Alerting

How do I get my alert script to run as admin with the proper privileges?

robertlight
Path Finder

The sessionKey that I'm getting as part of the stdin to my alert script does not seem to have the necessary privileges to run splunk.entity.getEntity('admin/alert_actions','email'.....)

How do I get my script to run with the proper privileges??

0 Karma
1 Solution

robertlight
Path Finder

The problem I was having had to do with not processing the sessionKey properly off the data received from stdin

The proper way of getting the sessionKey (for versions > 6.1) is the following:

 import sys, urllib
 sessionKey = urllib.unquote(sys.stdin.readline().strip()[len("sessionKey="):]).decode('utf8')

Otherwise your sessionKey will simply not authenticate to anything proper.

(worse yet, it will sometimes work correctly if no unquoting needs to happen and no non-UTF8 characters are in the session key.)


starcher
SplunkTrust

Glad it helped.

0 Karma

robertlight
Path Finder

Can someone tell me what capability a user needs to have in order to execute:

splunk.entity.getEntity

without getting a "client not authorized/401" exception??

0 Karma

somesoni2
Revered Legend

Who is the owner of the saved search that kicks off the alert script?

0 Karma

robertlight
Path Finder

The saved search is owned by "admin"

0 Karma

robertlight
Path Finder

Note that when I get the sessionKey within the script via:

sessionKey = client.login("admin","my-admin-pw")

the script runs just fine.

This is what keyed me to the idea that the sessionKey I'm getting from stdin does not have admin's credentials.

Is there a way to figure out what credentials a sessionKey is endowed with?

0 Karma
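The following is an added example, not code from any poster in this thread. It ties together the accepted solution (decoding the `sessionKey=` line from stdin) and the last question (finding out whose credentials a key carries). It is written for Python 3, whereas the one-liner in the thread is Python 2. Assumptions: splunkd listens on the default local management port 8089, and the sample stdin line is constructed, not a real key. The request is only built here, not sent.

```python
import io
import urllib.request
from urllib.parse import unquote

PREFIX = "sessionKey="
# Assumption: default local management port; adjust for your deployment.
SPLUNKD = "https://localhost:8089"


def read_session_key(stream):
    """Return the decoded session key from the first line passed on stdin."""
    line = stream.readline().strip()
    if not line.startswith(PREFIX):
        raise ValueError("first stdin line does not start with 'sessionKey='")
    key = unquote(line[len(PREFIX):])  # percent-decoding, UTF-8 by default
    if not key:
        raise ValueError("empty session key")
    return key


def current_context_request(session_key, base=SPLUNKD):
    """Build (not send) a request asking splunkd which user this key belongs to."""
    url = base + "/services/authentication/current-context?output_mode=json"
    req = urllib.request.Request(url)
    req.add_header("Authorization", "Splunk " + session_key)
    return req


def demo():
    # Constructed sample line; not a real session key.
    raw = "sessionKey=abc%5Edef_1%2B2%3D\n"
    key = read_session_key(io.StringIO(raw))
    naive = raw.strip()[len(PREFIX):]  # what the script holds if it skips unquoting
    req = current_context_request(key)
    return key, naive, req.get_header("Authorization")


if __name__ == "__main__":
    key, naive, auth = demo()
    print("decoded:", key)
    print("naive  :", naive)
    print("header :", auth)
```

Sending the request with `urllib.request.urlopen` against your own instance returns the username and roles tied to the key; a 401 at that point means the key itself was not accepted, which is what an undecoded key produces.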