Splunk Dev

Rest api error on get _raw events

sonicZ
Contributor

Hello,

I am experimenting with the REST api and pulling events with a script, It seems like authentication and search is pulling the correct events from the /results endpoint but i see an error on _raw events 

Error in events:

'_raw': 'Server: DC-C02SD43JG8WP, Error: Unable to run data '
'collection. Error: Password prompt encountered. '
'Aborting.',

 

 

#!/usr/local/bin/python3
# import time # need for sleep
from xml.dom import minidom

import time
import json, pprint

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)


base_url = 'https://127.0.0.1:8089'
username = 'admin'
password = 'changeme'

search_query = "search=search index=main earliest=-4y"

r = requests.get(base_url+"/servicesNS/admin/search/auth/login",
    data={'username':username,'password':password}, verify=False)

session_key = minidom.parseString(r.text).getElementsByTagName('sessionKey')[0].firstChild.nodeValue
print ("Session Key:", session_key)

r = requests.post(base_url + '/services/search/jobs/', data=search_query,
    headers = { 'Authorization': ('Splunk %s' %session_key)},
    verify = False)

sid = minidom.parseString(r.text).getElementsByTagName('sid')[0].firstChild.nodeValue
print ("Search ID", sid)

done = False
while not done:
    r = requests.get(base_url + '/services/search/jobs/' + sid,
        headers = { 'Authorization': ('Splunk %s' %session_key)},
        verify = False)
    response = minidom.parseString(r.text)
    for node in response.getElementsByTagName("s:key"):
        if node.hasAttribute("name") and node.getAttribute("name") == "dispatchState":
            dispatchState = node.firstChild.nodeValue
            print ("Search Status: ", dispatchState)
            if dispatchState == "DONE":
                done = True
            else:
                time.sleep(1)

r = requests.get(base_url + '/services/search/jobs/' + sid + '/results/',
    headers = { 'Authorization': ('Splunk %s' %session_key)},
    data={'output_mode': 'json'},
    verify = False)

pprint.pprint(json.loads(r.text))

 

 

 

Events returned, here is one entry sample, all events i am searching seem to get returned but not sure what's causing the _raw event error.

 

 

{'_bkt': 'main~18~95A72A43-AF2F-49CF-B85A-B0788E1AA28A',
              '_cd': '18:455',
              '_indextime': '1632029978',
              '_raw': 'Server: DC-C02SD43JG8WP, Error: Unable to run data '
                      'collection. Error: Password prompt encountered. '
                      'Aborting.',
              '_serial': '38',
              '_si': ['DC-C02SD43JG8WP', 'main'],
              '_sourcetype': 'ossec_agent_control',
              '_time': '2021-09-18T23:39:38.000-06:00',
              'host': 'DC-C02SD43JG8WP',
              'index': 'main',
              'linecount': '1',
              'source': 'ossec_agent_control',
              'sourcetype': 'ossec_agent_control',
              'splunk_server': 'DC-C02SD43JG8WP'},

 

 

 

Labels (1)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

But what's the problem? It seems you're getting your events. It's not a splunk error, it's an error being the contents of an event (in this case - coming from ossec). Or am I missing something?

0 Karma

sonicZ
Contributor

your right PickleRick, i  indexed in a bunch of other data as well.

should have paid attention to my actual event test data, assumed the error was something from the api script run, woops! just not familiar with the actual output yet.

 

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Get Agentic with Splunk Lantern: Connect to Cisco Cloud Control, Transform ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

July Community Events: Master ITSI 5.0 & Automate Splunk

Struggling with alert fatigue or feeling like you're spending more time on infrastructure maintenance than ...

New Release of Federated Search: Bringing Splunk Analytics to More of Your Data

Organizations today are generating more data than ever and storing it across cloud object stores, data lakes, ...