Forge logo
❮ Return to Configuration Management

Deploy Splunk Enterprise with connected infrastructure in minutes

by Puppet
Posted: November 20, 2019

Splunk Enterprise is one of the most powerful data platforms available but, like any good enterprise software, it can be complex to deploy and manage. Enter automation in the form of a Bolt Project for use with Bolt and Puppet Enterprise.

This guide will walk you through how to stand up a new Splunk deployment in minutes, but you can use the provided code to do so much more including connecting forwarders to your pre-existing Splunk deployment or integrate Splunk Enterprise with Puppet Enterprise.

1. Browse to splunk_qd in your terminal

In your CLI of choice, browse to the splunk_qd repository you’ve downloaded or cloned from GitHub.

2. Validate that Bolt is installed

Run bolt --version to validate that Bolt is installed successfully. This guide validated on version 1.37.0, but any recent version of Bolt should work with this guide.

3. Install Forge content

Run bolt puppetfile install and Bolt will install all the Forge content necessary to complete this guide into Boltdir/modules, referencing the Puppetfile in the Boltdir.

4. Start with an example Bolt inventory file

Next, we’ll tell Bolt which machines to work with using any number of inventory targets. If you already have infrastructure suitable for deploying Splunk, copy Boltdir/examples/inventory.yaml to Boltdir/inventory.yaml and continue to the next step.

Alternatively, if you’re a Terraform user, you’ll find an example .tf Plan and integrated Bolt inventory.yaml in Boltdir/examples/terraform. Copy Boltdir/examples/terraform/inventory.yaml to Boltdir/inventory.yaml and continue to the next step.

5. Open Boltdir/inventory.yaml in your editor of choice.

Bolt includes a variety of plugins for managing secrets like your authentication information as an alternative to specifying strings within inventory.yaml or providing them manually on the CLI. From prompts to Vault, explore secret plugins when you’re ready to separate inventory targets from their credentials.

Fill in authentication details relevant your infrastructure:

  1. Modify config.ssh.user to the correct login user for your hosts.
  2. Modify config.winrm.user to the correct login user for your hosts.
  3. Modify config.winrm.password to the correct login password for your hosts.
  4. Set the value of groups.name['search'].targets to the fully qualified domain name or IP address of the node you want to install Splunk Enterprise on.
  5. Find the nested targets parameter under groups.name[‘forwarder’].groups.name[‘linux_forwarders’] and modify the array of nodes so it contains the fully qualified domain name or IP addresses for the Linux nodes you wish to manage the Splunk Universal Forwarder on.
  6. Find the nested targets parameter under groups.name[‘forwarder’].groups.name[‘windows_forwarders’] and modify the array of nodes so it contains the fully qualified domain name or IP addresses for the Windows nodes you wish to manage the Splunk Universal Forwarder on.
  7. After you’ve made your configuration changes, write and close inventory.yaml.

6. Deploy Splunk Enterprise

Now you should be ready to run the following command:

bolt plan run splunk_qd mode=testdrive

After a couple of minutes, Bolt should have successfully deployed Splunk Enterprise, configured apps and add-ons, and connected other infrastructure to Splunk by deploying forwarders. Visit the FQDN of the machine you associated with the search group in step 9 on port 8000 to login with the stock default admin/changeme login.

7. Iterate to your heart’s delight

Well done! You’ve successfully automated the deployment of Splunk Enterprise in minutes. The Bolt Plan underpinning this guide supports SSL configurations with LetsEncrypt, password management, and other options for enterprise deployments. Have a look at the Plan documentation and play around with specifying different options using bolt plan run splunk_qd param=value.