I'm wondering what would happen if I ran "splunk btool whatever" from a script that's running as scrpited input. Theoretically - it should be run with whatever user the splunkd.exe is running with so the question is if it will have all the necessary rights and will run unattended properly or will it stop and ask for credentials?
The case in question is mostly about windows and spawning a subprocess from a powershell script but a general answer including unix is also welcome 🙂
not sure if i get you correctly - you want to talk to splunkd using a scripted input without having credentials?generally "splunk btool whatever" would be a bad example, as this does not need splunkd to be running.
<input> <server_host>art-macbook.local</server_host> <server_uri>https://127.0.0.1:8089</server_uri> <session_key>YmGDj6BtVw^dAb1UzmBjg8MwOegMXHeNtF17THnAoR0Ot2HXQ7BXZ9mPI^hNkdFN^yyTYvrPxjf0WThDmW9sahRomNrj^t^KYG8V30hE9gaPh2gVV7H0LnY</session_key> <checkpoint_dir>/Users/andreas/splunk/var/lib/splunk/modinputs/buba</checkpoint_dir> <configuration> <stanza name="buba://single" app="buba-backend"> <param name="configfile">buba.conf</param> <param name="disabled">0</param> <param name="env">singlerestore</param> <param name="host">$decideOnStartup</param> <param name="index">default</param> <param name="interval">80000</param> </stanza> </configuration> </input>
you should avoid scripted input, as they are deprecated. when you install a modular input instead your script is started and hand over a xml payload and you will find a session_key there. You can use this sessionkey to talk to splunkd.
Yes, I know all of that 🙂
1) I don't want to call splunkd. I explicitly want to do "splunk btool" to check the configuration.
2) Modular inputs need whole splunk installation (indexer or HF) due to python dependency. I want something that can be run on UF.
BTW, scripted inputs are supposed to be deprecated but the TA_windows inputs are scripted inputs. 🙂
so if it's really only splunk btool you can run splunk btool using a scripted input. This will run the command as the splunk user. you can capture the output.. no problem. done this before.