I've got a great script that runs just fine with hardcoded credentials, but I'm having trouble making it work as a scripted input. The script uses the Python SDK to make several calls to Splunk.
I'm initializing the session key via:
import splunklib.results as results
import splunklib.client as client
import time
import sys
sessionKey = sys.stdin.readline().strip()
if len(sessionKey) == 0:
sys.stderr.write("Did not receive a session key from splunkd. " +
"Please enable passAuth in inputs.conf for this " +
"script\n")
exit(2)
sys.stdout.write("Got Session Key: " + sessionKey + "\n");
sys.stdout.flush()
Which does successfully print the sessionKey. I'm then initializing the Splunk service via:
# Create a Service instance and log in
service = client.connect(
host="ec2-54-148-178-247.us-west-2.compute.amazonaws.com",
port=8089,
token=sessionKey)
Which does not die, but as soon as I try to use that object:
job = service.jobs.create(searchquery_normal, **kwargs_normalsearch)
I get a crash:
12-09-2014 22:56:57.162 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_search_usage/bin/CheckDataStats.sh" Traceback (most recent call last):
12-09-2014 22:56:57.162 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_search_usage/bin/CheckDataStats.sh" File "/opt/splunk/etc/apps/splunk_search_usage/bin/CheckDataStats.py", line 46, in <module>
12-09-2014 22:56:57.162 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_search_usage/bin/CheckDataStats.sh" job = service.jobs.create(searchquery_normal, **kwargs_normalsearch)
12-09-2014 22:56:57.162 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_search_usage/bin/CheckDataStats.sh" AttributeError: 'NoneType' object has no attribute 'jobs'
Has anyone done this successfully?
This may be a bit late, but I was having the same problem, then I re-read the api doc. To use token, you have to use client.Service:
service = client.Service(token=sessionKey, host=host, port=port)
This may be a bit late, but I was having the same problem, then I re-read the api doc. To use token, you have to use client.Service:
service = client.Service(token=sessionKey, host=host, port=port)
Hmm. I'm not able to even parse the sessionKey out. I'm glad to hear you've got it working! What does your code look like?
Mine is:
import splunklib.results as results
import splunklib.client as client
import splunk.entity, splunk.Intersplunk
settings = dict()
records = splunk.Intersplunk.readResults(settings = settings, has_header = True)
sessionKey = settings['sessionKey']
And then I get an error saying that it can't find sessionKey.
My inputs configuration is:
[script://$SPLUNK_HOME/etc/apps/app/bin/script.py]
disabled = false
interval = 60
sourcetype = xyz
passAuth = true
I've also tried it with passAuth = admin
to no avail, based on the inputs.conf doc.
Found the problem -- I assumed that Intersplunk would parse out the sessionKey for me, when in reality it was the only thing passed. For anyone else stumbling across, here's the right config:
import splunklib.results as results
import splunklib.client as client
import sys
sessionKey = ""
for line in sys.stdin:
sessionKey = line
service = client.Service(token=sessionKey, host="127.0.0.1", port=8089, user="admin")
kwargs_normalsearch = {"exec_mode": "normal", "app": "splunk_search_usage"}
searchquery_normal = ' [... mysearch ...] '
job = service.jobs.create(searchquery_normal, **kwargs_normalsearch)
[.....]
You also do need to use passAuth = admin
in inputs.conf
Thanks for your help!