
Splunk Powershell Module - Why was connection closed unexpectedly?

kypife
Explorer

Hi all. I am trying to use the Splunk Powershell module to be able to query our server after agent installations to verify that they are reporting correctly instead of logging into the web portal to check.

When I try:

connect-splunk -ComputerName $splunkServer -Protocol http -Port $port -Credential $cred -Verbose

I get the following error:

Invoke-HTTPPost : Exception calling "GetRequestStream" with "0" argument(s): "The underlying connection was closed: The connection 
was closed unexpectedly."

I have tried using the default port, both http and https protocols as well, but nothing works. Also, this will fail immediately without a delay (whereas changing the protocol will cause a timeout error message). To me, it appears that this path does not exist.

SplunkServer:5617/services/auth/login

If I enter the url into the browser, I get a "Page Cannot Be Displayed" error. If I go straight to SplunkServer though, the url is this:

SplunkServer/en-US/account/login?return_to=%2Fen-US%2F

Do I need to tweak some settings in the module? Or might this not be compatible with the version of Splunk I have?

kypife
Explorer

I couldn't post the answer to this because my account is new. But it was twofold:

The management port uses https even when the web portal is set to only use http, which threw me off. So the first step was specifying the protocol as https instead of http.

The second issue was the self-signed cert, which can be fixed by running the command "disable-certificatevalidation", which is a part of the Splunk module.

Hope that helps for anyone else who might have been in the same situation.
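
Added example, not part of the post above or of the Splunk module: a probe that shows whether the management port completes a TLS handshake and which certificate it presents, so the self-signed certificate can be compared with a thumbprint recorded on the server before validation is turned off for the session. The function name, host name and thumbprint value are hypothetical placeholders.

```powershell
# Added example: Test-SplunkMgmtTls is a hypothetical helper, not a Splunk module cmdlet.
function Test-SplunkMgmtTls {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [int]$Port = 8089,              # default REST/management port mentioned in the thread
        [string]$ExpectedThumbprint     # thumbprint recorded on the server itself (optional)
    )
    $r = [ordered]@{
        Reachable = $false; TlsHandshake = $false; Subject = $null; NotAfter = $null
        Thumbprint = $null; SelfSigned = $null; ChainTrusted = $null; PinMatches = $null; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($ComputerName, $Port)
        $r.Reachable = $true
        # Accept any certificate for this one handshake so it can be inspected.
        # No credentials or request data are sent over the stream.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($ComputerName)
        $r.TlsHandshake = $true
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.Subject    = $cert.Subject
        $r.NotAfter   = $cert.NotAfter
        $r.Thumbprint = $cert.Thumbprint
        $r.SelfSigned = ($cert.Subject -eq $cert.Issuer)
        # Evaluate trust against the local certificate stores, as a validating client would.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $r.ChainTrusted = $chain.Build($cert)
        if ($ExpectedThumbprint) {
            $pin = $ExpectedThumbprint -replace '[^0-9A-Fa-f]', ''
            $r.PinMatches = ($pin -eq $cert.Thumbprint)
        }
    } catch {
        # Reachable = True with TlsHandshake = False means the port answered but the TLS
        # handshake failed (plain-HTTP listener, or no protocol version in common).
        $r.Error = $_.Exception.Message
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
    [pscustomobject]$r
}

# Constructed sample call; host name and thumbprint are placeholders.
Test-SplunkMgmtTls -ComputerName 'splunk.example.internal' -Port 8089 -ExpectedThumbprint '<THUMBPRINT-FROM-SERVER>'
```

A result with TlsHandshake = True, SelfSigned = True and ChainTrusted = False corresponds to the second issue described in the post; PinMatches = True confirms the certificate is the one recorded on the server.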

halr9000
Motivator

What version of Splunk? If using the admin user account, have you changed the password from the default? If not, try changing the password, as I think I recall a policy that restricts certain REST endpoints when the default password is present.

Are you using the default self-signed SSL cert, or have you installed your own "real" one? PowerShell doesn't like self-signed certs; this could be related to your problem, although I would expect the error message to say so, e.g.:

Invoke-HTTPPost : Exception calling "GetRequestStream" with "0" argument(s): "The underlying connection was closed:
Could not establish trust relationship for the SSL/TLS secure channel."

Also try looking at the exception details. Here's an example of mine, but I'm not able to repro your issue.

PS C:\Users\Hal> $error[0] | Format-List * -Force

writeErrorStream      : True
PSMessageDetails      :
Exception             : Microsoft.PowerShell.Commands.WriteErrorException: Exception calling "GetRequestStream" with
                        "0" argument(s): "The underlying connection was closed: Could not establish trust relationship
                        for the SSL/TLS secure channel."
TargetObject          :
CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Invoke-HTTPPost
ErrorDetails          :
InvocationInfo        : System.Management.Automation.InvocationInfo
ScriptStackTrace      : at Invoke-HTTPPost,
                        C:\Users\Hal\SkyDrive\PowerShell\Modules\Splunk\Splunk-Core\Splunk-Core.psm1: line 280
                        at Invoke-SplunkAPIRequest,
                        C:\Users\Hal\SkyDrive\PowerShell\Modules\Splunk\Splunk-Core\Splunk-Core.psm1: line 599
                        at Get-SplunkAuthToken, C:\Users\Hal\SkyDrive\PowerShell\Modules\Splunk\Splunk-Authentication\S
                        plunk-Authentication.psm1: line 334
                        at Connect-Splunk, C:\Users\Hal\SkyDrive\PowerShell\Modules\Splunk\Splunk-Authentication\Splunk
                        -Authentication.psm1: line 127
                        at <ScriptBlock>, <No file>: line 1
PipelineIterationInfo : {0, 1}
0 Karma

kypife
Explorer

No, it doesn't use the default ports. The Splunk agents report on port 5617. When I try port 8000 or 8089 it times out.

0 Karma

halr9000
Motivator

Does your Splunk install use the default ports, or not? Where does 5617 come from? Default is 8000 for humans, and 8089 for REST API. Modify your question to add this detail please.

0 Karma