Ever wished you had a central interface to interact with all aspects of Splunk architecture and administration? Let's be honest, running Splunk is all about finding an efficient and scalable way to manage all the .conf files and the other magic under the hood. At scale, that complexity costs you either speed or quality, unless you find a way to automate it.
That is precisely what we have done for years, and now it's time to share how you can do it too. Our solution enables full lifecycle management of Splunk using a Continuous Configuration Automation framework powered by Ansible.
Note
This is a free, read-only, open-source project: a fully working but limited and unsupported version based on the full enterprise solution, hence the low number of commits in this repo. For an overview of all improvements, check out the release notes. For enterprise use, we recommend our subscription service, which includes an expanded feature set, full end-user support and optional premium extensions that expand the framework's capabilities. For subscribing customers we also offer additional services, including strategic advisory, implementation and custom feature development projects.
- Table of Contents
- What is CCA for Splunk?
- Commercial version of CCA for Splunk?
- Features
- How to get started
The templates that we provide for configuring Splunk roles are the same ones we use in our own multisite cluster implementations. After you have configured your project, the control is in your hands when it comes to deciding your settings. Adding or modifying parameters has no impact on the framework; they live locally, under your control.
Playbooks are DRY (Don't Repeat Yourself), with almost no tasks of their own; instead they use common code in roles. A task therefore only needs to be updated in one place, which keeps code updates much cleaner and easier to review.
You can find a more in-depth Project Presentation as well as a Q&A section in the Wiki.
For a deep dive into the technology behind CCA for Splunk, please have a look at the Technical documentation.
The framework concept used in CCA for Splunk goes back several years and has proven to be absolutely critical in managing complex Splunk infrastructures with 100+ servers across several environments. 450+ tasks have been developed across 10 carefully designed Ansible roles. We continuously invest hundreds of development hours in every release, so that you get the scalability you should expect from an automation framework. Besides adding your servers to the Ansible inventory file, there are fewer than 25 parameters that you have to set per environment; after that, you are off on a very different Splunk journey.
This is the free open-source version of the automation framework, a trickle-down version of our premium option, but with all features needed to administer a Splunk environment of any size (see the feature table below for the limits on clusters per environment).
CCA for Splunk is designed to be a companion tool for Splunk administrators in any type of enterprise. As with any tool, it requires a lot of competence from the user to wield it effectively. For Splunk Enterprise or Splunk Cloud customers who want to start their automation journey with CCA for Splunk with support and additional enterprise functionality, we offer a complete package of both technology and supporting services in the CCA for Splunk Premium portfolio.
Visit our CCA for Splunk - Premium page and read more about who backs this project and what else you can do with CCA for Splunk.
Open Source and Premium:
Feature | Open Source | Premium | Premium Extension |
---|---|---|---|
Templates for Splunk validated Architectures | ✅ | ✅ | |
Server naming convention for all Splunk roles | ✅ | ✅ | |
Setup Wizard for environment creation | ✅ | ✅ | |
Automation Readiness helper | ✅ | ✅ | |
Management of All in one Servers | ✅ | ✅ | |
Management of Data Collection Nodes | ✅ | ✅ | |
Management of Deployment Servers | ✅ | ✅ | |
Management of Forwarders | ✅ | ✅ | |
Management of Hybrid Search Heads | ✅ | ✅ | |
Management of Index Clusters | ✅ | ✅ | |
Management of License Managers | ✅ | ✅ | |
Management of Monitoring Consoles | ✅ | ✅ | |
Management of Search Head Clusters | ✅ | ✅ | |
Management of Standalone Indexers | ✅ | ✅ | |
Management of Standalone Search Heads | ✅ | ✅ | |
Standard Data Onboarding | ✅ | ✅ | |
App deployment to all Splunk Roles | ✅ | ✅ | |
Rolling Splunk Enterprise Upgrade - Clusters | ✅ | ✅ | |
Upgrade Splunk Enterprise - Standalone servers | ✅ | ✅ | |
Configure Splunk to use self-signed Splunk certs | ✅ | ✅ | |
Deploy Manually created organization certs | ✅ | ✅ | |
Linux server configuration | ✅ | ✅ | |
Splunkd service creation with non-privileged user support | ✅ | ✅ | |
Setup of CCA Manager | ✅ | ✅ | |
Docker image with CCA for Splunk | ✅ | ✅ | |
Configure Splunk user profile | ✅ | ✅ | |
Number of supported environments | ♾️ | ♾️ | |
Number of supported Index Clusters per environment | 1️⃣ | 9️⃣ | |
Number of supported Search Head clusters per environment | 2️⃣ | 9️⃣ | |
Framework Support from Orange Cyberdefense | ➖ | ✅ | |
Password and Secrets update in Setup Wizard | ➖ | ✅ | |
Management of Forwarder Groups | ➖ | ✅ | |
Management of Deployment Server Groups | ➖ | ✅ | |
Advanced Data Onboarding | ➖ | ✅ | |
Advanced App deployment to Cluster Managers | ➖ | ✅ | |
Advanced App deployment to Deployment Servers | ➖ | ✅ | |
Advanced App deployment to Search Head Clusters | ➖ | ✅ | |
Support for Orange Cyberdefense Extensions | ➖ | ✅ | |
Version control of Splunk Infrastructure changes | ➖ | ✅ | |
Version control of Splunk Data Onboarding changes | ➖ | ✅ | |
Framework upgrade support | ➖ | ✅ | |
Framework Knowledge training | ➖ | ✅ | |
Data onboarding Knowledge training | ➖ | ✅ | |
Access to submit issues | ➖ | ✅ | |
Access to pre-releases | ➖ | ✅ | |
Access to development resources for custom demands | ➖ | ✅ | |
OS Disk setup and volume groups | ➖ | ✅ | |
Rolling OS upgrade with minimal disruption on Splunk ingest | ➖ | ✅ | |
Deployment of certificates retrieved by Certificate API service | ➖ | ✅ | |
Configuration of Splunk Enterprise Authentication | ➖ | ✅ | |
Cloud LCM for AWS | ➖ | ➖ | ✅ |
Cloud LCM for Azure | ➖ | ➖ | ✅ |
Splunk Cloud LCM | ➖ | ➖ | ✅ |
Solutions for IT Service Intelligence | ➖ | ➖ | ✅ |
Dev Ops LCM for Splunk Enterprise | ➖ | ➖ | ✅ |
Dev Ops LCM for Splunk ITSI | ➖ | ➖ | ✅ |
Dev Ops LCM for Splunk Cloud Platform | ➖ | ➖ | ✅ |
Dev Ops LCM for Github | ➖ | ➖ | ✅ |
1: Plan your architecture
- CCA for Splunk can deploy anything from standalone servers to multisite clusters, all controlled by the same automation framework. The open-source version supports 1 index cluster and 2 search head clusters per environment; the Premium version supports up to 9 of each. Proper planning is key to defining the type of architecture(s) that will be created, their environment, and their individual specifications and requirements.
2: Setup the CCA manager
- The CCA manager is the host that orchestrates and manages the automation and configuration deployment.
There are currently two ways to deploy the manager:
- Use the docker image for cca_for_splunk
- Set up the manager on a regular host and pull CCA for Splunk.
For more in-depth information, check this guide: Setup CCA Manager
3: Setup your environment
Watch the video showing the manager setup steps before you continue.
For more in-depth information, check this guide: Setup CCA Manager - Environment
4: Update ansible inventory and variables
For more in-depth information, check this guide: Setup CCA Manager - Ansible configuration
5: Validate your environment variables
Before you start using CCA after updating to a new release, run the playbook validate_cca_infrastructure_parameters.yml to verify that all files in your cca_splunk_infrastructure repo are up to date with the versions required by the CCA framework. The verification must run in check mode; see the command below.
To run an infrastructure playbook:

```shell
cd ~/data/main/cca_splunk_infrastructure
./cca_ctrl -c
```
6: Configure environment using CCA
If you have servers that are not yet set up for Splunk Enterprise, start by running the configure_linux_servers.yml playbook, which prepares each server with the users, services and settings needed to install Splunk Enterprise on it. See the README.md of the cca.core.linux role.
When the server configuration is complete, run the playbook that manages the architecture you want to set up.
If you are installing a multisite index and search head cluster, configure the index cluster first with the playbook manage_index_clusters.yml, and only then run the playbook manage_searchhead_cluster.yml.
7: Onboard data and apps
Now that your Splunk infrastructure is running smoothly, it's time to onboard data and apps. Follow the documentation at cca.splunk.onboarding. When the apps and configuration are complete, run one of the deploy_* playbooks to deploy your apps to the destination servers.
To run an onboarding playbook:

```shell
cd ~/data/main/cca_splunk_onboarding
./cca_ctrl -c
```
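The .conf files and templates you keep in the cca_splunk_infrastructure and cca_splunk_onboarding repos end up in version control, so it is worth guarding against plaintext secrets (cluster keys, SSL key passwords, LDAP bind passwords) sneaking into a commit. Below is an added example of such a check; it is not part of CCA for Splunk and is not how the framework itself handles secrets. It assumes Splunk's convention that encrypted values carry a $1$ (legacy) or $7$ prefix, and treats a Jinja reference such as {{ splunk_pass4symmkey }} as acceptable because Ansible resolves it from a variable at deploy time. The sample .conf content is constructed for the example.

```python
"""Flag plaintext secrets in Splunk .conf files before they are committed.

Added example for this README; not part of CCA for Splunk.
Assumptions: Splunk writes encrypted values with a "$1$" or "$7$" prefix,
and a Jinja reference like {{ splunk_pass4symmkey }} is acceptable because
Ansible resolves it at deploy time from a (vaulted) variable.
"""
import configparser
import re
import sys
from pathlib import Path

# Keys that carry secrets in common Splunk .conf files
# (server.conf, web.conf, authentication.conf, SSL stanzas). Extend as needed.
SECRET_KEYS = {"pass4symmkey", "sslpassword", "password", "binddnpassword"}
ENCRYPTED = re.compile(r"^\$[17]\$\S+$")   # Splunk-encrypted value
JINJA_REF = re.compile(r"^\{\{.*\}\}$")     # resolved by Ansible at deploy time


def is_plaintext(value: str) -> bool:
    """True if a secret value is neither Splunk-encrypted nor a template variable."""
    v = value.strip()
    if not v:
        return False  # empty value leaks nothing
    return not (ENCRYPTED.match(v) or JINJA_REF.match(v))


def find_plaintext_secrets(text: str, path: str = "<inline>") -> list:
    """Return (path, stanza, key) for every secret-bearing key with a plaintext value."""
    cp = configparser.ConfigParser(
        interpolation=None,   # keep "$7$..." literal; "$" is not interpolation here
        strict=False,         # Splunk conf files may repeat stanzas or keys
        allow_no_value=True,
        delimiters=("=",),    # Splunk uses "=" only; values may contain ":"
    )
    cp.optionxform = str      # preserve key case ("pass4SymmKey") for the report
    # In Splunk, keys before the first stanza belong to [default]; make that explicit.
    cp.read_string("[default]\n" + text)
    findings = []
    for stanza in cp.sections():
        for key, value in cp.items(stanza):
            if key.lower() in SECRET_KEYS and is_plaintext(value or ""):
                findings.append((path, stanza, key))
    return findings


def scan_tree(root) -> list:
    """Scan every *.conf under root, e.g. a cca_splunk_infrastructure checkout."""
    findings = []
    for conf in sorted(Path(root).rglob("*.conf")):
        findings.extend(find_plaintext_secrets(conf.read_text(errors="replace"), str(conf)))
    return findings


# Constructed sample: two plaintext secrets, one encrypted, one templated.
SAMPLE_CONF = """
[general]
serverName = idx1
pass4SymmKey = changeme-cluster-key

[sslConfig]
sslPassword = password
sslRootCAPath = /opt/splunk/etc/auth/cacert.pem

[clustering]
mode = peer
pass4SymmKey = $7$K2ZtZnZ5cXd2Zm9vYmFyYmF6
cluster_label = main

[shclustering]
pass4SymmKey = {{ splunk_shc_pass4symmkey }}
"""

if __name__ == "__main__":
    # Usage: python conf_secret_check.py [path-to-repo]; exit 1 if anything is found,
    # which makes it usable as a pre-commit hook. Without a path, the sample is checked.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    hits = scan_tree(target) if target else find_plaintext_secrets(SAMPLE_CONF, "sample.conf")
    for path, stanza, key in hits:
        print(f"{path}: plaintext secret in [{stanza}] {key}")
    sys.exit(1 if hits else 0)
```

On the constructed sample the check reports [general] pass4SymmKey and [sslConfig] sslPassword, and accepts the encrypted clustering key and the templated search head cluster key. Run it against the repo root as a pre-commit hook so a stray plaintext key fails the commit rather than landing in history.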
Note
Don't forget that we offer a service to set up and support CCA for you! Please check out our Premium offering: CCA for Splunk - Premium