We are excited to announce the general availability of SaltStack Enterprise Splunk Add-On for Splunk Enterprise. The add-on is available on Splunkbase and requires SaltStack Enterprise (SSE) 6.3, which will be available later this week.
For many organizations, Splunk is the de facto standard IT monitoring solution. It's therefore not surprising that many SaltStack customers also use Splunk to gain single-pane-of-glass visibility into their infrastructure, including their SaltStack infrastructure.
In our previous enterprise release, SSE 6.2, we added the ability to forward event data from SaltStack Enterprise to Splunk. In the upcoming release of Enterprise 6.3, we are going a step further by announcing a technical alliance partnership with Splunk and releasing a new Splunk add-on!
How does it work?
Setting up the Splunk add-on for SaltStack Enterprise is easy. Search for the SaltStack Add-On in your Splunk Enterprise instance and click Install.
Once installed, configure the add-on to pull in data from SaltStack Enterprise. SaltStack Enterprise 6.3 ships with a new Prometheus-compatible metrics endpoint that reports over 25 unique SaltStack metrics, which can be imported directly into Splunk.
Now restart Splunk, and the SaltStack Enterprise add-on is ready for use!
What does it do?
Reporting and Analytics
The SaltStack Enterprise 6.3 Splunk add-on is designed to do two things. First, it provides insight into the health of the SaltStack infrastructure. This is something our customers ask for regularly.
As software vendors, we all want to get the shiny bits of the latest and greatest software into the hands of our customers. However, if you talk to ITOps teams, you quickly realize that the real challenge for any new piece of software lies in Day 2 operations. This is where the proverbial rubber hits the road. Operationalizing the software, maintaining it, and monitoring it for outages become extremely important. If things suddenly stop working (for example, scheduled jobs start failing or assets go offline), IT teams need to be alerted quickly so that they can react and prevent a broader outage.
The new add-on pulls all the relevant metrics exposed by SaltStack Enterprise into Splunk at a predetermined interval (usually every 30 seconds). Once the data is in, a Splunk user can create alerts and configure them to show up on the dashboard when certain threshold limits are met.
Response Automation with SaltStack Alert Action
Monitoring for outages or identifying abnormal activity within the infrastructure is great, but once those events have been identified, it's equally important to take decisive action to resolve them.
Second, the new add-on adds the ability to take automated actions based on specific Splunk events. Users can now save an alert in Splunk and use Splunk's “Add Action” capability to trigger an action against SSE.
For example, let’s assume one of the systems is making suspicious outbound requests, and you want to quarantine or shut it down. You can quickly accomplish that by configuring a SaltStack Alert Action in Splunk.
Thanks to this new add-on, Splunk users have access to all the power of SaltStack at their fingertips.
Once the alert action is configured to trigger on a certain event, any time that event occurs again in the future, Splunk Enterprise and SaltStack Enterprise will automatically kick into action to resolve the issue, completely hands-free. The possibilities of what ITOps teams can do with this functionality are endless.
In recent years, a new category of products related to Security Automation, Orchestration and Response (SOAR) has been taking hold, and this functionality allows SaltStack to play a role in that nascent category. Expect us to innovate in this space in the future and bring more intuitive playbook capabilities directly into SaltStack Enterprise, which can be leveraged from Splunk.
We are incredibly excited to have this functionality in the hands of our customers, and can’t wait to hear back from you.