What happens if I call splunk from a scripted input

PickleRick
SplunkTrust

I'm wondering what would happen if I ran "splunk btool whatever" from a script that's running as a scripted input. Theoretically, it should be run with whatever user splunkd.exe is running as, so the question is whether it will have all the necessary rights and run unattended properly, or whether it will stop and ask for credentials.

The case in question is mostly about Windows and spawning a subprocess from a PowerShell script, but a general answer including Unix is also welcome 🙂

0 Karma

schose
Builder

Hi,

Not sure if I get you correctly - you want to talk to splunkd using a scripted input without having credentials? Generally, "splunk btool whatever" would be a bad example, as this does not need splunkd to be running.

<input>
  <server_host>art-macbook.local</server_host>
  <server_uri>https://127.0.0.1:8089</server_uri>
  <session_key>YmGDj6BtVw^dAb1UzmBjg8MwOegMXHeNtF17THnAoR0Ot2HXQ7BXZ9mPI^hNkdFN^yyTYvrPxjf0WThDmW9sahRomNrj^t^KYG8V30hE9gaPh2gVV7H0LnY</session_key>
  <checkpoint_dir>/Users/andreas/splunk/var/lib/splunk/modinputs/buba</checkpoint_dir>
  <configuration>
    <stanza name="buba://single" app="buba-backend">
      <param name="configfile">buba.conf</param>
      <param name="disabled">0</param>
      <param name="env">singlerestore</param>
      <param name="host">$decideOnStartup</param>
      <param name="index">default</param>
      <param name="interval">80000</param>
    </stanza>
  </configuration>
</input>

 

You should avoid scripted inputs, as they are deprecated. When you install a modular input instead, your script is started and handed an XML payload, and you will find a session_key there. You can use this session key to talk to splunkd.

 

regards,

Andreas

0 Karma

PickleRick
SplunkTrust

Yes, I know all of that 🙂

1) I don't want to call splunkd. I explicitly want to do "splunk btool" to check the configuration.

2) Modular inputs need a whole Splunk installation (indexer or HF) due to the Python dependency. I want something that can be run on a UF.

BTW, scripted inputs are supposed to be deprecated but the TA_windows inputs are scripted inputs. 🙂

0 Karma

schose
Builder

Hi,

So if it's really only splunk btool, you can run splunk btool using a scripted input. This will run the command as the splunk user. You can capture the output. No problem. Done this before.

regards. 

Andreas
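
The approach discussed in this thread, as an added example that is not part of any post above: a PowerShell scripted-input script that runs `splunk btool` as a child process with stdin closed, so it cannot sit waiting on a prompt, and reports the account it actually ran under. Assumptions: `SPLUNK_HOME` is set in the script's environment, and the `inputs` conf name, the 60-second timeout and the `btool_*` field names are illustrative.

```powershell
# Added example, not from the thread: scripted input that runs btool unattended.
# Assumptions: SPLUNK_HOME is set for the script; "inputs", the 60 s timeout
# and the btool_* field names are illustrative.
$ts = Get-Date -Format o
$splunkExe = if ($env:SPLUNK_HOME) { Join-Path $env:SPLUNK_HOME 'bin\splunk.exe' } else { $null }
if (-not $splunkExe -or -not (Test-Path -LiteralPath $splunkExe -PathType Leaf)) {
    Write-Output "$ts btool_status=error reason=`"splunk.exe not found via SPLUNK_HOME`""
    exit 1
}

$psi = New-Object System.Diagnostics.ProcessStartInfo
$psi.FileName               = $splunkExe
$psi.Arguments              = 'btool inputs list --debug'
$psi.UseShellExecute        = $false   # required for stream redirection
$psi.CreateNoWindow         = $true
$psi.RedirectStandardInput  = $true
$psi.RedirectStandardOutput = $true
$psi.RedirectStandardError  = $true

$proc = [System.Diagnostics.Process]::Start($psi)
$proc.StandardInput.Close()            # child sees EOF instead of waiting on a prompt

# Drain both pipes asynchronously so a full buffer cannot stall the child.
$outTask = $proc.StandardOutput.ReadToEndAsync()
$errTask = $proc.StandardError.ReadToEndAsync()

if (-not $proc.WaitForExit(60000)) {
    $proc.Kill()
    Write-Output "$ts btool_status=timeout"
    exit 1
}

# Record which account the scripted input actually ran under.
$user = [Environment]::UserName
Write-Output "$ts btool_status=done exit_code=$($proc.ExitCode) run_as=`"$user`""
foreach ($line in ($outTask.Result -split "`r?`n")) {
    if ($line.Trim()) { Write-Output "$ts btool_line=$line" }
}
if ($errTask.Result.Trim()) {
    Write-Output "$ts btool_stderr=`"$($errTask.Result.Trim())`""
}
exit $proc.ExitCode
```

The `run_as` and `exit_code` fields in the indexed output show whether the service account had the rights btool needed, without anyone having to watch the run interactively.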
