Developing for Splunk Enterprise

Adding data to an index fails in Django class

Explorer

When I try to add event data into my index from within my Splunk/Django app it fails.

It works in my external unit test.

I've followed the instructions here. They work fine in the unit test, but the submit() and send() methods fail to add the data when within the app. I'd rather not have to write all events to file to make my system work (upload() works).

To be clear, the submit() fails with an exception, and the send() fails quietly.

I captured the traceback of the exception, and it makes it's way through splunklib/client.py and splunklib/binding.py, eventually resulting in a HTTPError: HTTP 404 Not Found.

Looking through the logs, I can see that the splunkd_access.log contains a clue as to what it is trying to access:


127.0.0.1 - user [date] "POST /servicesNS/nobody/myapp/receivers/simple?sourcetype=mysourcetype&index=myindex&source=mysource HTTP/1.0" 404 127 - - - 1ms
127.0.0.1 - user [date] "POST /servicesNS/receivers/simple?sourcetype=mysourcetype&index=myindex&source=mysource HTTP/1.0" 200 641 - - - 2ms

Reading the doco, 'nobody' mean 'all'. So why doesn't this resource exist? Given Splunk is creating the URL within the Python bindings, why does it create a URL that doesn't exist?

On a possibly related note, I noticed that the username attribute of the service is empty when within the app, but is set when I login externally.

In terms of permissions, I gave my user the edit_tcp capability. (This stopped my unit test from failing.)

Should I not use the index.submit() method from within the app? Is it broken? Or is there something I'm missing?

Thanks.

Tags (2)
0 Karma
1 Solution

Explorer

I've now tried using service.post(), and it works 🙂

service.post('services/receivers/simple', index='myindex', sourcetype='mysourcetype', source='mysource', body=event_data)

It's just a shame, because the Index.submit() interface seems like the right way to do it.

View solution in original post

Explorer

I've now tried using service.post(), and it works 🙂

service.post('services/receivers/simple', index='myindex', sourcetype='mysourcetype', source='mysource', body=event_data)

It's just a shame, because the Index.submit() interface seems like the right way to do it.

View solution in original post

Explorer

Splunk Answers seems to have swallowed my URL 'here' reference:
http://dev.splunk.com/view/python-sdk/SP-CAAAEE6#add2index

0 Karma