Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there a way to get anonymous access to Splunk's kvstore from a Python script?

cloun
New Member
‎12-10-2016 09:56 AM

I am trying to implement pretty “unusual” App for Splunk.
By unusual, I mean that I see no standard/handy way of doing this.

Splunk Enterprise customer has a has a server farm running a software. The customer runs deploy to update code on these servers. During deploy, some abnormal behaviour may be observed across servers (i.e response times may be longer).
Also, sometimes some hardware shows its flaws affecting performance metrics of servers.

In short, the app uses predict (and Holt Winters) on servers performance metrics in an enhanced way.
The idea is to allow a user to save times of deploys or unhealthy hosts + time when particular server was not ok via web app (using kvstore) to then exclude events falling into this range from input of the predict command to then be able to efficiently detect outliers.
Also, exclusion works for future events preventing triggered alerts from bothering in time of scheduled deploy (again time is set through kvstore in the same way).

The obstacle is that I need to provide user credentials to the app, to allow the python stream filterer to use values in kvstore that is pretty inconvenient/insecure.
Is there a way to get anonymous read access to kvstore?

Or maybe there is a better way of doing described above (not using Python script to filter events by time ranges+hosts set in kvstore)

0 Karma
Reply

cloun
New Member
‎02-05-2017 11:19 AM

Answering my own question:

as command runs it receives AUTH header if enabled in commands.conf

enableheader = true 
passauth = true

header has the following form

{
"authString": "<auth><userId>admin</userId><username>admin</username>
<authToken>Sb...wC</authToken></auth>\n' chunked 1.0,494,0",
    "finished": true
}

You can use this token to go to KVStore

service = client.connect(token=token, owner='nobody', app='YourAppName') 
for row in self.service.kvstore['collection_name'].data.query(): 
    do job
0 Karma
Reply

samithamp
New Member
‎04-01-2019 08:48 PM

Hi @cloun ,
Thanks, for the answer. How do you get the header in the first place? Did you use a lower level lib (httplib, or binding) ?

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎12-13-2016 04:06 PM

Quick answer: No. The KVstore is tied to Splunkd, which requires authentication in order to provide read and write access.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...