Developing for Splunk Enterprise

Can a custom search command launch a splunk search?

Super Champion

Is it possible for a custom search script to launch another splunk search?

I've been looking over the docs and sources for the splunk.Intersplunk module and I'm getting conflicting info. For example, getOrganizedResults() claims that settings will always be an empty dict, but I do get settings back. It also explicitly notes that the auth token is not handled, but the settings value of "sessionKey" is available. (Even when passauth is set to false, interestingly enough.) Then again, I see in crawl.py an example where the sessionKey is being used to make calls back to splunkd using the python SDK, so it seems like this must be working at some level.

However, if I attempt to actually launch a search using the sessionKey, owner, and namespace that is passed in via the settings dictionary to a new search, then it tells me that I get the following error:

splunk.AuthenticationFailed: [HTTP 401] Client is not authenticated; None

I've done some logging in my search command to confirm that the search command is working and that I'm getting a different sessionKey each time, but the given sessionKey seems to be unusable to launch another search.

If I hard code a call to splunk.auth.getSessionKey (logging on with the same user) then I can make the search work, but that's not really a solution.

Is this a bug, a feature? Any ideas?


Things I've tried:

  1. Using a normal (event fetching) search which is fed into my custom search script. If I try to run a saved search, a normal data fetching search, or a non-data command (like "metadata types=hosts") I keep getting the same AuthenticationFailed error shown above.
  2. Using an event-generating admin command ("| metadata type=hosts") to feed into my custom search command does allow me to launch a search or saved search successfully.

1 Solution

Splunk Employee

This appears to be a bug when running a search as a separate process. It appears that we create a session key for that process but not the main splunkd process. Could you try your custom search command with a search like "| metadata hosts | mysearchcommand" and see if it works?

Super Champion

I can confirm that the 4.1.4 release fixed this issue for me. It is now possible to execute a saved search from a search command!

0 Karma

Splunk Employee

This is tracked by SPL-31148.

0 Karma

Super Champion

Thanks Stephen. Guess I'll have to hard-code the login info in the script (or in a password file) for the time being... I'll be looking forward to 4.1.4. BTW, is there a SPL number for this issue?

0 Karma

Splunk Employee

Unfortunately there's no good workaround until we fix this. It is scheduled to arrive in 4.1.4.

0 Karma

Super Champion

I tried running my search command from a saved search that was set with dispatch.spawn_process = false, but I still get the auth errors. Any ideas on a workaround?

0 Karma

Super Champion

Stephen, you are correct. I can successfully launch a search from my custom search script if the first search command is metadata.

0 Karma
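
An added example, not part of the original thread and not Splunk's own code: a custom search command that launches its child search with the caller's sessionKey, owner and namespace from the settings dictionary, fails closed on the AuthenticationFailed error instead of falling back to hard-coded credentials, and logs only a fingerprint of the token. The helper names are hypothetical, and the `splunk.search.dispatch` keyword arguments and the job's `.id` attribute are assumed from Splunk's bundled Python library.

```python
import hashlib
import sys

REQUIRED = ("sessionKey", "owner", "namespace")  # settings keys named in the thread

class MissingAuthContext(Exception):
    """The settings dict lacked the caller's session context."""

def loggable(settings):
    """Copy of settings that is safe to log: the token becomes a short SHA-256
    fingerprint, enough to confirm that it differs between invocations."""
    safe = dict(settings)
    if safe.get("sessionKey"):
        digest = hashlib.sha256(safe["sessionKey"].encode("utf-8")).hexdigest()
        safe["sessionKey"] = "sha256:" + digest[:12]
    return safe

def run_subsearch(settings, query, dispatch):
    """Dispatch query as the invoking user. dispatch is injected so the logic
    can be exercised without splunkd (hypothetical helper)."""
    missing = [k for k in REQUIRED if not settings.get(k)]
    if missing:
        raise MissingAuthContext("settings lacks " + ", ".join(missing))
    return dispatch(query, sessionKey=settings["sessionKey"],
                    owner=settings["owner"], namespace=settings["namespace"])

def main():
    # These modules are importable only under Splunk's bundled Python.
    import splunk
    import splunk.Intersplunk as si
    import splunk.search
    results, _dummy, settings = si.getOrganizedResults()
    sys.stderr.write("settings: %r\n" % loggable(settings))
    try:
        job = run_subsearch(settings, "| metadata type=hosts", splunk.search.dispatch)
    except (MissingAuthContext, splunk.AuthenticationFailed) as err:
        # Fail closed: report the error, never fall back to stored credentials.
        si.outputResults(si.generateErrorResults("subsearch not authorized: %s" % err))
        return
    results.append({"child_sid": str(job.id)})  # assumes the job object exposes .id
    si.outputResults(results)

if __name__ == "__main__":
    main()
```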