splunk.es.data_input_monitor – Manage Splunk Data Inputs of type Monitor
Note
This plugin is part of the splunk.es collection (version 1.0.2).
You might already have this collection installed if you are using the `ansible` package. It is not included in `ansible-core`. To check whether it is installed, run `ansible-galaxy collection list`.
To install it, use: `ansible-galaxy collection install splunk.es`.
To use it in a playbook, specify: `splunk.es.data_input_monitor`.
New in version 1.0.0 of splunk.es
Synopsis
- This module allows for addition or deletion of File and Directory Monitor Data Inputs in Splunk.
 
Parameters
| Parameter | Choices/Defaults | Comments |
|---|---|---|
| blacklist (string) | | Specify a regular expression for a file path. The file path that matches this regular expression is not indexed. |
| check_index (boolean) | | If set to True, the index value is checked to ensure that it is the name of a valid index. |
| check_path (boolean) | | If set to True, the name value is checked to ensure that it exists. |
| crc_salt (string) | | A string that modifies the file tracking identity for files in this input. The magic value `<SOURCE>` invokes special behavior (see admin documentation). |
| disabled (boolean) | | Indicates if input monitoring is disabled. |
| followTail (boolean) | | If set to True, files that are seen for the first time are read from the end. |
| host (string) | | The value to populate in the host field for events from this data input. |
| host_regex (string) | | Specify a regular expression for a file path. If the path for a file matches this regular expression, the captured value is used to populate the host field for events from this data input. The regular expression must have one capture group. |
| host_segment (integer) | | Use the specified slash-separated segment of the file path as the host field value. |
| ignore_older_than (string) | | Specify a time value. If the modification time of a file being monitored falls outside of this rolling time window, the file is no longer monitored. |
| index (string) | | The index in which events from this input should be stored. Defaults to default. |
| name (string / required) | | The file or directory path to monitor on the system. |
| recursive (boolean) | | Setting this to False prevents monitoring of any subdirectories encountered within this data input. |
| rename_source (string) | | The value to populate in the source field for events from this data input. The same source should not be used for multiple data inputs. |
| sourcetype (string) | | The value to populate in the sourcetype field for incoming events. |
| state (string / required) | | Add or remove a data source. |
| time_before_close (integer) | | When Splunk software reaches the end of a file that is being read, the file is kept open for a minimum of the number of seconds specified in this value. After this period has elapsed, the file is checked again for more data. |
| whitelist (string) | | Specify a regular expression for a file path. Only file paths that match this regular expression are indexed. |

Examples
```yaml
- name: Example adding data input monitor with splunk.es.data_input_monitor
  splunk.es.data_input_monitor:
    name: "/var/log/example.log"
    state: "present"
    recursive: True
```
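
A fuller set of tasks that combines several of the parameters from the table above, added here as an illustration and not taken from the module's own documentation. The index name `os_auth`, the regular expressions and the `7d` time window are assumptions chosen for the example, and connection settings for the Splunk host are assumed to be defined in inventory.

```yaml
# Added example (not from the splunk.es documentation).
# Hypothetical values: index "os_auth", the whitelist/blacklist patterns, "7d".
- name: Monitor authentication logs under /var/log in a dedicated index
  splunk.es.data_input_monitor:
    name: "/var/log"                     # directory path to monitor
    state: "present"
    recursive: false                     # do not monitor subdirectories
    whitelist: '(auth\.log|secure)$'     # only matching file paths are indexed
    blacklist: '\.(gz|bz2|zip)$'         # matching file paths are not indexed
    index: "os_auth"                     # hypothetical index name
    check_index: true                    # check that the index value names a valid index
    check_path: true                     # check that the monitored path exists
    sourcetype: "linux_secure"
    ignore_older_than: "7d"              # stop monitoring files outside this window
    disabled: false

# Removing an input uses the same required parameters with state "absent".
- name: Remove the single-file monitor from the example above
  splunk.es.data_input_monitor:
    name: "/var/log/example.log"
    state: "absent"
```

Setting `check_index` and `check_path` makes the module check both values when the input is created, which surfaces a mistyped index name or path during the playbook run.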
Authors
- Ansible Security Automation Team (@maxamillion) <https://github.com/ansible-security>
 
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
 https://docs.ansible.com/ansible/latest/collections/splunk/es/data_input_monitor_module.html