Can a custom search command launch a splunk search?

Lowell
Super Champion

Is it possible for a custom search script to launch another splunk search?

I've been looking over the docs and sources for the splunk.Intersplunk module and I'm getting conflicting info. For example, getOrganizedResults() claims that settings will always be an empty dict, but I do get settings back. It also explicitly notes that the auth token is not handled, but the settings value of "sessionKey" is available. (Even when passauth is set to false, interestingly enough.) Then again, I see in crawl.py an example where the sessionKey is being used to make calls back to splunkd using the python SDK, so it seems like this must be working at some level.

However, if I attempt to actually launch a search using the sessionKey, owner, and namespace that is passed in via the settings dictionary to a new search, then it tells me that I get the following error:

splunk.AuthenticationFailed: [HTTP 401] Client is not authenticated; None

I've done some logging in my search command to confirm that the search command is working and that I'm getting a different sessionKey each time, but the given sessionKey seems to be unusable to launch another search.

If I hard code a call to splunk.auth.getSessionKey (logging on with the same user) then I can make the search work, but that's not really a solution.

Is this a bug, a feature? Any ideas?


Things I've tried:

  1. Using a normal (event fetching) search which is fed into my custom search script. If I try to run a saved search, a normal data fetching search, or a non-data command (like "metadata types=hosts") I keep getting the same AuthenticationFailed error shown above.
  2. Using an event-generating admin command ("| metadata type=hosts") to feed into my custom search command does allow me to launch a search or saved search successfully.

1 Solution

Stephen_Sorkin
Splunk Employee

This appears to be a bug when running a search as a separate process. It appears that we create a session key for that process but not the main splunkd process. Could you try your custom search command with a search like "| metadata hosts | mysearchcommand" and see if it works?

Lowell
Super Champion

I can confirm that the 4.1.4 release fixed this issue for me. It is now possible to execute a saved search from a search command!

0 Karma
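
What the thread was aiming for, as an added example that is not from the original posts or Splunk's own code: parse the settings header a custom search command receives on stdin, then build a REST search request authenticated with the passed sessionKey instead of hard-coded login info. The header layout (URL-quoted `key:value` lines ended by a blank line), the management URL `https://127.0.0.1:8089`, the defaults for owner and namespace, and all helper names are assumptions.

```python
import io
import urllib.parse
import urllib.request

def read_settings(stream):
    """Parse the 'key:value' header lines that precede the CSV results (assumed layout)."""
    settings, last = {}, None
    for line in stream:
        line = line.rstrip("\r\n")
        if not line:                      # blank line ends the header
            break
        key, sep, val = line.partition(":")
        if sep:
            last = key
            settings[key] = urllib.parse.unquote(val)
        elif last:                        # continuation of a multi-line value
            settings[last] += "\n" + urllib.parse.unquote(line)
    return settings

def build_search_request(settings, query, base="https://127.0.0.1:8089"):
    """Build (not send) a oneshot search request that reuses the caller's session key."""
    key = settings.get("sessionKey")
    if not key:
        raise ValueError("no sessionKey in settings; not falling back to stored credentials")
    owner = urllib.parse.quote(settings.get("owner", "nobody"), safe="")
    app = urllib.parse.quote(settings.get("namespace", "search"), safe="")
    body = urllib.parse.urlencode(
        {"search": query, "exec_mode": "oneshot", "output_mode": "json"}).encode()
    req = urllib.request.Request(
        f"{base}/servicesNS/{owner}/{app}/search/jobs", data=body, method="POST")
    req.add_header("Authorization", "Splunk " + key)
    return req

def redact(req):
    """Header dict that is safe to log: the session key never reaches a log file."""
    return {k: ("Splunk <redacted>" if k.lower() == "authorization" else v)
            for k, v in req.header_items()}

# Constructed sample of what the command would read on stdin (not real data).
SAMPLE = ("sessionKey:0123abcd%5Econstructed\n"
          "owner:admin\nnamespace:search\n\n"
          "host,count\nweb01,3\n")

if __name__ == "__main__":
    req = build_search_request(read_settings(io.StringIO(SAMPLE)), "| metadata type=hosts")
    print(req.get_method(), req.full_url, redact(req))
```

Sending the request with `urllib.request.urlopen` raises `urllib.error.HTTPError` with code 401 when splunkd does not accept the key, which is the failure described in the question.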

Stephen_Sorkin
Splunk Employee

This is tracked by SPL-31148.

0 Karma

Lowell
Super Champion

Thanks Stephen. Guess I'll have to hard-code the login info in the script (or in a password file) for the time being... I'll be looking forward to 4.1.4. BTW, is there a SPL number for this issue?

0 Karma

Stephen_Sorkin
Splunk Employee

Unfortunately there's no good workaround until we fix this. It is scheduled to arrive in 4.1.4.

0 Karma

Lowell
Super Champion

I tried running my search command from a saved search that was set with dispatch.spawn_process = false, but I still get the auth errors. Any ideas on a workaround?

0 Karma

Lowell
Super Champion

Stephen, you are correct. I can successfully launch a search from my custom search script if the first search command is metadata.

0 Karma