All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Powershell Module - Why was connection closed unexpectedly?

kypife
Explorer
‎07-28-2014 02:02 PM

Hi all. I am trying to use the Splunk Powershell module to be able to query our server after agent installations to verify that they are reporting correctly instead of logging into the web portal to check.

When I try:

connect-splunk -ComputerName $splunkServer -Protocol http -Port $port -Credential $cred -Verbose

I get the following error:

Invoke-HTTPPost : Exception calling "GetRequestStream" with "0" argument(s): "The underlying connection was closed: The connection 
was closed unexpectedly."

I have tried using the default port, both http and https protocols as well, but nothing works. Also, this will fail immediately without a delay (where-as changing the protocol will cause a timeout error message). To me, it appears that this path does not exist.

SplunkServer:5617/services/auth/login

If I enter the url into the browser, I get a "Page Cannot Be Displayed" error. If I go straight to SplunkServer though, the url is this:

SplunkServer/en-US/account/login?return_to=%2Fen-US%2F

Do I need to tweak some settings in the module? Or might this not be compatible with the version of Splunk I have?

Reply

kypife
Explorer
‎08-15-2014 02:26 PM

I couldn't post the answer to this because my account is new. But it was 2 fold:

The management port uses https even when the web portal is set to only use http which threw me off. So the first step was specifying the protocol as https instead of http

The second issue was the self-signed cert which can be fixed by running the command "disable-certificatevalidation" which is apart of the Splunk module.

Hope that helps for anyone else who might have been in the same situation

Reply

halr9000
Motivator
‎08-07-2014 07:18 AM

What version of Splunk? If using the admin user account, have you changed the password from the default? If not, try changing the password, as I think I recall a policy that restricts certain REST endpoints when the default password is present.

Are you using the default self-signed SSL cert, or have you installed your own "real" one? PowerShell doesn't like self-signed certs, this could be related to your problem, although I would expect the error message to say so, e.g.:

Invoke-HTTPPost : Exception calling "GetRequestStream" with "0" argument(s): "The underlying connection was closed:
Could not establish trust relationship for the SSL/TLS secure channel."

Also try looking at the exception details. Here's an example of mine, but I'm not able to repro your issue.

PS C:\Users\Hal> $error[0] | Format-List * -Force

writeErrorStream      : True
PSMessageDetails      :
Exception             : Microsoft.PowerShell.Commands.WriteErrorException: Exception calling "GetRequestStream" with
                        "0" argument(s): "The underlying connection was closed: Could not establish trust relationship
                        for the SSL/TLS secure channel."
TargetObject          :
CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Invoke-HTTPPost
ErrorDetails          :
InvocationInfo        : System.Management.Automation.InvocationInfo
ScriptStackTrace      : at Invoke-HTTPPost,
                        C:\Users\Hal\SkyDrive\PowerShell\Modules\Splunk\Splunk-Core\Splunk-Core.psm1: line 280
                        at Invoke-SplunkAPIRequest,
                        C:\Users\Hal\SkyDrive\PowerShell\Modules\Splunk\Splunk-Core\Splunk-Core.psm1: line 599
                        at Get-SplunkAuthToken, C:\Users\Hal\SkyDrive\PowerShell\Modules\Splunk\Splunk-Authentication\S
                        plunk-Authentication.psm1: line 334
                        at Connect-Splunk, C:\Users\Hal\SkyDrive\PowerShell\Modules\Splunk\Splunk-Authentication\Splunk
                        -Authentication.psm1: line 127
                        at <ScriptBlock>, <No file>: line 1
PipelineIterationInfo : {0, 1}
0 Karma
Reply

kypife
Explorer
‎07-31-2014 08:06 AM

No it doesn't use the default ports. The splunk agents report on port 5617. When I try port 8000 or 8089 it times out.

0 Karma
Reply

halr9000
Motivator
‎07-30-2014 08:26 AM

Does your Splunk install use the default ports, or not? Where does 5617 come from? Default is 8000 for humans, and 8089 for REST API. Modify your question to add this detail please.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

We’ve discovered a bug that affected the auto-clear of Synthetic Detectors in the Splunk Synthetic Monitoring ...

Video | Tom’s Smartness Journey Continues

Remember Splunk Community member Tom Kopchak? If you caught the first episode of our Smartness interview ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud? Learn how unique features like ...