I'm having an issue trying to set up an Audit Input with the server I created connecting my Splunk SOAR and Enterprise. The server is set up correctly with the authentication key, and when I test the connection it's good, but for some reason when I set the interval to 60 I'll just get "No session key received" errors coming from the phantom_retry.py script. Not sure where I'm supposed to update a key, or if I'm supposed to edit a certain script when I made the server, or what, but I could use some assistance. Thanks!
hi @Venality
The code that is kicking out this error is:

import sys

session_key = sys.stdin.read()
if not session_key:
    print("No session key received. Exiting")
    sys.exit(1)

This suggests that the passAuth param is not set, or is set to a user that does not exist in your inputs.conf. The default for this is:

## inputs.conf ##
[script://$SPLUNK_HOME/etc/apps/phantom/bin/scripts/phantom_retry.py]
passAuth = admin

When you set up Splunk, did you seed it with/create a different username for your admin user? Or have you changed this value?
In short, it looks like you need to update the passAuth to be a valid admin user (or the inbuilt "splunk-system-user") on your system. You need to make this change in the local directory, not default, as it could get overwritten.
## $SPLUNK_HOME/etc/apps/phantom/local/inputs.conf ##
[script://$SPLUNK_HOME/etc/apps/phantom/bin/scripts/phantom_retry.py]
passAuth = AdminUsernameHere
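To make the quoted three lines concrete, here is an added example of a minimal scripted input in the same style (not the phantom app's own phantom_retry.py and not from the answer above). When the [script://...] stanza has passAuth set, splunkd writes that user's session key to the script's stdin; the script then uses it as a bearer token against the management port. An empty stdin (passAuth unset, or pointing at a user that does not exist) is exactly the "No session key received" exit. Everything not in the thread is an assumption: management port 8089 on localhost, the app namespace "phantom", the realm/username of the stored credential, and the sample response, which is constructed.

```python
"""Added example of how a Splunk scripted input receives and uses the
passAuth session key. Not the phantom app's own code; the host, port,
app namespace, realm and sample response below are assumptions."""
import json
import ssl
import sys
import urllib.request
from typing import Optional


def parse_session_key(raw: str) -> Optional[str]:
    """Normalise what splunkd wrote to stdin; None means nothing arrived."""
    key = raw.strip()
    return key or None


def read_session_key(stream=sys.stdin) -> Optional[str]:
    # When passAuth is unset, splunkd closes stdin without writing anything,
    # so read() returns "" and the script has to bail out.
    return parse_session_key(stream.read())


def auth_header(session_key: str) -> dict:
    """Splunk REST expects 'Authorization: Splunk <session key>'."""
    return {"Authorization": "Splunk " + session_key}


def rest_url(endpoint: str, app: str = "phantom",
             host: str = "localhost", port: int = 8089) -> str:
    # servicesNS/nobody/<app> so credentials stored in the app's context
    # are visible to the call (host/port/app are assumptions).
    return (f"https://{host}:{port}/servicesNS/nobody/{app}/{endpoint}"
            "?output_mode=json&count=0")


def find_clear_password(entries_json: str, realm: str,
                        username: str) -> Optional[str]:
    """Pick one credential out of a storage/passwords JSON response.

    Each entry's content carries realm, username and clear_password; the
    passAuth user needs list_storage_passwords to see clear_password at all.
    """
    doc = json.loads(entries_json)
    for entry in doc.get("entry", []):
        content = entry.get("content", {})
        if content.get("realm") == realm and content.get("username") == username:
            return content.get("clear_password")
    return None


def fetch_storage_passwords(session_key: str) -> str:
    """Live REST call; only reached once a real session key was received."""
    req = urllib.request.Request(rest_url("storage/passwords"),
                                 headers=auth_header(session_key))
    # splunkd usually runs with a self-signed certificate on a test box;
    # keep verification on in production.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8")


# Constructed sample, shaped like a storage/passwords response
# (entry names are "<realm>:<username>:").
SAMPLE_RESPONSE = json.dumps({"entry": [
    {"name": "phantom:soar-prod:",
     "content": {"realm": "phantom", "username": "soar-prod",
                 "clear_password": "ph-token-EXAMPLE"}},
]})


def main() -> int:
    session_key = read_session_key()
    if not session_key:
        # Same branch as the quoted script. stderr from a scripted input is
        # recorded in splunkd.log under ExecProcessor, which is where to look.
        print("No session key received. Exiting", file=sys.stderr)
        return 1
    body = fetch_storage_passwords(session_key)
    token = find_clear_password(body, "phantom", "soar-prod")
    print("credential present" if token else "credential missing")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run stand-alone with nothing on stdin (`python3 example.py </dev/null`) and it reproduces the error from the question; under splunkd with passAuth set to an existing user, the key arrives on stdin and the REST call proceeds.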
Thank you and livehybrid for the assistance.
I went ahead and made a local folder, copy-pasted the inputs.conf file, and replaced the passAuth variable with passAuth = sc_admin, as I believe that's the admin user. I also added all the available roles I could, just for testing purposes.
Unfortunately I haven't received any events, so I'm wondering if I did something wrong and if there's a debug/log somewhere that would show if something were wrong. The audit is set for every 60 seconds, so I should be getting something every minute, but it just stopped entirely. I did restart the service, refreshed, and toggled the audit input on and off. Screenshots attached.
For troubleshooting, you can start with the steps below.
Check your inputs.conf for the script and see whether passAuth is configured with the correct user. If not, configure it explicitly and try again.
E.g.:

[script://$SPLUNK_HOME/etc/apps/SA-Phantom/bin/phantom_retry.py]
interval = 60
passAuth = splunk-system-user

#https://docs.splunk.com/Documentation/Splunk/9.4.2/Admin/Inputsconf
Ensure the user has enough capabilities (e.g. admin_all_objects, list_storage_passwords).
Also check $SPLUNK_HOME/var/log/splunk/python.log for any relevant error messages
Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
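The two checks in the reply above (is passAuth actually set once default/ and local/ are layered, and does that user hold the needed capabilities) can be scripted. The following is an added example, not the phantom app's or Splunk's own tooling. The stanza path follows the SA-Phantom form quoted in the reply; the conf text and the user JSON are constructed samples, and the field names assume the shape of a `authentication/users/<name>` REST response.

```python
"""Added example: layer default/local inputs.conf for the phantom_retry
stanza and check the passAuth user's capabilities. Not the app's own
code; the conf text and user JSON below are constructed samples."""
import configparser
import json
from typing import Dict, List, Optional

STANZA = "script://$SPLUNK_HOME/etc/apps/SA-Phantom/bin/phantom_retry.py"
REQUIRED_CAPABILITIES = ("admin_all_objects", "list_storage_passwords")

# Constructed: what default/inputs.conf and local/inputs.conf might hold.
DEFAULT_CONF = """
[script://$SPLUNK_HOME/etc/apps/SA-Phantom/bin/phantom_retry.py]
interval = 60
passAuth = admin
"""
LOCAL_CONF = """
[script://$SPLUNK_HOME/etc/apps/SA-Phantom/bin/phantom_retry.py]
passAuth = sc_admin
"""


def effective_stanza(*layers: str) -> Dict[str, str]:
    """Merge conf layers in precedence order (later layer wins), the way
    splunkd puts local/ over default/. Same answer as
    `splunk btool inputs list --debug` gives for one stanza."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the case of passAuth
    for text in layers:
        cp.read_string(text)
    return dict(cp[STANZA]) if cp.has_section(STANZA) else {}


def effective_passauth(*layers: str) -> Optional[str]:
    """The passAuth value the script will actually run under, if any."""
    return effective_stanza(*layers).get("passAuth")


def missing_capabilities(user_json: str,
                         required=REQUIRED_CAPABILITIES) -> List[str]:
    """Compare an authentication/users/<name> response against the
    capabilities the script needs (the endpoint reports the user's
    aggregated capabilities under content.capabilities)."""
    doc = json.loads(user_json)
    caps = set()
    for entry in doc.get("entry", []):
        caps.update(entry.get("content", {}).get("capabilities", []))
    return [c for c in required if c not in caps]


# Constructed: sc_admin carrying admin_all_objects but not
# list_storage_passwords, so credential lookups would fail silently.
SAMPLE_USER = json.dumps({"entry": [{"name": "sc_admin", "content": {
    "roles": ["sc_admin"],
    "capabilities": ["admin_all_objects", "edit_user"],
}}]})


def diagnose(default_conf: str, local_conf: str, user_json: str) -> List[str]:
    """Return findings in plain text; an empty list means both checks pass."""
    findings = []
    user = effective_passauth(default_conf, local_conf)
    if not user:
        findings.append("passAuth not set: script gets empty stdin and exits")
        return findings
    missing = missing_capabilities(user_json)
    if missing:
        findings.append(f"passAuth user {user} lacks: {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    for line in diagnose(DEFAULT_CONF, LOCAL_CONF, SAMPLE_USER) or ["ok"]:
        print(line)
```

On a real host, feed `effective_stanza` the actual files (or compare against `splunk btool inputs list script --debug`, which also prints which file each value came from), and obtain the user JSON with `curl -k -u <admin> https://localhost:8089/services/authentication/users/sc_admin?output_mode=json`. If `list_storage_passwords` is reported missing, the script can authenticate but cannot read the stored SOAR token, which looks like a silent stop rather than an error.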