Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What happens if I call splunk from a scripted input

PickleRick
SplunkTrust
SplunkTrust
‎05-24-2022 04:54 AM

I'm wondering what would happen if I ran "splunk btool whatever" from a script that's running as scrpited input. Theoretically - it should be run with whatever user the splunkd.exe is running with so the question is if it will have all the necessary rights and will run unattended properly or will it stop and ask for credentials?

The case in question is mostly about windows and spawning a subprocess from a powershell script but a general answer including unix is also welcome 🙂

Labels (1)
Labels
0 Karma
Reply

schose
Builder
‎05-24-2022 05:28 AM

Hi,

not sure if i get you correctly - you want to talk to splunkd using a scripted input without having credentials?generally "splunk btool whatever" would be a bad example, as this does not need splunkd to be running. 

<input>
  <server_host>art-macbook.local</server_host>
  <server_uri>https://127.0.0.1:8089</server_uri>
  <session_key>YmGDj6BtVw^dAb1UzmBjg8MwOegMXHeNtF17THnAoR0Ot2HXQ7BXZ9mPI^hNkdFN^yyTYvrPxjf0WThDmW9sahRomNrj^t^KYG8V30hE9gaPh2gVV7H0LnY</session_key>
  <checkpoint_dir>/Users/andreas/splunk/var/lib/splunk/modinputs/buba</checkpoint_dir>
  <configuration>
    <stanza name="buba://single" app="buba-backend">
      <param name="configfile">buba.conf</param>
      <param name="disabled">0</param>
      <param name="env">singlerestore</param>
      <param name="host">$decideOnStartup</param>
      <param name="index">default</param>
      <param name="interval">80000</param>
    </stanza>
  </configuration>
</input>

 

you should avoid scripted input, as they are deprecated. when you install a modular input instead your script is started and hand over a xml payload and you will find a session_key there. You can use this sessionkey to talk to splunkd.

 

regards,

Andreas

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎05-24-2022 05:45 AM

Yes, I know all of that 🙂

1) I don't want to call splunkd. I explicitly want to do "splunk btool" to check the configuration.

2) Modular inputs need whole splunk installation (indexer or HF) due to python dependency. I want something that can be run on UF.

BTW, scripted inputs are supposed to be deprecated but the TA_windows inputs are scripted inputs. 🙂

0 Karma
Reply

schose
Builder
‎05-24-2022 06:15 AM

Hi,

so if it's really only splunk btool you can run splunk btool using a scripted input. This will run the command as the splunk user. you can capture the output.. no problem. done this before.

regards. 

Andreas

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...