<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Rest api error on get _raw events in Splunk Dev</title>
    <link>https://community.splunk.com/t5/Splunk-Dev/Rest-api-error-on-get-raw-events/m-p/567582#M10086</link>
    <description>&lt;P&gt;But what's the problem? It seems you're getting your events. It's not a Splunk error, it's an error being the contents of an event (in this case, coming from OSSEC). Or am I missing something?&lt;/P&gt;</description>
    <pubDate>Mon, 20 Sep 2021 05:16:31 GMT</pubDate>
    <dc:creator>PickleRick</dc:creator>
    <dc:date>2021-09-20T05:16:31Z</dc:date>
    <item>
      <title>Rest api error on get _raw events</title>
      <link>https://community.splunk.com/t5/Splunk-Dev/Rest-api-error-on-get-raw-events/m-p/567568#M10085</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;I am experimenting with the REST API and pulling events with a script. It seems like authentication and search are pulling the correct events from the /results endpoint, but I see an error on _raw events.&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Error in events:&lt;/STRONG&gt;&lt;/P&gt;&lt;P class="lia-indent-padding-left-30px"&gt;&lt;STRONG&gt;'_raw': 'Server: DC-C02SD43JG8WP, Error: Unable to run data '&lt;BR /&gt;'collection. Error: Password prompt encountered. '&lt;BR /&gt;'Aborting.',&lt;/STRONG&gt;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;#!/usr/local/bin/python3
import json
import pprint
import time
from xml.dom import minidom

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# verify=False below disables TLS certificate checking; that is only
# acceptable against a local test instance (127.0.0.1) with a self-signed cert.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)


base_url = 'https://127.0.0.1:8089'
username = 'admin'
password = 'changeme'

# the search string, sent as the "search" form field of the jobs endpoint
search_query = {'search': 'search index=main earliest=-4y'}

# auth/login is a POST endpoint; the session key comes back in XML
r = requests.post(base_url + '/servicesNS/admin/search/auth/login',
    data={'username': username, 'password': password}, verify=False)
r.raise_for_status()

session_key = minidom.parseString(r.text).getElementsByTagName('sessionKey')[0].firstChild.nodeValue
print("Session Key:", session_key)

# every later call authenticates with the session key
headers = {'Authorization': 'Splunk %s' % session_key}

# create the search job and capture its search id (sid)
r = requests.post(base_url + '/services/search/jobs/', data=search_query,
    headers=headers, verify=False)
r.raise_for_status()

sid = minidom.parseString(r.text).getElementsByTagName('sid')[0].firstChild.nodeValue
print("Search ID", sid)

# poll the job until dispatchState is DONE; bail out on FAILED rather than looping forever
done = False
while not done:
    r = requests.get(base_url + '/services/search/jobs/' + sid,
        headers=headers, verify=False)
    response = minidom.parseString(r.text)
    for node in response.getElementsByTagName("s:key"):
        if node.hasAttribute("name") and node.getAttribute("name") == "dispatchState":
            dispatchState = node.firstChild.nodeValue
            print("Search Status: ", dispatchState)
            if dispatchState == "DONE":
                done = True
            elif dispatchState == "FAILED":
                raise SystemExit("search job %s failed" % sid)
            else:
                time.sleep(1)

# fetch the results as JSON; output_mode is a query parameter on the GET
r = requests.get(base_url + '/services/search/jobs/' + sid + '/results/',
    headers=headers,
    params={'output_mode': 'json'},
    verify=False)
r.raise_for_status()

pprint.pprint(json.loads(r.text))&lt;/LI-CODE&gt;&lt;P&gt;Events returned; here is one sample entry. All events I am searching seem to get returned, but I'm not sure what's causing the _raw event error.&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;{'_bkt': 'main~18~95A72A43-AF2F-49CF-B85A-B0788E1AA28A',
              '_cd': '18:455',
              '_indextime': '1632029978',
              '_raw': 'Server: DC-C02SD43JG8WP, Error: Unable to run data '
                      'collection. Error: Password prompt encountered. '
                      'Aborting.',
              '_serial': '38',
              '_si': ['DC-C02SD43JG8WP', 'main'],
              '_sourcetype': 'ossec_agent_control',
              '_time': '2021-09-18T23:39:38.000-06:00',
              'host': 'DC-C02SD43JG8WP',
              'index': 'main',
              'linecount': '1',
              'source': 'ossec_agent_control',
              'sourcetype': 'ossec_agent_control',
              'splunk_server': 'DC-C02SD43JG8WP'},&lt;/LI-CODE&gt;</description>
      <pubDate>Mon, 20 Sep 2021 02:02:45 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Dev/Rest-api-error-on-get-raw-events/m-p/567568#M10085</guid>
      <dc:creator>sonicZ</dc:creator>
      <dc:date>2021-09-20T02:02:45Z</dc:date>
    </item>
    <item>
      <title>Re: Rest api error on get _raw events</title>
      <link>https://community.splunk.com/t5/Splunk-Dev/Rest-api-error-on-get-raw-events/m-p/567582#M10086</link>
      <description>&lt;P&gt;But what's the problem? It seems you're getting your events. It's not a Splunk error, it's an error being the contents of an event (in this case, coming from OSSEC). Or am I missing something?&lt;/P&gt;</description>
      <pubDate>Mon, 20 Sep 2021 05:16:31 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Dev/Rest-api-error-on-get-raw-events/m-p/567582#M10086</guid>
      <dc:creator>PickleRick</dc:creator>
      <dc:date>2021-09-20T05:16:31Z</dc:date>
    </item>
    <item>
      <title>Re: Rest api error on get _raw events</title>
      <link>https://community.splunk.com/t5/Splunk-Dev/Rest-api-error-on-get-raw-events/m-p/567664#M10087</link>
      <description>&lt;P&gt;You're right, PickleRick, I indexed a bunch of other data as well.&lt;/P&gt;&lt;P&gt;I should have paid attention to my actual event test data; I assumed the error was something from the API script run, whoops! I'm just not familiar with the actual output yet.&lt;/P&gt;</description>
      <pubDate>Mon, 20 Sep 2021 13:23:49 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Dev/Rest-api-error-on-get-raw-events/m-p/567664#M10087</guid>
      <dc:creator>sonicZ</dc:creator>
      <dc:date>2021-09-20T13:23:49Z</dc:date>
    </item>
  </channel>
</rss>