the splunk_hec module in Puppet with those new values. Actions, Bolt Events, and Detailed Reports are all submitted via different tools and would need ot be changed according to use a different HEC token. Then the corresponding macro's updated to use those indexes.

For example, if you want most Puppet data to go to one index, but Facts, Metrics, and Detailed Reports to go to their own indexes, one would follow these steps:
- Create four indexes: puppet_data, puppet_facts_data, puppet_metrics_data, and puppet_detailed_data (or whatever name makes sense), each with their desired timespan, retention, etc.
- Create four HEC's (example names):
1. puppet with sourcetype of puppet:summary and the index puppet_data
2. puppet_facts with sourcetype of puppet:facts and the index of puppet_facts_data
3. puppet_metrics with sourcetype of puppet:metrics and the index of puppet_metrics_data
4. puppet_detailed with sourcetype of puppet:detailed and the index of puppet_detailed_data
- Configure the splunk_hec module with the corresponding tokens
1. splunk_hec::token with the value from the puppet HEC (since you want all Puppet using splunk_hec plugin to go here, except for facts and metrics)
2. splunk_hec::token_facts with the value from the puppet_facts HEC
3. splunk_hec::token_metrics with the value from the puppet_metrics HEC
- Update the Puppet Report Viewer's configuration to use the puppet_detailed HEC token, because detailed reports are pulled from Puppet and generated by the alert action in this application
- Update the advanced search macros to use the new values:
1. Open Advanced Search under the Settings -> Knowledge menu
2. Select Search Macros
3. Select puppet_index and change the definition to index=puppet_data, click save
4. Select puppet_facts_index and change the definition to index=puppet_facts_data, click save
5. Select puppet_metrics_index and change the definition to index=puppet_metrics_data, click save
6. Select puppet_detailed_index and change the definition to index=puppet_detailed_data, click save
- Reload the main view of the Puppet Report Viewer app, and you should see data, or perform the following search:

`puppet_all_index` sourcetype=puppet:*

More information

This app will be updated frequently with more dashboards and views to data as feedback is gathered. Contact Puppet via the developer link and watch the Puppet Community Office Hours calendar for future Splunk related events in our community Slack.

Release Notes

Version 3.1.2

Nov. 15, 2021

New Features:

New dashboard panels added to the metrics tab which track a number of useful metrics for PostgreSQL.

Fixes:

Reorganized the order of the navigation tabs in the app.

Version 3.1.1

Sept. 29, 2021

New Features:

puppet:activities_console, and puppet:activities_code_manager source types added.

Fixes:

In a distributed Splunk installation, it was previously required to have this add-on installed on both the Search Heads and the Indexers to ensure that the source types were available across the installation. Removing the AUTO_KV_JSON setting to allow for the default value (true); JSON parsing now occurs at search-time.

Version 3.1.0

Aug. 12, 2021

New Features:

This version replaces the default dashboards available in the Metrics tab with all new dashboards; measuring a number of useful metrics for Puppet Server, PuppetDB and Orchestrator.

Version 3.0.3

Jan. 20, 2021

3.0.3:
New Features:
- puppet:jobs, puppet:activities_rbac, and puppet:activities_classifier sourcetypes added.

Fixes:
- Some of the panels in the Overview dashboard still contain the "X" button in the upper right to close the pop-up panel when you click on the primary panel. Some of the other panels lost the X.

Changed the drilldown to set/unset the token that shows the drilldown panel on click. Effect of the change is that clicking on the panel with the drilldown hidden shows the drilldown. Clicking on the panel with the drilldown showing hides the drilldown.
Also removed the remaining "X" buttons.
Standardize some visual formatting - moved "units" to "captions" on the images to "hosts, seconds, etc" shows up underneath the reported numbers, rather than next to them, removed odd height settings.

Version 3.0.2

Dec. 10, 2020

New Features:
- puppet:events_summary and puppet:activity sourcetypes added.

Fixes:
- The searches that are used in the Overview tab to display resources under the "# of Resources" element and associated table used to display the number of reports. They have been corrected to display the number of resources.

Version 3.0.1

March 19, 2020

This is a Viewer only release Puppet Report Viewer, it does not contain any custom alert actions and upgrading to this will require also installing the new Puppet Alert Actions App.

2,141

Downloads

Share Subscribe

Version

Built by

Puppet, Inc.

Support

Developer Supported

Contact Developer Questions on Splunk Answers Flag as inappropriate

Compatibility

This version of the app (3.1.0) is not available for Splunk Cloud. However, version 3.0.3 of this app is available for Splunk Cloud.

Products: Splunk Enterprise, Splunk Cloud

Products: Splunk Enterprise

Products: Splunk Enterprise, Splunk Cloud

Splunk Versions: 8.1, 8.2