Cannot POST to Custom Index

BainM
Communicator

Hello Jeffrey-

FYI: I am using a distributed environment (sandbox).
I have created a new index for all cliauto responses called: cliautoIdx (note the capital "I" in the index name).
I created a custom cliauto.conf file in {$SPLUNK_HOME}/etc/shcluster/apps/cliauto/local/ (see bottom for file contents).
I then push the SHC bundle with success and confirm the file made it to the SHC members.
However, when I try to run the first command in the dropdown, Check ssh Port Open, it throws an error in cliauto.log:

2020-01-03 10:07:20,766 Creating cliauto_index...
2020-01-03 10:07:20,766 GET request to https://localhost:8089/services/data/indexes/cliautoIdx (body: {})
2020-01-03 10:07:20,774 Error, Creating cliauto_index, err = UrlEncoded('cliautoIdx')
2020-01-03 10:07:20,774 Error, process_iterations, icount = 1: err = error in cliauto_index constructor function

Contents of the /local/cliauto.conf file:

[main]
# Splunk index to store results
index=cliautoIdx

Is this me, or did I find a bug?


jeffrey_berry
Path Finder

@BainM Based on the info provided, the error(s) appear to occur on the following line of code in the cliauto_index.py file, which retrieves the index object using the index name in the objcfg.index string variable using the Splunk Python SDK. I would guess the CLI Auto for Splunk app (or the user using the app) does not have proper permissions to the cliautoIdx index.

        # Retrieve the index for the data
        self.myindex = self.service.indexes[objcfg.index]

You might try searching the cliautoIdx index from the Search dashboard in the CLI Auto for Splunk app using the same user (i.e. to mimic the same app and user context that generated the error(s)) to verify read permissions to the cliautoIdx index. The app (and user) will need write permissions to the cliautoIdx index also to submit and execute a job successfully in the app.
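
The permission check suggested in this answer can also be run directly against the REST endpoint that appears in cliauto.log. The following is an added example, not code from the thread or from the CLI Auto for Splunk app; it uses only the Python standard library, and the function names and the generic HTTP status explanations are assumptions made for illustration.

```python
import base64
import configparser
import urllib.error
import urllib.parse
import urllib.request

# Constructed copy of the local/cliauto.conf shown in the question.
SAMPLE_CONF = "[main]\n# Splunk index to store results\nindex=cliautoIdx\n"

# Generic HTTP status meanings (assumption: not taken from Splunk documentation).
MEANING = {
    200: "index is visible to this user",
    401: "authentication failed",
    403: "authenticated, but not authorised for this endpoint",
    404: "no index of this name is visible to this user",
}

def configured_index(conf_text):
    """Return the index name from the [main] stanza of cliauto.conf text."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    return parser["main"]["index"].strip()

def case_mismatch(name):
    """True when the configured name is not already all lowercase."""
    return name != name.lower()

def index_url(base, name):
    """Build the same endpoint URL that cliauto.log shows for the GET."""
    return base.rstrip("/") + "/services/data/indexes/" + urllib.parse.quote(name, safe="")

def explain(status):
    """Map an HTTP status to a readable cause instead of an opaque error."""
    return MEANING.get(status, "unexpected status %d" % status)

def probe(base, name, user, password, context=None):
    """GET the index endpoint as `user` and return (status, explanation)."""
    request = urllib.request.Request(index_url(base, name))
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    request.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(request, timeout=10, context=context) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code  # 4xx/5xx arrive as exceptions; keep the code
    return status, explain(status)

if __name__ == "__main__":
    name = configured_index(SAMPLE_CONF)
    print(name, "case mismatch:", case_mismatch(name))
    print(index_url("https://localhost:8089", name))
```

Call `probe()` with the account the app runs as, passing an `ssl.SSLContext` that trusts the splunkd certificate as `context`; comparing the result with an admin account separates a missing index from a role that cannot read the endpoint.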


BainM
Communicator

Hi @jeffrey_berry ,
I changed the case to all lowercase and it still fails.
I am running this as local admin on my SHC.

Same error:
2020-01-06 08:05:53,717 Creating cliauto_index...
2020-01-06 08:05:53,717 GET request to https://localhost:8089/services/data/indexes/cliautoidx (body: {})
2020-01-06 08:05:53,754 Error, Creating cliauto_index, err = UrlEncoded('cliautoidx')

I made sure that the indexes are owned by splunk.
Now that I look at the GET request, shouldn't this app be installed on the indexers instead of the search heads?

Just wondering on that one.
-Mike


BainM
Communicator

Yep. You are correct. It's Perms. The plain Splunk user cannot access the indexes endpoint in REST, no matter where one tries it (did not know this!).

Soooo, for the default "Check ssh Port Open" - How does one add in the credentials? I do not see that in the Splunkweb pages in Cliauto. Do I have to add it into a section in one of the .conf files?

Thanks,
Mike


jeffrey_berry
Path Finder

@BainM

Mike,
I am glad that you were able to resolve the issue(s) with your custom index. No credentials for the network node(s) in your Node List are required for the "Check ssh Port Open" Command Type. The "Check ssh Port Open" Command Type uses the Python socket library to check if the ssh port is open, which does not require logging into the ssh server of the network node(s).

Regards,
Jeff


jeffrey_berry
Path Finder

@BainM I just created an index named cliautoIdx using the Splunk Web GUI. Splunk changed the uppercase "I" to a lowercase "i"; so the uppercase "I" could be causing the error(s).
