Is it possible for a custom search script to launch another splunk search?
I've been looking over the docs and sources for the splunk.Intersplunk module and I'm getting conflicting info. For example, getOrganizedResults() claims that settings will always be an empty dict, but I do get settings back. It also explicitly notes that the auth token is not handled, but the settings value of "sessionKey" is available. (Even when passauth is set to false, interestingly enough.) Then again, I see in crawl.py an example where the sessionKey is being used to make calls back to splunkd using the Python SDK, so it seems like this must be working at some level.
However, if I attempt to actually launch a search using the sessionKey, owner, and namespace that is passed in via the settings dictionary to a new search, then it tells me that I get the following error:
splunk.AuthenticationFailed: [HTTP 401] Client is not authenticated; None
I've done some logging in my search command to confirm that the search command is working and that I'm getting a different sessionKey each time, but the given sessionKey seems to be unusable to launch another search.
If I hard code a call to splunk.auth.getSessionKey (logging on with the same user) then I can make the search work, but that's not really a solution.
Is this a bug, a feature? Any ideas?
Things I've tried:
This appears to be a bug when running a search as a separate process. It appears that we create a session key for that process but not the main splunkd process. Could you try your custom search command with a search like "| metadata hosts | mysearchcommand" and see if it works?
I can confirm that the 4.1.4 release fixed this issue for me. It is now possible to execute a saved search from a search command!
This is tracked by SPL-31148.
Thanks Stephen. Guess I'll have to hard-code the login info in the script (or in a password file) for the time being... I'll be looking forward to 4.1.4. BTW, is there a SPL number for this issue?
Unfortunately there's no good workaround until we fix this. It is scheduled to arrive in 4.1.4.
I tried running my search command from a saved search that was set with dispatch.spawn_process = false, but I still get the auth errors. Any ideas on a workaround?
Stephen, you are correct. I can successfully launch a search from my custom search script if the first search command is metadata.