splunk-pickaxe 2.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 8bf76e38f6793776895f41afc8c1e345c1e0e3fe
+  data.tar.gz: b85f42c837a2d3deb8dee1c2db57406675389409
+SHA512:
+  metadata.gz: a309da7903abab3668482669ac16e332670fabc9aaa62a0ba5da0e529f51918c4eda4e2aaab5399063728178513dd38a835170969b7bf2380237d4711dd69684
+  data.tar.gz: e29feda288ce0bfc6a77b60b51cd779f09fcb9d217a3119be8a2790488c1219037a28398186eb560b1a739a406f7eb81a423740b99a0800ddd210011b1eb5f3d

data/Gemfile

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+gemspec
+
+group :test do
+  gem 'bundler', '~> 1.14'
+  gem 'rake', '~> 12.0'
+  gem 'rspec', '~> 3.5'
+end

data/README.md

@@ -0,0 +1,220 @@
+Splunk-Pickaxe
+==============
+
+A tool for syncing your repo of Splunk objects with a Splunk instance(s).
+
+This provides a development workflow for Splunk components (i.e. dashboards,
+alerts, reports, etc) and an easy way to apply them consistently.
+
+Getting Started
+---------------
+
+Install the gem,
+
+    gem install splunk-pickaxe
+
+Create your repo,
+
+    mkdir my-splunk-repo
+    cd my-splunk-repo
+    pickaxe init
+
+Update the `.pickaxe.yml` file with your app name from Splunk. This should
+be the name from the URL when you visit your Splunk app. (i.e. if your url is
+`https://my-splunk.com/en-US/app/my_splunk_app/search` my app is `my_splunk_app`).
+
+You also need to add your Splunk environment(s). So your `.pickaxe.yml` should
+look like this,
+
+```yaml
+namespace:
+  # The application in which to create the Splunk knowledge objects
+  app: MY_SPLUNK_APP
+
+environments:
+  ENVIRONMENT_NAME: SPLUNK_API_URL (i.e. https://search-head.my-splunk.com:8089)
+```
+
+Add some Splunk objects. See [example repo](example-repo) or below for format.
+
+Sync your repo with Splunk,
+
+    pickaxe sync ENVIRONMENT_NAME
+
+Where `ENVIRONMENT_NAME` is the name of one of the environments configured in
+your `.pickaxe.yml`. These map to different Splunk instances.
+
+By default this command assumes the user running the command has a Splunk account
+and access to make these changes in the configured Splunk application. Your
+password will be requested when run. Alternatively you can make use of the
+options `--user` and `--password`.
+
+Splunk Objects
+--------------
+
+Currently the following objects are supported,
+
+ * [alerts](http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#saved.2Fsearches)
+ * [dashboards](http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTknowledge#data.2Fui.2Fviews.2F.7Bname.7D)
+ * [eventtypes](http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTknowledge#saved.2Feventtypes)
+ * [reports](http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#saved.2Fsearches)
+ * [tags](http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTknowledge#search.2Ftags.2F.7Btag_name.7D)
+ * [field_extractions](http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTknowledge#data.2Fprops.2Fextractions)
+
+### Alerts
+
+To add a new alert to the repo simply create a new `ALERT.yml` file under `alerts`.
+This YAML file should contain the following at minimum,
+
+```yaml
+name: ALERT NAME
+config:
+  # Search query of events used to trigger alert
+  search: >
+    MY SEARCH
+```
+
+It will be populated with the alert defaults which includes,
+
+ * Running hourly
+ * Emailing everyone listed in your `.pickaxe.yml`
+ * Alerting if the search results in any events
+
+You can override these defaults or any other property by specifying the property
+under the `config` section. [This doc](http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D)
+contains all the properties for an alert.
+
+#### Common Overrides
+
+ * To tweak the schedule set `cron_schedule` in the `config` section. By default its setup to run every hour. This should be a cron value (i.e. `0 10 * * 1` or run every Monday at 10am)
+ * To tweak the length of the search or how far back the set `dispatch.earliest_time` in the `config` section. By default this is setup to search over the last hour. You could change this to `-7d@h` to search the last 7 days
+
+### Dashboards
+
+To add a new dashboard create a new `DASHBOARD.xml` file under `dashboards`.
+The name of the file should be the name of the dashboard. If the file is
+`my_dashboard.xml`, this means the name is `my_dashboard`.
+
+The file should contain the XML source of your dashboard. You can get this
+by selecting your dashboard in Splunk, then Edit -> Edit Source. Copy the XML
+and paste it into the file.
+
+### Eventtypes
+
+To add a new eventtype create a new `eventtype.yml` file under `eventtypes`.
+The name of the file should be the name of the eventtype. If the file is
+`my_eventtype.yml`, this means the name is `my_eventtype`.
+
+```yaml
+name: EVENTTYPE NAME
+config:
+  disabled: <1|0> Set to 1 to disable
+  search: index=my_index more search things
+  priority: <1-10> 1 is highest priority and 10 is lowest
+  tags: <string> Enter a comma-separated list of tags
+  ...
+```
+
+### Reports
+
+To add a new report to the repo simply create a new `REPORT.yml` file under `reports`.
+This YAML file should contain the following at minimum,
+
+```yaml
+name: REPORT NAME
+config:
+  # Search query of events in the report
+  search: >
+    MY SEARCH
+```
+
+It will be populated with the alert defaults which includes,
+
+ * Running hourly
+ * Emailing everyone listed in your `.pickaxe.yml`
+
+You can override these defaults or any other property by specifying the property
+under the `config` section. [This doc](http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D)
+contains all the properties for an report.
+
+#### Common Overrides
+
+ * To tweak the schedule set `cron_schedule` in the `config` section. By default its setup to run every hour. This should be a cron value (i.e. `0 10 * * 1` or run every Monday at 10am)
+ * To tweak the length of the search or how far back the set `dispatch.earliest_time` in the `config` section. By default this is setup to search over the last hour. You could change this to `-7d@h` to search the last 7 days
+
+### Tags
+
+To add a new tag to the repo simply create a new `TAG.yml` file under `tags`.
+This YAML file should contain the following at minimum,
+
+```yaml
+name: TAG
+fields:
+  - source::/some/file
+  - sourcetype::my_type
+  ...
+```
+
+The important config here is the `fields` key which contains the array of fields
+you want in your tag. The value should be of the form `FIELD::VALUE` where `FIELD`
+can be things like `source`, `sourcetype`, `eventtype` or any other Splunk field.
+
+### Field Extractions
+
+To add a new field extraction to the repo simply create a new `field_extraction.yml`
+file under `field_extractions`. This YAML file should contain the following,
+
+```yaml
+name: my field extraction
+config:
+  # The props.conf stanza to which this field extraction applies, e.g. the
+  # sourcetype or source that triggers this field extraction
+  stanza: See Comment Above
+  # If using EXTRACT type this is the regular expression
+  # If using REPORT type specify a comma- or space-delimited list of transforms.conf
+  # stanza names that define the field transformations to apply.
+  value: See Comment Above
+  # Use EXTRACT for inline regular expressions. Use REPORT for a transforms.conf stanza
+  type: EXTRACT (or) REPORT
+```
+
+### Generic Configuration
+
+Most Splunk objects offer the following additional configuration,
+
+ * `envs`: The list of environments the object should be deployed to
+
+```yaml
+name: MY_OBJECT_NAME
+envs:
+  # Only deploy to dev environment
+  - dev
+```
+
+By default if `envs` is not provided the object will be imported to all
+environments.
+
+Config
+------
+
+The `.pickaxe.yml` file contains the config for your Splunk resources. You can add,
+
+* `environments` : A hash of environment names (key) to Splunk url
+* `namespace`:
+    * `app`: The name of your Splunk application to deploy objects to
+    * `sharing`: The sharing settings for the Splunk resources (default=`app`)
+* `emails`: An array of emails used for all reports and alerts (default=`[]`)
+
+Contributing
+------------
+
+See [CONTRIBUTING.md](CONTRIBUTING.md)
+
+LICENSE
+-------
+
+Copyright 2015 Cerner Innovation, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
+
+[http://www.apache.org/licenses/LICENSE-2.0](http://www.apache.org/licenses/LICENSE-2.0) Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

data/Rakefile

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:test) do |t|
+  t.rspec_opts = '--format documentation'
+end

data/bin/pickaxe

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'splunk/pickaxe/cli'
+
+Splunk::Pickaxe::CLI.start ARGV

data/lib/splunk/pickaxe.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+require 'splunk-sdk-ruby'
+require 'uri'
+require 'splunk/pickaxe/config'
+require 'splunk/pickaxe/client'
+
+module Splunk
+  module Pickaxe
+    def self.configure(environment, username, password, execution_path = Dir.getwd)
+      config = Config.load execution_path
+
+      raise "Unknown environment [#{environment}]. Expected #{config.environments.keys}" unless config.environments.key?(environment)
+
+      uri = URI(config.environments[environment])
+
+      puts "Connecting to splunk [#{uri}]"
+      service = Splunk.connect(
+        scheme: uri.scheme.to_sym,
+        host: uri.host,
+        port: uri.port,
+        username: username,
+        password: password,
+        namespace: config.namespace
+      )
+
+      Client.new service, environment.downcase, config
+    end
+  end
+end

data/lib/splunk/pickaxe/cli.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+require 'thor'
+require 'etc'
+require 'splunk/pickaxe'
+require 'highline'
+
+module Splunk
+  module Pickaxe
+    class CLI < Thor
+      desc 'init', 'initializes your splunk repo'
+      def init
+        puts 'Creating Splunk Object directories...'
+        [
+          Alerts::DIR,
+          Dashboards::DIR,
+          EventTypes::DIR,
+          Reports::DIR,
+          Tags::DIR,
+          FieldExtractions::DIR
+        ].each do |dir|
+          Dir.mkdir dir unless Dir.exist? dir
+        end
+
+        puts 'Writing Gemfile ...'
+        File.open('Gemfile', 'w') do |f|
+          f.puts 'source "https://rubygems.org"'
+          f.puts
+          f.puts 'gem "splunk-pickaxe"'
+        end
+
+        puts 'Writing .pickaxe.yml ...'
+        File.open('.pickaxe.yml', 'w') do |f|
+          f.puts 'namespace:'
+          f.puts '  app: TODO'
+          f.puts 'environments:'
+          f.puts '  MY_ENV: SPLUNK_API_URL'
+          f.puts 'emails:'
+          f.puts '  - my.email@domain.com'
+        end
+      end
+
+      desc 'sync ENVIRONMENT', 'sync your splunk repo to the given environment'
+      option :user, type: :string, desc: 'The user to login to splunk with. If this is not provide it will use the current user'
+      option :password, type: :string, desc: 'The password to login to splunk with. If this is not provided it will ask for a password'
+      option :repo_path, type: :string, desc: 'The path to the repo. If this is not specified it is assumed you are executing from within the repo'
+      def sync(environment)
+        cli = HighLine.new
+
+        user = options[:user] || Etc.getlogin
+        password = options[:password] || cli.ask('Password: ') { |o| o.echo = '*' }
+        execution_path = options[:repo_path] || Dir.getwd
+
+        pickaxe = Pickaxe.configure environment, user, password, execution_path
+        pickaxe.sync_all
+      end
+    end
+  end
+end

data/lib/splunk/pickaxe/client.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require 'splunk/pickaxe/objects/alerts'
+require 'splunk/pickaxe/objects/dashboards'
+require 'splunk/pickaxe/objects/eventtypes'
+require 'splunk/pickaxe/objects/reports'
+require 'splunk/pickaxe/objects/tags'
+require 'splunk/pickaxe/objects/field_extractions'
+
+module Splunk
+  module Pickaxe
+    class Client
+      attr_reader :service, :alerts, :dashboards, :eventypes, :reports, :tags, :field_extractions
+
+      def initialize(service, environment, config)
+        @service = service
+
+        @alerts = Alerts.new service, environment, config
+        @dashboards = Dashboards.new service, environment, config
+        @eventtypes = EventTypes.new service, environment, config
+        @reports = Reports.new service, environment, config
+        @tags = Tags.new service, environment, config
+        @field_extractions = FieldExtractions.new service, environment, config
+      end
+
+      def sync_all
+        @alerts.sync
+        @dashboards.sync
+        @eventtypes.sync
+        @reports.sync
+        @tags.sync
+        @field_extractions.sync
+      end
+    end
+  end
+end

data/lib/splunk/pickaxe/config.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+require 'yaml'
+
+module Splunk
+  module Pickaxe
+    class Config
+      CONFIG_FILE ||= '.pickaxe.yml'
+
+      DEFAULTS ||= {
+        'namespace' => {
+          'sharing' => 'app'
+        },
+        'environments' => {
+        },
+        'emails' => []
+      }.freeze
+
+      def self.load(execution_path)
+        config_path = File.join(execution_path, CONFIG_FILE)
+        raise "Unable to load config file [#{config_path}]" unless File.exist? config_path
+
+        # Merges DEFAULTS with yaml config
+        Config.new deep_merge(DEFAULTS, YAML.load_file(config_path)), execution_path
+      end
+
+      attr_reader :config, :namespace, :environments, :execution_path
+
+      def initialize(config, execution_path)
+        unless config['namespace'].key? 'app'
+          raise "Config must have a 'namespace / app' config"
+        end
+
+        raise "Must have at least one environment" unless config['environments'].size > 0
+
+        @config = config
+        @execution_path = execution_path
+
+        @environments = config['environments']
+
+        # Convert namespace config hash to hash with symbols for keys
+        namespace_config = config['namespace'].each_with_object({}) { |(k, v), memo| memo[k.to_sym] = v; }
+        @namespace = Splunk.namespace(namespace_config)
+      end
+
+      private
+
+      # Simple deep merge of two hashes
+      def self.deep_merge hash1, hash2
+        copy = Hash[hash1]
+
+        hash2.each do |key, value|
+          if value.kind_of?(Hash) && hash1[key].kind_of?(Hash)
+            copy[key] = deep_merge(hash1[key], value)
+          else
+            copy[key] = value
+          end
+        end
+
+        copy
+      end
+
+    end
+  end
+end

data/lib/splunk/pickaxe/objects.rb

@@ -0,0 +1,125 @@
+# frozen_string_literal: true
+
+require 'splunk-sdk-ruby'
+require 'yaml'
+
+# Base class for syncing splunk objects (dashboards, alerts, etc...)
+module Splunk
+  module Pickaxe
+    class Objects
+      attr_reader :service, :environment, :pickaxe_config
+
+      def initialize(service, environment, pickaxe_config)
+        @service = service
+        @environment = environment
+        @pickaxe_config = pickaxe_config
+      end
+
+      def sync
+        puts "Syncing all #{entity_dir.capitalize}"
+
+        dir = File.join(pickaxe_config.execution_path, entity_dir)
+
+        unless Dir.exist? dir
+          puts "The directory #{dir} does not exist. Not syncing #{entity_dir.capitalize}"
+          return
+        end
+
+        Dir.entries(dir).each do |entity_file|
+          entity_path = File.join(dir, entity_file)
+
+          next unless File.file?(entity_path) && entity_file_extensions.any? { |ext| entity_path.end_with?(ext) }
+
+          entity = config(entity_path)
+          entity_name = name(entity)
+
+          puts "- #{entity_name}"
+
+          # Check if we should skip this entity
+          if skip? entity
+            puts '  Skipping'
+            next
+          end
+
+          splunk_entity = find entity
+
+          if splunk_entity.nil?
+            # Entity does not exist create it
+            puts '  Creating ...'
+            create entity
+            puts '  Created!'
+          else
+            # Entity exists check if it needs an update
+            if needs_update? splunk_entity, entity
+              puts '  Updating ...'
+              update splunk_entity, entity
+              puts '  Updated!'
+            else
+              puts '  Up to date!'
+            end
+          end
+        end
+      end
+
+      def config(file_path)
+        YAML.load_file file_path
+      end
+
+      def create(entity)
+        entity_collection = Splunk::Collection.new service, splunk_resource
+        entity_collection.create(name(entity), splunk_config(entity))
+      end
+
+      def update(splunk_entity, entity)
+        splunk_entity.update(splunk_config(entity))
+      end
+
+      def find(entity)
+        # Either return the entity or nil if it doesn't exist
+
+        Splunk::Entity.new service, service.namespace, splunk_resource, name(entity)
+      rescue Splunk::SplunkHTTPError => e
+        if e.code == 404
+          nil
+        else
+          raise e
+        end
+      end
+
+      def needs_update?(splunk_entity, entity)
+        splunk_config(entity).each do |k, v|
+          return true if splunk_entity[k] != v
+        end
+
+        false
+      end
+
+      def skip?(entity)
+        return false unless entity.key?('envs')
+        !entity['envs'].include?(environment)
+      end
+
+      def name(entity)
+        entity['name']
+      end
+
+      def splunk_config(entity)
+        entity['config']
+      end
+
+      def entity_file_extensions
+        ['.yml', '.yaml']
+      end
+
+      def splunk_resource
+        # Must be implemented by child class
+        nil
+      end
+
+      def entity_dir
+        # Must be implemented by child class
+        nil
+      end
+    end
+  end
+end

data/lib/splunk/pickaxe/objects/alerts.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+require 'yaml'
+require 'splunk/pickaxe/objects'
+
+module Splunk
+  module Pickaxe
+    class Alerts < Objects
+      DIR ||= 'alerts'
+
+      def splunk_resource
+        %w[saved searches]
+      end
+
+      def entity_dir
+        DIR
+      end
+
+      def name(entity)
+        # The alert name contains the environment name
+        "#{entity['name']} [#{environment.capitalize}]"
+      end
+
+      def splunk_config(entity_yaml)
+        # Include default values
+        config = alert_defaults
+
+        # Override defaults with any config provided in yaml
+        config.merge! entity_yaml['config']
+
+        config
+      end
+
+      def alert_defaults
+        {
+          # Who to email
+          'action.email.to' => pickaxe_config.config['emails'].join(','),
+
+          # How often to run alert (every hour)
+          'cron_schedule' => '0 * * * *',
+          'is_scheduled' => '1',
+
+          # Email subject
+          'action.email.subject' => 'Splunk Alert: $name$',
+          'action.email.subject.alert' => 'Splunk Alert: $name$',
+
+          # Email result formatting (inline results, table format, include alert link)
+          'action.email.format' => 'table',
+          'action.email.inline' => '1',
+          'action.email.include.view_link' => '1',
+
+          # Is an email alert
+          'actions' => 'email',
+          'action.email.sendresults' => '1',
+
+          # Alert severity (High)
+          'alert.severity' => '4',
+
+          # When to trigger alert
+          'alert_type' => 'number of events',
+          'alert_comparator' => 'greater than',
+          'alert_threshold' => '0',
+
+          # The time bounds for alert search
+          'dispatch.earliest_time' => '-1h',
+          'dispatch.latest_time' => 'now',
+
+          # Track alerts
+          'alert.track' => '1',
+
+          # Don't supress any alerts
+          'alert.suppress' => '0'
+        }
+      end
+    end
+  end
+end

data/lib/splunk/pickaxe/objects/dashboards.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require 'splunk/pickaxe/objects'
+
+module Splunk
+  module Pickaxe
+    class Dashboards < Objects
+      DIR ||= 'dashboards'
+
+      def splunk_resource
+        %w[data ui views]
+      end
+
+      def entity_dir
+        DIR
+      end
+
+      def config(file_path)
+        # Dashboards don't have many properties just name and source XML
+        {
+          'name' => File.basename(file_path, '.xml'),
+          'config' => {
+            'eai:data' => IO.read(file_path)
+          }
+        }
+      end
+
+      def entity_file_extensions
+        ['.xml']
+      end
+    end
+  end
+end

data/lib/splunk/pickaxe/objects/eventtypes.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require 'yaml'
+require 'splunk/pickaxe/objects'
+
+module Splunk
+  module Pickaxe
+    class EventTypes < Objects
+      DIR ||= 'eventtypes'
+
+      def splunk_resource
+        %w[saved eventtypes]
+      end
+
+      def entity_dir
+        DIR
+      end
+    end
+  end
+end

data/lib/splunk/pickaxe/objects/field_extractions.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require 'splunk/pickaxe/objects'
+
+module Splunk
+  module Pickaxe
+    class FieldExtractions < Objects
+      DIR ||= 'field_extractions'
+
+      def splunk_resource
+        %w[data props extractions]
+      end
+
+      def entity_dir
+        DIR
+      end
+
+      def find(entity)
+        # Splunk does some fun things by re-naming our field extraction to include
+        # the stanza and type in the name when its created so do that here by
+        # cloning the entity and editing its name before passing it to find
+        find_entity = Hash.new(entity)
+        find_entity['name'] = "#{entity['config']['stanza']} : #{entity['config']['type']}-#{entity['name']}"
+        super(find_entity)
+      end
+
+      def update(splunk_entity, entity)
+        # When updating splunk only wants the value field
+        splunk_entity.update('value' => splunk_config(entity)['value'])
+      end
+
+      def needs_update?(splunk_entity, entity)
+        # When updating splunk only cares about this field
+        splunk_entity['value'] != splunk_config(entity)['value']
+      end
+    end
+  end
+end

data/lib/splunk/pickaxe/objects/reports.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+require 'yaml'
+require 'splunk/pickaxe/objects'
+
+module Splunk
+  module Pickaxe
+    class Reports < Objects
+      DIR ||= 'reports'
+
+      def splunk_resource
+        %w[saved searches]
+      end
+
+      def entity_dir
+        DIR
+      end
+
+      def name(entity)
+        # The report name contains the environment name
+        "#{entity['name']} [#{environment.capitalize}]"
+      end
+
+      def splunk_config(entity_yaml)
+        # Include default values
+        config = report_defaults
+
+        # Override defaults with any config provided in yaml
+        config.merge! entity_yaml['config']
+
+        config
+      end
+
+      def report_defaults
+        {
+          # Who to email
+          'action.email.to' => pickaxe_config.config['emails'].join(','),
+
+          # How often to run alert (every hour)
+          'cron_schedule' => '0 * * * *',
+          'is_scheduled' => '1',
+
+          # Email subject
+          'action.email.subject' => 'Splunk Report: $name$',
+          'action.email.subject.alert' => 'Splunk Report: $name$',
+
+          # Email result formatting (inline results, table format, include alert link)
+          'action.email.format' => 'table',
+          'action.email.inline' => '1',
+          'action.email.include.view_link' => '1',
+
+          # Send an email
+          'actions' => 'email',
+          'action.email.sendresults' => '1',
+
+          # This is a report so always send it
+          'alert_type' => 'always',
+
+          # The time bounds for alert search (1 hour)
+          'dispatch.earliest_time' => '-1h',
+          'dispatch.latest_time' => 'now'
+        }
+      end
+    end
+  end
+end

data/lib/splunk/pickaxe/objects/tags.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+require 'yaml'
+require 'splunk/pickaxe/objects'
+
+module Splunk
+  module Pickaxe
+    class Tags < Objects
+      DIR ||= 'tags'
+
+      def splunk_resource
+        %w[search tags]
+      end
+
+      def entity_dir
+        DIR
+      end
+
+      # Tags do not follow the typical conventions that other splunk resources do
+      # so we have to change the find/create/update methods
+      def find(entity)
+        # Either return the entity or nil if it doesn't exist
+
+        response = service.request(method: :GET, resource: splunk_resource + [name(entity)])
+        # Parse out fields
+        atom_feed = Splunk::AtomFeed.new(response.body)
+        atom_feed.entries.map { |e| e['title'] }
+      rescue Splunk::SplunkHTTPError => e
+        if e.code == 404
+          nil
+        else
+          raise e
+        end
+      end
+
+      def create(entity)
+        # Create and update are the same thing. Pass in no known fields
+        update [], entity
+      end
+
+      def update(splunk_entity, entity)
+        # what we want - whats there = what we need to create/update
+        (splunk_config(entity) - splunk_entity).each do |field|
+          response = service.request(method: :POST, resource: splunk_resource + [name(entity)], body: { add: field })
+          raise "Failed to add field to tag [#{response.code}] - [#{response.body}]" unless response.is_a? Net::HTTPSuccess
+        end
+
+        # whats there - what we want = what we need to remove
+        (splunk_entity - splunk_config(entity)).each do |field|
+          response = service.request(method: :POST, resource: splunk_resource + [name(entity)], body: { delete: field })
+          raise "Failed to delete field from tag [#{response.code}] - [#{response.body}]" unless response.is_a? Net::HTTPSuccess
+        end
+      end
+
+      def splunk_config(entity)
+        entity['fields']
+      end
+
+      def needs_update?(splunk_entity, entity)
+        # Compares the fields in our config vs whats in splunk
+        splunk_config(entity).uniq.sort != splunk_entity.uniq.sort
+      end
+    end
+  end
+end

data/lib/splunk/pickaxe/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Splunk
+  module Pickaxe
+    VERSION = '2.0.0'
+  end
+end

data/project.yml

@@ -0,0 +1,34 @@
+name: splunk-pickaxe
+group_id: com.cerner.bigdata
+artifact_id: splunk-pickaxe
+github:
+  project_url: http://github.cerner.com/bigdata/splunk-pickaxe
+
+doc: rdoc
+test: rake
+
+philter:
+  linters:
+    - ruby
+  ruby:
+    exclusions:
+      - target/**/*
+      - vendor/**/*
+      - spec/**/*
+
+jira:
+  url: https://jira.cerner.com
+  component: 25899
+
+snapshot_repository:
+  id: cerner-rubygems-snapshot
+  url: http://repo.snapshot.cerner.corp/rubygems/
+snapshot_site_repository:
+  id: bigdata-snapshot-site
+  url: http://repo.bigdata.cerner.corp/nexus/content/repositories/bigdata-snapshot-site/
+repository:
+  id: cerner-rubygems-internal
+  url: http://repo.release.cerner.corp/internal/rubygems/
+site_repository:
+  id: cerner-main-internal-site
+  url: http://repo.release.cerner.corp/internal/site/

metadata

@@ -0,0 +1,132 @@
+--- !ruby/object:Gem::Specification
+name: splunk-pickaxe
+version: !ruby/object:Gem::Version
+  version: 2.0.0
+platform: ruby
+authors:
+- Bryan Baugher
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2017-07-10 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: splunk-sdk-ruby
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: highline
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.19'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.19'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.9'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+description: 'A tool for syncing your repo of splunk objects with a splunk instance '
+email:
+- bryan.baugher@Cerner.com
+executables:
+- pickaxe
+extensions: []
+extra_rdoc_files: []
+files:
+- Gemfile
+- README.md
+- Rakefile
+- bin/pickaxe
+- lib/splunk/pickaxe.rb
+- lib/splunk/pickaxe/cli.rb
+- lib/splunk/pickaxe/client.rb
+- lib/splunk/pickaxe/config.rb
+- lib/splunk/pickaxe/objects.rb
+- lib/splunk/pickaxe/objects/alerts.rb
+- lib/splunk/pickaxe/objects/dashboards.rb
+- lib/splunk/pickaxe/objects/eventtypes.rb
+- lib/splunk/pickaxe/objects/field_extractions.rb
+- lib/splunk/pickaxe/objects/reports.rb
+- lib/splunk/pickaxe/objects/tags.rb
+- lib/splunk/pickaxe/version.rb
+- project.yml
+homepage: http://github.com/Cerner/splunk-pickaxe
+licenses:
+- Apache-2.0
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.1
+signing_key: 
+specification_version: 4
+summary: A tool for syncing your repo of splunk objects with a splunk instance
+test_files: []