Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Rest api error on get _raw events

sonicZ
Contributor
‎09-19-2021 07:02 PM

Hello,

I am experimenting with the REST api and pulling events with a script, It seems like authentication and search is pulling the correct events from the /results endpoint but i see an error on _raw events 

Error in events:

'_raw': 'Server: DC-C02SD43JG8WP, Error: Unable to run data '
'collection. Error: Password prompt encountered. '
'Aborting.',

 

 

#!/usr/local/bin/python3
# import time # need for sleep
from xml.dom import minidom

import time
import json, pprint

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)


base_url = 'https://127.0.0.1:8089'
username = 'admin'
password = 'changeme'

search_query = "search=search index=main earliest=-4y"

r = requests.get(base_url+"/servicesNS/admin/search/auth/login",
    data={'username':username,'password':password}, verify=False)

session_key = minidom.parseString(r.text).getElementsByTagName('sessionKey')[0].firstChild.nodeValue
print ("Session Key:", session_key)

r = requests.post(base_url + '/services/search/jobs/', data=search_query,
    headers = { 'Authorization': ('Splunk %s' %session_key)},
    verify = False)

sid = minidom.parseString(r.text).getElementsByTagName('sid')[0].firstChild.nodeValue
print ("Search ID", sid)

done = False
while not done:
    r = requests.get(base_url + '/services/search/jobs/' + sid,
        headers = { 'Authorization': ('Splunk %s' %session_key)},
        verify = False)
    response = minidom.parseString(r.text)
    for node in response.getElementsByTagName("s:key"):
        if node.hasAttribute("name") and node.getAttribute("name") == "dispatchState":
            dispatchState = node.firstChild.nodeValue
            print ("Search Status: ", dispatchState)
            if dispatchState == "DONE":
                done = True
            else:
                time.sleep(1)

r = requests.get(base_url + '/services/search/jobs/' + sid + '/results/',
    headers = { 'Authorization': ('Splunk %s' %session_key)},
    data={'output_mode': 'json'},
    verify = False)

pprint.pprint(json.loads(r.text))

 

 

 

Events returned, here is one entry sample, all events i am searching seem to get returned but not sure what's causing the _raw event error.

 

 

{'_bkt': 'main~18~95A72A43-AF2F-49CF-B85A-B0788E1AA28A',
              '_cd': '18:455',
              '_indextime': '1632029978',
              '_raw': 'Server: DC-C02SD43JG8WP, Error: Unable to run data '
                      'collection. Error: Password prompt encountered. '
                      'Aborting.',
              '_serial': '38',
              '_si': ['DC-C02SD43JG8WP', 'main'],
              '_sourcetype': 'ossec_agent_control',
              '_time': '2021-09-18T23:39:38.000-06:00',
              'host': 'DC-C02SD43JG8WP',
              'index': 'main',
              'linecount': '1',
              'source': 'ossec_agent_control',
              'sourcetype': 'ossec_agent_control',
              'splunk_server': 'DC-C02SD43JG8WP'},

 

 

 

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-19-2021 10:16 PM

But what's the problem? It seems you're getting your events. It's not a splunk error, it's an error being the contents of an event (in this case - coming from ossec). Or am I missing something?

0 Karma
Reply

sonicZ
Contributor
‎09-20-2021 06:23 AM

your right PickleRick, i  indexed in a bunch of other data as well.

should have paid attention to my actual event test data, assumed the error was something from the api script run, woops! just not familiar with the actual output yet.

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Guide: Isolated OpenTelemetry Tracing for Multiple WARs in WildFly

Isolating Telemetry Boundaries: How to Trace Multiple WARs as Separate Services in One WildFly JVM   Executive ...

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...