Splunk Dev

Connecting to local Splunk instance from an app?

guldendraak
Explorer

When using the Splunk Python SDK, connecting to a Splunk instance is very easy as is described here: http://dev.splunk.com/view/python-sdk/SP-CAAAEE4

This typically uses the Splunk server address, port, username and password. Is there a better way to establish a connection to the local Splunk instance from an app? The doc mentions cookies but I am unsure how to use them.

0 Karma
1 Solution

coccyx
Path Finder

Yes, on a single instance of Splunk, this is easy. In a distributed install, not so much. There is, as far as I am aware, no way to get an authentication token that will authorize you to a whole Splunk cluster, so you must authenticate individually to each node. On the instance you're running your modular input on, however, this is supported.

If you look at the XML passed back to your modular input, there is a session token present. I'm not all that familiar with the Python SDK, but it looks like maybe it's the get_scheme() method on splunklib.modularinput.Script. See:
http://docs.splunk.com/Documentation/Splunk/7.1.2/AdvancedDev/ModInputsScripts#Define_a_scheme_for_i...
http://docs.splunk.com/Documentation/PythonSDK

The token you receive from the modular input is passed to connect as the token parameter.
http://dev.splunk.com/view/python-sdk/SP-CAAAEE4


0 Karma
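
An added example, not part of the original posts or of the Splunk SDK: it extracts the session key and management URI from the XML that splunkd writes to a modular input's stdin and turns them into arguments for `splunklib.client.connect`, so the app stores no username or password. The function names and the sample XML are constructed for illustration; the fallback to port 8089 assumes the default management port.

```python
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample of the XML splunkd writes to a modular input's stdin.
SAMPLE_INPUT_XML = """<input>
  <server_host>splunk-dev</server_host>
  <server_uri>https://127.0.0.1:8089</server_uri>
  <session_key>CONSTRUCTED-SESSION-KEY-0123456789</session_key>
  <checkpoint_dir>/opt/splunk/var/lib/splunk/modinputs/myinput</checkpoint_dir>
  <configuration>
    <stanza name="myinput://dev"><param name="interval">60</param></stanza>
  </configuration>
</input>"""


def connect_args_from_input_xml(xml_text):
    """Turn the modular-input XML into keyword arguments for client.connect()."""
    root = ET.fromstring(xml_text)
    if root.tag != "input":
        raise ValueError("not a modular input definition")
    uri = (root.findtext("server_uri") or "").strip()
    key = (root.findtext("session_key") or "").strip()
    if not uri or not key:
        raise ValueError("server_uri or session_key missing; cannot authenticate")
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("unexpected server_uri: %r" % uri)
    # REST calls authenticate with "Authorization: Splunk <session key>".
    token = key if key.startswith("Splunk ") else "Splunk " + key
    return {"scheme": parts.scheme, "host": parts.hostname,
            "port": parts.port or 8089, "token": token}


def redacted(args):
    """Copy of the arguments that is safe to log: the token is a live credential."""
    return dict(args, token="<redacted>")


def connect_local(xml_text):
    """Open a Service on the local splunkd without a stored username/password."""
    import splunklib.client as client  # requires the Splunk Python SDK
    return client.connect(**connect_args_from_input_xml(xml_text))


if __name__ == "__main__":
    # Under splunkd, read the real definition from stdin instead of the sample.
    xml_text = SAMPLE_INPUT_XML if sys.stdin.isatty() else sys.stdin.read()
    print(redacted(connect_args_from_input_xml(xml_text)))
```

The session key is valid only for a limited time and only on the instance that issued it, so log the redacted form and read a fresh key on each invocation rather than caching it.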

guldendraak
Explorer

That proved to be the right hint. When sub-classing splunklib.modularinput.script as is described here, one can simply use self.service, for example: job = self.service.jobs.create(search), where search is an actual Splunk search.

0 Karma

FritzWittwer_ol
Contributor

Do you want to connect a Splunk App back to the Splunk instance, or do you have a 'standalone' app which should connect to Splunk?
Splunk knows a sessionid which has a limited lifespan and can be used to authenticate a connection.

0 Karma

guldendraak
Explorer

The App is a custom developed app that defines a modular input (JSON from an API call). It would be nice - at least during development - to give the app the possibility to check on data that was already stored in Splunk earlier by that same app. Currently, this is done using username and password, but a more elegant way, such as using a token, maybe specific to that case, would be nice.

0 Karma