Building for the Splunk Platform

Is there a way to get anonymous access to Splunk's kvstore from a Python script?

New Member

I am trying to implement pretty “unusual” App for Splunk.
By unusual, I mean that I see no standard/handy way of doing this.

Splunk Enterprise customer has a has a server farm running a software. The customer runs deploy to update code on these servers. During deploy, some abnormal behaviour may be observed across servers (i.e response times may be longer).
Also, sometimes some hardware shows its flaws affecting performance metrics of servers.

In short, the app uses predict (and Holt Winters) on servers performance metrics in an enhanced way.
The idea is to allow a user to save times of deploys or unhealthy hosts + time when particular server was not ok via web app (using kvstore) to then exclude events falling into this range from input of the predict command to then be able to efficiently detect outliers.
Also, exclusion works for future events preventing triggered alerts from bothering in time of scheduled deploy (again time is set through kvstore in the same way).

The obstacle is that I need to provide user credentials to the app, to allow the python stream filterer to use values in kvstore that is pretty inconvenient/insecure.
Is there a way to get anonymous read access to kvstore?

Or maybe there is a better way of doing described above (not using Python script to filter events by time ranges+hosts set in kvstore)

0 Karma

New Member

Answering my own question:

as command runs it receives AUTH header if enabled in commands.conf

enableheader = true 
passauth = true

header has the following form

"authString": "<auth><userId>admin</userId><username>admin</username>
<authToken>Sb...wC</authToken></auth>\n' chunked 1.0,494,0",
    "finished": true

You can use this token to go to KVStore

service = client.connect(token=token, owner='nobody', app='YourAppName') 
for row in self.service.kvstore['collection_name'].data.query(): 
    do job
0 Karma

New Member

Hi @cloun ,
Thanks, for the answer. How do you get the header in the first place? Did you use a lower level lib (httplib, or binding) ?

0 Karma

Splunk Employee
Splunk Employee

Quick answer: No. The KVstore is tied to Splunkd, which requires authentication in order to provide read and write access.

0 Karma
Get Updates on the Splunk Community!

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Python 2.7, the last release of Python 2, reached End of Life back on January 1, 2020. As part of our larger ...