Rundeck + Splunk: Adding New Ops Visibility Across the Enterprise

The Rundeck App for Splunk Overview Page

Much Operations work, especially troubleshooting and incident response, is about what you know and when you know it. Splunk is the industry leader in event and log aggregation products, and Splunk Enterprise is the de facto industry standard for Operations, DevOps, Security/SIEM and other teams to obtain insights and create dashboards from nearly any type of machine data. 

Rundeck Enterprise and Rundeck Community users are no different. They've seen the benefits of integrating Rundeck and Splunk to make operations run better. We heard them and got to work. Now you can access your Rundeck data from within the Splunk platform.

The Rundeck App for Splunk

We've launched the Rundeck App for Splunk, a free Splunkbase download that makes it easy for Ops teams to deliver reports, track job activities, and add data to existing Splunk dashboards and reporting. The app includes example dashboards for detailed insights into a Rundeck Core instance and simplifies importing Rundeck server data into Splunk, including both Rundeck's log files and the results of API calls.

Rundeck administrators can use a Splunk dashboard and reporting tools to see key success and performance indicators for an instance of Rundeck Core. New or existing Splunk alerts immediately initiate a Rundeck job to repair the malfunction, recover from a failure, or produce an impact or troubleshooting report before the problem escalates.

Jobs Page

Get easy answers to questions we have all asked, like:

  • Which Rundeck jobs have the most interesting success rates?
  • Who uses Rundeck the most?
  • How has the performance of a critical job changed over time?
  • Which jobs have not been run in more than 30 days?

The Rundeck App for Splunk also allows Splunk power users to correlate Rundeck data against data they may already have from other sources. This lets you answer questions like:

  • What jobs were running near the start of incident #123?
  • Do we see a change in web server response time while the database cleanup job is running?
  • Which users' jobs are the most successful?

The Rundeck App for Splunk is free for all Rundeck Core (OSS) users. Please give it a try and send us your feedback! And stay tuned for a release of a Rundeck storage writer plugin for Splunk, which will allow the output of jobs to be sent to Splunk Enterprise or Splunk Cloud via their HTTP Event Collector.


Enterprise Features Arriving with the Rundeck Enterprise App for Splunk

Soon, we'll be releasing the Rundeck Pro App for Splunk, with custom-designed features to support large-scale Rundeck Pro users and their teams.

Available for all Rundeck Pro subscribers, the Rundeck Pro App for Splunk offers enterprise-level reporting tools for Rundeck users, nodes, and projects. Users can easily produce activity reports for auditors and management, track job activities by user or node, and add data from Rundeck to existing Splunk dashboards.

Additional enterprise features include:

  • Support for multiple Rundeck instances
  • User dashboard
    • See active vs. inactive users
    • Summarize jobs run by selected users, including success/failure rates and impacted nodes
  • The Node/Resource dashboard
    • Summarize job execution data by node
    • Use node/resource data from Rundeck in your other Splunk dashboards
  • Ad-Hoc command dashboard
    • Separate out ad-hoc commands for easier security review
    • Identify hidden pain points where a new self-service job can have the most impact
  • Support from the Rundeck Enterprise team

If you are interested in the Rundeck Enterprise App for Splunk, please open a request with Rundeck Support to request access to the app as soon as it is published.


Coming Soon: the Rundeck Self-Service Operations Solution for Splunk

In addition to these great new offerings from Rundeck, we're excited to announce that we are hard at work on a set of solutions and plugins for Rundeck Enterprise which will make it easy to turn the usually-complex tasks of administrators and users of Splunk into self-service operations. Meet your business requirements, security requirements, and—let's face it—sanity requirements, while removing the need for others to open tickets and bother you!

  • Give users the ability to install and/or upgrade the Splunk Universal Forwarder pre-populated with the right deployment server and forwarding server configuration.
  • Allow users to press one button to create a temporary index related to an incident ticket or service ticket, and then, for example, create a job to archive/freeze these indexes once the ticket has been closed for 30 days. Submit additional, detailed application logs to this index from only those nodes included in the research or troubleshooting effort.
  • Give teams self-service access to create a new index with strict storage and license limits, automatically enact ACLs to restrict access from other teams, and update serverclass.conf to include the nodes with certain attributes. All this without a ticket being filed—save that for when they actually need your help!

We expect to make these available sometime in early Q4, and can't wait to see what our customers do with them!

Tell us how you use Rundeck with Splunk at