topic Why is access to Splunk API via Python generating an "Unauthorized" error? in Splunk Dev

Why is access to Splunk API via Python generating an "Unauthorized" error?

Robbie1194 — Mon, 05 Feb 2018 13:40:32 GMT

Using some of the python code provided by Splunk:

Step 3: Get the search status

httplib2.Http(disable_ssl_certificate_validation=True).add_credentials(username, password)
servicessearchstatusstr = '/services/search/jobs/%s/' % sid
isnotdone = True
while isnotdone:
    searchstatus = httplib2.Http(disable_ssl_certificate_validation=True).request(baseurl + servicessearchstatusstr, 'GET')[1]
    print searchstatus
    isdonestatus = re.compile('isDone">(0|1)')
    isdonestatus = isdonestatus.search(searchstatus).groups()[0]
    if (isdonestatus == '1'):
        isnotdone = False
print "====>search status:  %s  <====" % isdonestatus

Error message produced:

====>search result:  [{"messages":[{"type":"ERROR","text":"Unauthorized"}]}]  <====

I have read many questions about people having the same issue and have tried all of the solutions but the error still persists. I've tried changing the password to something that's only alphanumeric (no special characters) so nothing needs to be escaped. I've changed the password from default, I've made a new account with admin access for api calls and I've even tried printing out the password and username in the script at multiple points so that I can see that it doesn't change values etc.

Any POST requests I make (running the search for example) will work fine, it's as soon as it comes to retrieving the information (GET requests) that there is a problem! Can anyone please provide any additional solutions that may help with this issue?

Re: Why is access to Splunk API via Python generating an "Unauthorized" error?

micahkemp — Mon, 05 Feb 2018 13:57:01 GMT

Can you paste your full script? It seems you didn't include the section that prints the search result.

I wonder if your call to get the search results is lacking the authentication component, either using the same httplib2 object that you added credentials to, or by passing the session ID from a previous request.

Re: Why is access to Splunk API via Python generating an "Unauthorized" error?

Robbie1194 — Mon, 05 Feb 2018 14:02:13 GMT

I've posted the full script in the answers.

Re: Why is access to Splunk API via Python generating an "Unauthorized" error?

micahkemp — Mon, 05 Feb 2018 15:08:10 GMT

On lines 32 and 41 you're issuing GET requests but did not include the authorization header like you did on line 23.

Re: Why is access to Splunk API via Python generating an "Unauthorized" error?

Robbie1194 — Mon, 05 Feb 2018 15:08:11 GMT

    import urllib
    import httplib2
    import time
    import re
    from time import localtime,strftime
    from xml.dom import minidom
    import json

    baseurl = 'splunkserver:8089'
    username = 'user'
    password = 'password'

   # Step 1: Get a session key
    servercontent = httplib2.Http(disable_ssl_certificate_validation=True).request(baseurl + '/services/auth/login', 'POST',
    headers={}, body=urllib.urlencode({'username':username, 'password':password}))[1]
    sessionkey = minidom.parseString(servercontent).getElementsByTagName('sessionKey')[0].childNodes[0].nodeValue
    print "====>sessionkey:  %s  <====" % sessionkey

   # Step 2: Create a search job
    searchquery = 'search index=notable | top limit=5 _time unique_id'

    searchjob = httplib2.Http(disable_ssl_certificate_validation=True).request(baseurl + '/services/search/jobs','POST',
    headers={'Authorization': 'Splunk %s' % sessionkey},body=urllib.urlencode({'search': searchquery}))[1]
    sid = minidom.parseString(searchjob).getElementsByTagName('sid')[0].childNodes[0].nodeValue
    print "====>sid:  %s  <====" % sid

    #Step 3: Get the search status
    httplib2.Http(disable_ssl_certificate_validation=True).add_credentials(username, password)
    servicessearchstatusstr = '/services/search/jobs/%s/' % sid
    isnotdone = True
    while isnotdone:
        searchstatus = httplib2.Http(disable_ssl_certificate_validation=True).request(baseurl + servicessearchstatusstr, 'GET')[1]
        isdonestatus = re.compile('isDone">(0|1)')
        isdonestatus = isdonestatus.search(searchstatus).groups()[0]
        if (isdonestatus == '1'):
            isnotdone = False
    print "====>search status:  %s  <====" % isdonestatus

   # Step 4: Get the search results
    services_search_results_str = '/services/search/jobs/%s/results?output_mode=json&count=0' % sid
    searchresults = httplib2.Http(disable_ssl_certificate_validation=True).request(baseurl + services_search_results_str, 'GET')[1]
    print "====>search result:  [%s]  <====" % searchresults

Re: Why is access to Splunk API via Python generating an "Unauthorized" error?

micahkemp — Mon, 05 Feb 2018 15:08:12 GMT

Can you format the code using the code button (the 101010 icon) so that it's easier to read?

Re: Why is access to Splunk API via Python generating an "Unauthorized" error?

Robbie1194 — Mon, 05 Feb 2018 15:08:13 GMT

Okay, done 🙂

Re: Why is access to Splunk API via Python generating an "Unauthorized" error?

Robbie1194 — Mon, 05 Feb 2018 15:24:05 GMT

Yeah i see what you mean!

I'm new to Python so it might take me a while to work out how but I'll attempt to add the authorisation headers in the same way the POST commands did.

Re: Why is access to Splunk API via Python generating an "Unauthorized" error?

Robbie1194 — Mon, 05 Feb 2018 15:25:30 GMT

Although I did think the script looked okay at first because I was of the understanding that you don't typically use headers in get requests.