Splunk Dev

Is there a way to get anonymous access to Splunk's kvstore from a Python script?

cloun
New Member

I am trying to implement pretty “unusual” App for Splunk.
By unusual, I mean that I see no standard/handy way of doing this.

Splunk Enterprise customer has a has a server farm running a software. The customer runs deploy to update code on these servers. During deploy, some abnormal behaviour may be observed across servers (i.e response times may be longer).
Also, sometimes some hardware shows its flaws affecting performance metrics of servers.

In short, the app uses predict (and Holt Winters) on servers performance metrics in an enhanced way.
The idea is to allow a user to save times of deploys or unhealthy hosts + time when particular server was not ok via web app (using kvstore) to then exclude events falling into this range from input of the predict command to then be able to efficiently detect outliers.
Also, exclusion works for future events preventing triggered alerts from bothering in time of scheduled deploy (again time is set through kvstore in the same way).

The obstacle is that I need to provide user credentials to the app, to allow the python stream filterer to use values in kvstore that is pretty inconvenient/insecure.
Is there a way to get anonymous read access to kvstore?

Or maybe there is a better way of doing described above (not using Python script to filter events by time ranges+hosts set in kvstore)

0 Karma

cloun
New Member

Answering my own question:

as command runs it receives AUTH header if enabled in commands.conf

enableheader = true 
passauth = true

header has the following form

{
"authString": "<auth><userId>admin</userId><username>admin</username>
<authToken>Sb...wC</authToken></auth>\n' chunked 1.0,494,0",
    "finished": true
}

You can use this token to go to KVStore

service = client.connect(token=token, owner='nobody', app='YourAppName') 
for row in self.service.kvstore['collection_name'].data.query(): 
    do job
0 Karma

samithamp
New Member

Hi @cloun ,
Thanks, for the answer. How do you get the header in the first place? Did you use a lower level lib (httplib, or binding) ?

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

Quick answer: No. The KVstore is tied to Splunkd, which requires authentication in order to provide read and write access.

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...