topic Re: How to get session key in a search script (| script ) similar to the way a scripted input can? in Splunk Search

How to get session key in a search script (| script ) similar to the way a scripted input can?

avilandau — Wed, 27 Jul 2016 15:08:34 GMT

I'm storing a few credentials in Splunk keystore using setup.xml endpoint="storage/passwords". I have no problem extracting the credential in my scripted input since the session-key is sent to its stdin. However, that is not the case to search script (I think also referred custom script). My script doesn't actually perform a Splunk search like other activities related to my Splunk App, but I need the extract the password using the session key. I tested it to see what I get in stdin to experiment and I do in fact get few lines as follows, but I don't see how to get the session_key from these:

splunkVersion:6.4.1
allowStream:1
keywords:%22%22
search:%7C%20script%20search_script%20%22PARAM-1%22%20PARAM-2
sid:admin__admin_VEVTVF9BVVRI__search1_1469631525.79
realtime:0
preview:0
truncated:0

Re: How to get session key in a search script (| script ) similar to the way a scripted input can?

jkat54 — Wed, 27 Jul 2016 15:40:41 GMT

Instead of using | script... is writing a custom SPL command in python an option?

If so, it's a bit easier you can use something akin to "sessionKey=self.getSessionKey()"

Re: How to get session key in a search script (| script ) similar to the way a scripted input can?

avilandau — Wed, 27 Jul 2016 15:50:13 GMT

Yes, custom SPL command in python is surely an option. Will I need the Python SDK for that? Can you refer me to some exmaple or link for that?

Re: How to get session key in a search script (| script ) similar to the way a scripted input can?

jkat54 — Wed, 27 Jul 2016 16:18:59 GMT

I write my own python SPL without use of the SDK. Hold on for a moment and I'll share an example.

Re: How to get session key in a search script (| script ) similar to the way a scripted input can?

jkat54 — Wed, 27 Jul 2016 17:20:24 GMT

first you create /apps/appName/default/commands.conf:

[myCommandName]
filename = myCommandName.py
passauth = true

"passauth = true" is what sends the auth details through from SPL to your python command.

Then you create python script in /apps/appName/bin/myCommandName.py:

import splunk.Intersplunk 
import splunk.mining.dcutils as dcu

logger = dcu.getLogger()

#results = previous data in the search pipe
#settings = splunk 'header'
results,dummy,settings = splunk.Intersplunk.getOrganizedResults()
sessionKey = settings.get("sessionKey")

#Below would log sessionKey to python.log, not the best idea, here for example
logger.info(sessionKey) 

# Below logs 1st result's _raw field to python.log, just an example of how to parse results from intersplunk.getOrganizedResutls
logger.info(results()[0]["_raw"]) 

#Below sample function iterates over each row of results and adds your user's sessionKey as field onto each row of the results
def addSessionKey(results,settings):
 for result in results:
  result["sessionKey"] = settings.get("sessionKey")
 return results

#Below is how you return your potentially modified search results & settingsback to splunk search pipeline
splunk.Intersplunk.outputResults(addSessionKey(results,settings))

#example REST post using sessionKey
 headers = {'Authorization':''}
 headers['Authorization'] = 'Splunk ' + settings.get("sessionKey")  
 data = {'name':'restart_link','value':'Splunk must be restarted for changes to take effect.  [[/manager/search/control| Click here to restart from the Manager.]]','severity':'warn'}
 r = requests.post("https://localhost:8089/services/messages/new", headers=headers, data=data, verify=False)
 logger.info(r.status_code)

Then you restart and execute the command. ... | myCommandName | table sessionKey

If it exits non-zero, look in the job log
If it completes but doesnt give you proper results check index=_internal source=*python*

There are other things in "settings" you may wish to explore. authString is used for manipulated splunk via CLI for example
user can be found in "results", etc... good to send both settings and results to log and see what you have there.

Re: How to get session key in a search script (| script ) similar to the way a scripted input can?

dellytaniasetia — Tue, 25 Oct 2016 06:46:03 GMT

Hi,
I used the same approach but I received this error

command="remedyincidentcreate", Failed to get conf=remedy, stanza=remedy_account, status=401, reason=Unauthorized, detail=   call not properly authenticated

I have set the passauth = true and insert the following in my script

import sys
import splunk.Intersplunk as si
def main():
 results,dummyresults,settings = si.getOrganizedResults()
 handler = RemedyIncidentCreateManual()
 handler.handle()

Any help is appreciated.

Re: How to get session key in a search script (| script ) similar to the way a scripted input can?

jkat54 — Tue, 25 Oct 2016 08:02:48 GMT

Then you're trying to pass the Splunk authentication token to remedy? That's not going to work at all. You'll have a different auth token / user & pass for remedy. The auth token here is for Splunk only.

Re: How to get session key in a search script (| script ) similar to the way a scripted input can?

TonyLeeVT — Fri, 07 Apr 2017 11:33:56 GMT

Make sure if you copy and paste from the commands.conf file example above, you remove the comment:

 passauth = true  #<- the keys to the castle

It should just be:

 passauth = true

Splunk conf files don't always like comments at the end of a line

Re: How to get session key in a search script (| script ) similar to the way a scripted input can?

fabiofox — Fri, 14 Sep 2018 16:11:26 GMT

thanks god! it's two days that i'm struggling about this. thanks jkat54! I owe you one (or a thousand)

Re: How to get session key in a search script (| script ) similar to the way a scripted input can?

jkat54 — Fri, 14 Sep 2018 16:49:09 GMT

I've updated the answer to address this. Thank you for the feedback.

Re: How to get session key in a search script (| script ) similar to the way a scripted input can?

supersleepwalke — Tue, 16 Apr 2019 00:35:41 GMT

The accepted answer is now out-of-date. With the new version 2 of the protocol, use of Intersplunk is deprecated:

(as of Splunk 6.4.0):https://docs.splunk.com/Documentation/Splunk/6.4.0/Search/Aboutcustomsearchcommands

(as of today) https://docs.splunk.com/Documentation/Splunk/7.2.5/Search/Aboutcustomsearchcommands

here is an example that works for me to use the session key to perform a search within a custom command without actually retreiving it myself and adding it as a header:

class CustomCommand(StreamingCommand):
    def stream(self, records):
                mysearch="search index=_internal"
                kwargs_create = {'earliest_time':'2019-04-01T12:00:00','latest_time':'2019-04-01:01:00'}
                job = self.service.jobs.create(mysearch,**kwargs_create)

dispatch(IpToUserCommand, sys.argv, sys.stdin, sys.stdout, __name__)

Of course, add in all the appropriate error handling.

self.service returns a splunklib.client.Service object (https://docs.splunk.com/DocumentationStatic/PythonSDK/1.6.5/searchcommands.html#splunklib.searchcommands.StreamingCommand.service), which already has an authentication token attached. The guidance in @jkat54 post about needing passauth = true in commands.conf still applies

Re: How to get session key in a search script (| script ) similar to the way a scripted input can?

supersleepwalke — Tue, 16 Apr 2019 00:42:25 GMT

I downvoted this post because answer is out of date. it appears that this guidance applies for version 1 of the custom search command protocol, which was deprecated just a couple months before this answer was published.

Re: How to get session key in a search script (| script ) similar to the way a scripted input can?

jkat54 — Tue, 16 Apr 2019 10:53:33 GMT

Deprecated and EOL are two different things. There’s nothing wrong with this method. It still works.

Downvotes should be reserved for answers that would cause harm or answers that are vulgar/rude, etc.

Re: How to get session key in a search script (| script ) similar to the way a scripted input can?

jkat54 — Tue, 16 Apr 2019 10:54:39 GMT

@supersleepwalker

Re: How to get session key in a search script (| script ) similar to the way a scripted input can?

supersleepwalke — Tue, 16 Apr 2019 15:12:52 GMT

yeah, I was unsure on downvoting. I guess I interpreted an out-of-date answer to be "harmful" because I was trying to use the latest recommended technology, and this answer led me down the wrong path and caused me to waste time. I considered that harmful. I can see how other people would disagree.

Re: How to get session key in a search script (| script ) similar to the way a scripted input can?

jkat54 — Tue, 16 Apr 2019 21:54:59 GMT

I still use intersplunk in 7.2... so I don’t believe it causes harm, but in general we don’t go downvoting accepted answers from 2016 due to newness conflicts.

Re: How to get session key in a search script (| script ) similar to the way a scripted input can?

andrewtrobec — Thu, 19 Mar 2020 19:11:09 GMT

incredibly helpful, thank you!