Security

Issue using Auth Token within a bash script

calvinmcelroy
Path Finder

I am trying to work through an issue and cannot seem to find a answer. I need to create a bash script that uses an auth token to make calls to the Splunk Rest API. The script will be used by a custom app that is located on a searchhead (linux). Token Authentication has been enabled, and I can verify that the Token is enabled and valid.  I can use the Token to make ad-hoc Rest API requests via the terminal local to the searchhead. If I try to use it within the script I am seeing unexpected behavior. 

The token seems to be able to make certain API calls in the script but it cannot retrieve the results of the call. An example would be I can use the token in the script to initiate a search. I will receive back the Sid of that search. If I use the same script to try to retrieve the search results using the Sid, I get back nothing. No error message, but just no output at all. If I manually re-run the same API request using the Token and the same Sid outside of the script on the terminal. It will return my search result as expected. 

I have turned on debug logging for JsonWebTokenHandler and see no issue. This behavior happens if I use the bash interpreter to execute the script (./script.sh) or (/opt/splunk/etc/app/app_name/bin/script.sh). There is no difference if I execute the script with /opt/splunk/bin/splunk cmd <path_to_script>. 

I remember reading that there is something strange about the local interpreter that could be causing this, but I cannot find it again on google. Does anybody know what might be causing this behavior or how I can overcome this issue?

Searchhead is running Splunk version 8.1.2 hosted on Ubuntu. 

Labels (1)
0 Karma

calvinmcelroy
Path Finder

Another Detail - If I replace the token with username:password, the script can retrieve the search results using the sid.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...

SplunkTrust | 2024 SplunkTrust Application Period is Open!

It's that time again, folks! That's right, the application/nomination period for the 2024 SplunkTrust is ...