Getting Data In

Splunk session key usage


HI Team,

I am having a hard time getting a response from splunk enterprise server.
Here is my use case- I have a rest url for splunk- which requires a custom PrivateAuth using an authorization header. Since this endpoint sits behind a firewall or is on internal company's network, team exposed a diff open gateway url -
The prob is that using just Private Auth headers is not enough as we need some user id/pwd authentication too.

So, I first make the call to to get a session key.
Then pass the session key in the header for this call- but I end up getting 401 Unauthorized. The prob is that my request is not reaching our gateways when I try these calls from Postman.
Help get unblocked please.

I saw the java code sample/python ones too, which you have. I see everywhere they say pass session key in header but that is not working.
In this post for the java sdk example,
My question is exactly the same. I see Service.login() and then setting of token in Service.setToken(String token)method. Nowhere is the sessionToken used from login call. How does this work?

Here are my requests-
curl -X POST \ \
-H 'Authorization: Intuit_IAM_Authentication intuit_appid= * ,intuit_app_secret=*' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Postman-Token: 92b955bd-2d36-4147-a316-da48beee5c93' \
-H 'cache-control: no-cache'


Then second call-
url -X POST \ \
-H 'Authorization: Splunk PGy1TOEhKIjC2Znp9J33R8oxthtTXKrzQeU_qlrOBhfFcHQkby9tYnuNBXcnR8AtMLLsJJc6gRto6L_tE7iXt^SoFO3r6TPebed45y^RHdBqTgh0buTIH671UC986JIF6r7' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Postman-Token: d7ef70d7-4f1e-4c47-8eac-25a2098d1b6c' \
-H 'cache-control: no-cache' \
-d 'output_mode=json&earliest_time=-1m&latest_time=now&search=search%20index%3D*acc*%20statusCode!%3D200%20intuit_tid%3D41204da5-1fed-65ac-b99e-0ca800d83da5%20%7C%20head%201%20%7C%20fields%20*&undefined='

The second calls fails everytime.

I do see intuit_tid →4119197e-6a6f-8183-b983-3a85eca9f063
WWW-Authenticate →Bearer realm="Intuit" returned in response but if I try searching my gateway logs, I can't find anything, so there is defi something blocking my calls even before it hits my splunk gateway url-

Tags (2)


Any help here team?

0 Karma

Esteemed Legend

This is a case for @Damien Dallimore

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!