🤝 Show your support - give a ⭐️ if you liked the tool | Share on | Follow us on

This library is an abstraction for Splunk-related development, maintenance, or migration operations. It provides a single CLI or SDK to conveniently perform various operations such as managing a local development container, retrieving sample-data, building applications, comparing instances, managing knowledge objects and hopefully much more in the future.

When I work with Splunk, my working directory is usually in the same layout. I work with a mono-repository or a higher-level one with submodules, which contains several applications and configuration. This can look generalized like this:

<Development Repository>
├── apps                          # Folder where to store applications
│   └── Defender_TA_nxtp          # Generic custom Splunk app
├── dist                          # Place for built packages and reports
├── scripts
├── config                        # Settings and secrets
│   └── settings.yaml             # General purpose settings for this lib
│   └── .secrets.yaml             # API settings for connections and secrets
└── share                         # Custom splunkbase or builtin app content

We have all found our ways and methods to develop applications on an instance and to configure and operate that instance to meet our needs and/or those of our customers. But what is usually rather painful is when we then need them on other instances as well. A good example are test instances, which should be as close to production as possible. However, in the last few years that I have been dealing as a user with Splunk, some needs for simplified handling and automation have emerged that I would like to address here.

• Spin up a local development container:

  spl docker start

• Put my local application(s) there for testing purposes:

  spl docker upload --app="Defender*"

• Get sample data for Eventgen:

  spl --src="onprem"  samples --path="./apps/SA-Eventgen" download --name="WinDefender"

• (De)activate streaming of event data.

• Download apps from development container to local folder:

  spl docker download --app="Defender*"

• Run AppInspect, Packaging, etc.:

  spl apps --name="Defender_TA*" validate

• List various objects on an instance:

  spl manager --conn="onprem" users list

• Create or modify objects on an instance:

  spl manager --conn="onprem" roles update --name "investigator"

• Sync objects and their properties from one instance to another:

  spl --src="onprem" --dest="localhost" sync users --create --update

and probably much more, so pull requests are welcome!

You can download the package from the package feed via pip install spl-manager or install from source with poetry after cloning the repository.

Then you can issue your first command to get the help page:

python -m spl -h

or poetry run python -m spl -h. Anyhow it's recommended to set the alias spl="python -m spl for easier handling.

You have to create a config\.secrets.yaml file by using the config\template.secrets.yaml file, which contains the credentials for the Development Docker-Container and Splunkbase.

Please note that, when using the library as an SDK you need to pass the interactive=False flag to not run into issues because in interactive mode it asks for user inputs via CLI methods.

from spl import SplManager

spl = SplManager(interactive=False)

If you wish to get more information about any command within spl, you can pass the -h parameter.

• --interactive: Wether or not to run in interactive mode.
• --src: The name of the source connection provided in settings.
• --dest: The name of the destination connection provided in settings.

• connections provides you a list of connections available via configuration.

• docker helps you to manage the local splunk container instance.

• apps abstracts the handling of local application folders at a given --path and helps with validation, packaging, vetting, etc.

• samples are based on the configured queries for a --conn or --src and can download results and store them automatically at a --path to use for SA-Eventgen.

• manager acts as a direct ConnectionAdapter interface for the specified --conn parameter.

• sync will handle managers for --src and --dest connections, enabling you to compare, move and update between those instances.

• Splunk Python SDK
• Python Docker SDK (low-level API)
• Python Rich Outputs
• InquirerPy User Inputs
• Python Fire CLI
• DeepDiff
• Cerberus Schema Validation
• Splunk AppInspect
• Splunk Packaging Toolkit
• Splunk Eventgen

or send us some crypto: