Two pipelines move data from the homelab edge to Splunk. The architecture is intentional: HAProxy load-balances toward Cribl Edge, which routes, transforms, and reduces volume before forwarding to Splunk over HEC. The goal: 30–50% ingest reduction without losing security signal.
Log pipeline
UniFi network gear and application logs land in Splunk via Cribl Edge. HAProxy fronts the Cribl Edge cluster for high availability. Coral dashed edges carry the data; the solid green edge is the physical syslog hop. Cribl Edge drops verbose fields, routes by event_type, enriches and masks, so the indexer takes a smaller, cleaner payload.
NetFlow pipeline
NetFlow v9 / IPFIX from network devices follows the same shape on a different port. UDP is loss-tolerant by design, so HAProxy distributes rather than fails over. Cribl pipelines de-duplicate, parse flow records, and aggregate by tuple before forwarding.
What lives where
| Layer | Provisioned by | Configured by | Source repo |
|---|---|---|---|
| Proxmox host / VMs / LXCs | terraform-proxmox | ansible-proxmox | both |
| HAProxy | (Ansible role) | ansible-proxmox-apps | apps repo |
| Cribl Edge | (Ansible role) | ansible-proxmox-apps | apps repo |
| Splunk Enterprise | (manual / Ansible) | ansible-splunk | splunk repo |
| Cribl pipelines | (manual / Cribl pack) | cc-edge-* packs | pack repos |
| Splunk knowledge objects | n/a | Splunk TA (AI observability) | TA repo |
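
The de-duplicate and aggregate-by-tuple step described under NetFlow pipeline, written in plain JavaScript as an added example (not the Cribl packs' or these repos' own code). The record field names, the 60-second window, and the duplicate rule (same exporter, sequence number, tuple and start time) are assumptions, and the sample flows are constructed.

```javascript
// Constructed sample flow records (not real traffic); field names are assumptions.
const TCP_TUPLE = { src: "10.0.10.5", dst: "10.0.20.8", sport: 51514, dport: 443, proto: 6 };
const DNS_TUPLE = { src: "10.0.10.9", dst: "10.0.20.53", sport: 40000, dport: 53, proto: 17 };
const SAMPLE_FLOWS = [
  { exporter: "sw1", seq: 101, ...TCP_TUPLE, bytes: 1200, packets: 4, start: 1000 },
  { exporter: "sw1", seq: 101, ...TCP_TUPLE, bytes: 1200, packets: 4, start: 1000 }, // repeated datagram
  { exporter: "sw1", seq: 102, ...TCP_TUPLE, bytes: 800, packets: 3, start: 1030 },
  { exporter: "sw1", seq: 103, ...TCP_TUPLE, bytes: 500, packets: 2, start: 1070 },
  { exporter: "sw1", seq: 104, ...DNS_TUPLE, bytes: 90, packets: 1, start: 1005 },
  { exporter: "sw1", seq: 105, ...DNS_TUPLE, bytes: 110, packets: 1, start: 1010 },
];

const tupleKey = (f) => [f.src, f.dst, f.sport, f.dport, f.proto].join("|");

// Drop records that arrive more than once with identical identity fields.
function dedupe(flows) {
  const seen = new Set();
  return flows.filter((f) => {
    const id = `${f.exporter}|${f.seq}|${tupleKey(f)}|${f.start}`;
    if (seen.has(id)) return false;
    seen.add(id);
    return true;
  });
}

// Sum counters per 5-tuple per fixed window. The flow count and first/last
// timestamps are kept so frequency- and duration-based detections still work.
function aggregate(flows, windowSec = 60) {
  const out = new Map();
  for (const f of flows) {
    const bucket = Math.floor(f.start / windowSec) * windowSec;
    const key = `${bucket}|${tupleKey(f)}`;
    if (!out.has(key)) {
      const { src, dst, sport, dport, proto } = f;
      out.set(key, { window: bucket, src, dst, sport, dport, proto,
                     bytes: 0, packets: 0, flows: 0, first: f.start, last: f.start });
    }
    const a = out.get(key);
    a.bytes += f.bytes; a.packets += f.packets; a.flows += 1;
    a.first = Math.min(a.first, f.start); a.last = Math.max(a.last, f.start);
  }
  return [...out.values()];
}

// Run both stages and report the event-count reduction against the raw input.
function reduceFlows(flows, windowSec = 60) {
  const events = aggregate(dedupe(flows), windowSec);
  return { events, reductionPct: Math.round(100 * (1 - events.length / flows.length)) };
}
console.log(reduceFlows(SAMPLE_FLOWS));
```

Byte and packet totals are preserved across aggregation; what is lost is per-flow granularity inside each window, which is why the flow count and first/last timestamps are carried forward.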