The sessionKey that I'm getting as part of the stdin to my alert script does not seem to have the necessary privileges to run splunk.entity.getEntity('admin/alert_actions','email'.....)
How do I get my script to run with the proper privileges??
The problem I was having had to do with not processing the sessionKey properly off the data received from stdin.
The proper way of getting the sessionKey (for versions > 6.1) is the following:
sessionKey = urllib.unquote(sys.stdin.readline().strip()[ len("sessionKey="):]).decode('utf8')
Otherwise your sessionKey will simply not authenticate to anything proper.
(Worse yet, it will sometimes work correctly if no unquoting needs to happen and no non-UTF8 characters are in the session key.)
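A Python 3 version of the stdin parsing described in the answer above, added here as an illustration and not the poster's code: it rejects a malformed first line instead of passing on a half-parsed token, and shows why skipping the URL-decoding only breaks for keys that contain escaped characters. The function names and sample tokens are constructed for this example.

```python
import io
import sys
from urllib.parse import quote, unquote

PREFIX = "sessionKey="


def read_session_key(stream):
    """Read the first stdin line passed to an alert script and return the decoded key.

    Raises ValueError rather than returning a half-parsed token, so the script
    stops before it sends a bad key to splunkd.
    """
    line = stream.readline().strip()
    if not line.startswith(PREFIX):
        raise ValueError("first stdin line does not start with 'sessionKey='")
    raw = line[len(PREFIX):]
    if not raw:
        raise ValueError("empty sessionKey on stdin")
    # Python 3: unquote() decodes percent-escapes as UTF-8 and returns str,
    # replacing urllib.unquote(...).decode('utf8') from Python 2.
    return unquote(raw, errors="strict")


def naive_session_key(stream):
    """The broken variant: strips the prefix but never URL-decodes."""
    return stream.readline().strip()[len(PREFIX):]


def demo():
    # Constructed sample tokens, not real Splunk session keys.
    samples = (("plain", "abc123DEF456"), ("special", "k9^Zx_a+b/c=="))
    results = {}
    for name, token in samples:
        wire = PREFIX + quote(token, safe="") + "\n"  # what arrives on stdin
        good = read_session_key(io.StringIO(wire))
        bad = naive_session_key(io.StringIO(wire))
        results[name] = (good == token, bad == token)
    return results


if __name__ == "__main__":
    # In a real alert script: session_key = read_session_key(sys.stdin)
    for name, (decoded_ok, naive_ok) in demo().items():
        print(f"{name}: decoded matches={decoded_ok} naive matches={naive_ok}")
```

Keep the decoded key out of log files and error messages; it authenticates as the owner of the saved search.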
Glad it helped.
Can someone tell me what capability a user needs to have in order to execute:
splunk.entity.getEntity
without getting a "client not authorized/401" exception?
Who is the owner of the saved search that kicks off the alert script?
The saved search is owned by "admin"
Note that when I get the sessionKey within the script via:
sessionKey = client.login("admin","my-admin-pw")
the script runs just fine.
This is what keyed me to the idea that the sessionKey I'm getting from stdin does not have admin's credentials.
Is there a way to figure out what credentials a sessionKey is endowed with?