Open juju4 opened 1 year ago
I managed to split the index with multiple Splunk HEC and a matching index, as defined in /opt/splunk/etc/apps/search/local/inputs.conf and /opt/splunk/etc/apps/search/local/indexes.conf, but I believe this needs to be set outside of the role, as the hec variable seems to define only a single entry.
Thanks for the collection. I'm using it with the role splunk_standalone but have difficulties with how to set up a few things. Data is ingested from port 9997 and, for now, everything goes to the main index.
I would want to create different indexes like linux and windows and send the corresponding logs there. I think this would be through transforms as per https://docs.splunk.com/Documentation/Splunk/9.0.4/Forwarding/Routeandfilterdatad but this seems to be only valid for the heavy forwarder role. Or cluster master as per https://github.com/splunk/splunk-ansible/blob/develop/roles/splunk_cluster_master/tasks/configure_indexes.yml. In the role variables, I only found smartstore with an index array, but I believe it is different. I tried
From the above indexes, I want to set RBAC with an additional role like an analyst one with access to just the linux and windows indexes. Is it possible inside the collection? I have not seen any Splunk users or roles variables, just the system one associated with the splunk service.
It would be a nice example to add to the documentation, as this is a common setup IMHO.
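
The setup asked about above, written as plain Splunk configuration on the standalone indexer (an added example, not part of the original post and not the collection's own variables or templates). The host patterns `lnx-*` and `win-*`, the transform names and the `analyst` role name are assumptions; how these files get deployed through the Ansible role is not covered here.

```ini
# --- indexes.conf: the two target indexes ---
[linux]
homePath   = $SPLUNK_DB/linux/db
coldPath   = $SPLUNK_DB/linux/colddb
thawedPath = $SPLUNK_DB/linux/thaweddb

[windows]
homePath   = $SPLUNK_DB/windows/db
coldPath   = $SPLUNK_DB/windows/colddb
thawedPath = $SPLUNK_DB/windows/thaweddb

# --- props.conf: pick events by sending host (constructed naming scheme) ---
# Data arriving on 9997 from universal forwarders is parsed on the indexer,
# so these index-time transforms run there as well as on a heavy forwarder.
[host::lnx-*]
TRANSFORMS-route_index = route_to_linux

[host::win-*]
TRANSFORMS-route_index = route_to_windows

# --- transforms.conf: rewrite the destination index at parse time ---
[route_to_linux]
REGEX    = .
DEST_KEY = _MetaData:Index
FORMAT   = linux

[route_to_windows]
REGEX    = .
DEST_KEY = _MetaData:Index
FORMAT   = windows

# --- authorize.conf: analyst role limited to the two indexes ---
# No importRoles here on purpose: the stock "user" role ships with
# srchIndexesAllowed = *, and inherited index access is additive,
# which would undo the restriction below.
[role_analyst]
search             = enabled
srchIndexesAllowed = linux;windows
srchIndexesDefault = linux;windows
```

Routing applies only to events indexed after the change; data already written to main stays there. An `index = linux` setting in the forwarder's own inputs.conf stanza gives the same result without transforms when the forwarders are under your control.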