Long running fill_summary_index and splunk.Authent...

patng_nw · ‎12-23-2018

I tried to do a long-running summary index backfill, filling many days of data, e.g.

$SPLUNK_HOME/bin/splunk cmd python $SPLUNK_HOME/bin/fill_summary_index.py -app search \
-name "summary-price-aarrr-activation" -et "-356d@d" -lt "now" -j 4 -dedup true -auth myauthparam

What happened is that it will run well for a while and then it died in the middle with a 401 error. So to finish this long running backfill I have to monitor the process, and re-run my script many times until it finished backfilling all the days. Wonder why such occasional 401 error and if there is any work around?

Started job 'batch__patrickng__search__RMD54c1ca4489ae38c1f_at_1535130000_10571' for saved search 'summary-price-aarrr-activation', UTC = 1535130000 (Sat Aug 25 01:00:00 2018)
 ... job 'batch__patrickng__search__RMD54c1ca4489ae38c1f_at_1534870800_10563' finished
Started job 'batch__patrickng__search__RMD54c1ca4489ae38c1f_at_1535216400_10572' for saved search 'summary-price-aarrr-activation', UTC = 1535216400 (Sun Aug 26 01:00:00 2018)
 ... job 'batch__patrickng__search__RMD54c1ca4489ae38c1f_at_1534957200_10564' finished
Started job 'batch__patrickng__search__RMD54c1ca4489ae38c1f_at_1535302800_10573' for saved search 'summary-price-aarrr-activation', UTC = 1535302800 (Mon Aug 27 01:00:00 2018)
 ... job 'batch__patrickng__search__RMD54c1ca4489ae38c1f_at_1535043600_10565' finished
Started job 'batch__patrickng__search__RMD54c1ca4489ae38c1f_at_1535389200_10574' for saved search 'summary-price-aarrr-activation', UTC = 1535389200 (Tue Aug 28 01:00:00 2018)
 ... job 'batch__patrickng__search__RMD54c1ca4489ae38c1f_at_1535130000_10571' FAILED: <class 'splunk.AuthenticationFailed'>
 ... job 'batch__patrickng__search__RMD54c1ca4489ae38c1f_at_1535216400_10572' FAILED: <class 'splunk.AuthenticationFailed'>
 ... job 'batch__patrickng__search__RMD54c1ca4489ae38c1f_at_1535302800_10573' FAILED: <class 'splunk.AuthenticationFailed'>
 ... job 'batch__patrickng__search__RMD54c1ca4489ae38c1f_at_1535389200_10574' FAILED: <class 'splunk.AuthenticationFailed'>
Traceback (most recent call last):
  File "/opt/splunk/bin/fill_summary_index.py", line 493, in <module>
    owner=owner, triggerActions=triggerStr, now=st)
  File "/opt/splunk/lib/python2.7/site-packages/splunk/search/__init__.py", line 2182, in __call__
    return getattr(_savedModuleInstance, self.methodName)(*args, **kwargs)
  File "/opt/splunk/lib/python2.7/site-packages/splunk/saved.py", line 54, in dispatchSavedSearch
    serverResponse, serverContent = rest.simpleRequest(uri, postargs=args, sessionKey=sessionKey)
  File "/opt/splunk/lib/python2.7/site-packages/splunk/rest/__init__.py", line 530, in simpleRequest
    raise splunk.AuthenticationFailed
splunk.AuthenticationFailed: [HTTP 401] Client is not authenticated

p_gurav · ‎12-25-2018

Hi patng_nw,
Please try passing -auth parameter in command itself.

patng_nw · ‎12-25-2018

Thanks. But of course I did, otherwise the command will fail immediately. I just didn't put it up there in my question. I just added that back to the question just in case it caused another confusion. 🙂

Long running fill_summary_index and splunk.AuthenticationFailed: [HTTP 401] Client is not authenticated

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?