March 8, 2019

Puppet and Splunk: Integrations to Improve Reporting Speed, Scale + Remediation

Ecosystems & Integrations
How to & Use Cases

Puppet and Splunk are two of the most powerful, important tools you can use to monitor and configure your systems and infrastructure. In this blog, we'll explain how Splunk and Puppet work together to give you a heads up about issues in your infrastructure and the tools you need to resolve them automatically.

Table of Contents

What is Puppet in Splunk?

Splunk is software that lets you monitor and analyze machine data to give you an idea of what's going on with your systems, and Puppet integrates with Splunk to take action on the information Splunk feeds you. Once Splunk has detected an issue, Bolt can gather even more contextual data you can use to tell Puppet to resolve that issue automatically.

Puppet and Splunk have long been complementary technologies in our users’ environments: you can use Puppet to deploy and manage Splunk, and Splunk can provide insights into your Puppet Infrastructure.

Puppet and Splunk: Better Insights for Faster Fixes

Puppet and Splunk work together to tell you what's happening with your infrastructure and give you the information you need to start fixing issues automatically. Together, they're an efficient way to manage your infrastructure, especially at scale with many applications to manage and administrate.

There are a few key ways Puppet and Splunk integrate to give you actionable information and automatic remediation capabilities:

The splunk_hec Module for Puppet

The first integration is the splunk_hecPuppet module which enables you to send Puppet agent run reports to Splunk and also submit data via Bolt Tasks in a Plan. That means that in Splunk, you can report on, set up alerts for, and aggregate all of the data generated from Puppet reports and Bolt Tasks, and the powerful Bolt Apply features.

The Puppet Report Viewer for Splunk

Now that you're sending this data into Splunk, what are you going to do with it? That's where the Puppet Report Viewer Add-on for Splunk steps in. It provides an overview of reports present in Splunk via a dashboard view. Regardless of what type of Puppet user you are (open source Puppet, Puppet Enterprise, or just getting started with Bolt), we've got you covered. Additionally, the dashboards are customizable, exportable and reusable, giving you added flexibility and insight into your data.

The Puppet Report Viewer also makes it easier to remediate quickly by enabling you to run Bolt Tasks. Puppet Bolt can help remediate without logging into servers. That means you can delegate to save time on manual processes and ticket passing, letting your team ideal with bigger problems instead of repetitive everyday tasks.

Related: Check out our podcast on Bolt: Uniting Models and Tasks

Examples of Puppet and Splunk In Action

In order to keep the report processing lightweight and scalable to hundreds of thousands of nodes, the splunk_hec report processor submits a summary of the Puppet report. The goal is to make a predictable amount of data submitted to Splunk regardless of how much your infrastructure is puppetized.

However, there are times when you may want more details. Examples include the possibility of a failed Puppet run, or for a Puppet Enterprise customer in a regulated environment, or a corrective change indicating a remediation event just occurred.

Here's a summary overview in Splunk:

Summary overview screenshot of a Puppet report in Splunk

And here's a Bolt overview in Splunk:

Screenshot of a Puppet Bolt summary report in Splunk

Sometimes you need more information. Here's where our new integrations come in handy.

Even More Context for Better Decision-Making

Included in the Puppet Report Viewer Add-on is the Detailed Puppet Report Generator actionable alert, which when given a Puppet summary report will be able to build a complete report history, including:

  • inventory information
  • log data, and
  • resource events associated with the original summary report

This feature is available for Puppet Enterprise users. Once the alert is configured, the detailed tab of the Puppet Report Viewer Add-on in Splunk will start populating with data gathered from those detailed reports. Here are examples of dashboards you can build around the data Puppet is submitting to Splunk:

Here's an example of a detailed Puppet Report Viewer overview from the Splunk dashboard:

Screenshot of a detailed overview of the Puppet Report Viewer from the Splunk dashboard

Here's an example of a detailed event in the Puppet Report Viewer Add-on in Splunk:

A screenshot of a detailed event report in the Puppet Report Viewer Add-on in Splunk



Learn More