Hello Jeffrey-
FYI: I am using a distributed environment (sandbox).
I have created a new index for all cliauto responses called: cliautoIdx (note the capital "I" in the index name).
I created a custom cliauto.conf file in {$SPLUNK_HOME}/etc/shcluster/apps/cliauto/local/ (see bottom for file contents).
I then push the SHC bundle with success and confirm the file made it to the SHC members.
However, when I try to run the first command in the dropdown, Check ssh Port Open, it throws an error in cliauto.log:
2020-01-03 10:07:20,766 Creating cliauto_index...
2020-01-03 10:07:20,766 GET request to https://localhost:8089/services/data/indexes/cliautoIdx (body: {})
2020-01-03 10:07:20,774 Error, Creating cliauto_index, err = UrlEncoded('cliautoIdx')
2020-01-03 10:07:20,774 Error, process_iterations, icount = 1: err = error in cliauto_index constructor function
Contents of the /local/cliauto.conf file:
[main]
# Splunk index to store results
index=cliautoIdx
Is this me, or did I find a bug?
@BainM Based on the info provided, the error(s) appears to occur on the following line of code in the cliauto_index.py file which retrieves the index object using the index name in the objcfg.index string variable using the Splunk Python SDK. I would guess the CLI Auto for Splunk app (or the user using the app) does not have proper permissions to the cliautoIdx index.
# Retrieve the index for the data
self.myindex = self.service.indexes[objcfg.index]
You might try searching the cliautoIdx index from the Search dashboard in the CLI Auto for Splunk app using the same user (i.e. to mimic the same app and user context that generated the error(s)) to verify read permissions to the cliautoIdx index. The app (and user) will need write permissions to the cliautoIdx index also to submit and execute a job successfully in the app.
Hi @jeffrey_berry ,
I changed the case to all lowercase and it still fails.
I am running this as local admin on my SHC.
Same error:
2020-01-06 08:05:53,717 Creating cliauto_index...
2020-01-06 08:05:53,717 GET request to https://localhost:8089/services/data/indexes/cliautoidx (body: {})
2020-01-06 08:05:53,754 Error, Creating cliauto_index, err = UrlEncoded('cliautoidx')
I made sure that the indexes are owned by splunk.
Now that I look at the GET request, shouldn't this app be installed on the indexers instead of the searchheads?
Just wondering on that one.
-Mike
Yep. You are correct. It's Perms. The plain Splunk user cannot access the indexes endpoint in REST, no matter where one tries it (did not know this!).
Soooo, for the default "Check ssh Port Open" - How does one add in the credentials? I do not see that in the Splunkweb pages in Cliauto. Do I have to add it into a section in one of the .conf files?
Thanks,
Mike
@BainM
Mike,
I am glad that you were able to resolve the issue(s) with your custom index. No credentials for the network node(s) in your Node List are required for the "Check ssh Port Open" Command Type. The "Check ssh Port Open" Command Type uses the Python socket library to check if the ssh port is open which does not require logging into the ssh server of the network node(s).
Regards,
Jeff
@BainM Based on the info provided, the error(s) appears to occur on the following line of code in the cliauto_index.py file which retrieves the index object using the index name in the objcfg.index string variable using the Splunk Python SDK. I would guess the CLI Auto for Splunk app (or the user using the app) does not have proper permissions to the cliautoIdx index.
# Retrieve the index for the data
self.myindex = self.service.indexes[objcfg.index]
You might try searching the cliautoIdx index from the Search dashboard in the CLI Auto for Splunk app using the same user (i.e. to mimic the same app and user context that generated the error(s)) to verify read permissions to the cliautoIdx index. The app (and user) will need write permissions to the cliautoIdx index also to submit and execute a job successfully in the app.
@BainM I just created an index named cliautoIdx using the Splunk Web GUI. Splunk changed the uppercase "I" to a lowercase "i"; so the uppercase "I" could be causing the error(s).