Scripted Input - Python SDK - passAuth Not Working

David
Splunk Employee

I've got a great script that runs just fine with hardcoded credentials, but I'm having trouble making it work as a scripted input. The script uses the Python SDK to make several calls to Splunk.

I'm initializing the session key via:

import splunklib.results as results
import splunklib.client as client
import time
import sys

sessionKey = sys.stdin.readline().strip()

if len(sessionKey) == 0:
    sys.stderr.write("Did not receive a session key from splunkd. " +
                     "Please enable passAuth in inputs.conf for this " +
                     "script\n")
    sys.exit(2)

sys.stdout.write("Got Session Key: " + sessionKey + "\n")
sys.stdout.flush()

Which does successfully print the sessionKey. I'm then initializing the Splunk service via:

# Create a Service instance and log in
service = client.connect(
    host="ec2-54-148-178-247.us-west-2.compute.amazonaws.com",
    port=8089,
    token=sessionKey)

Which does not die, but as soon as I try to use that object:

job = service.jobs.create(searchquery_normal, **kwargs_normalsearch)

I get a crash:

12-09-2014 22:56:57.162 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_search_usage/bin/CheckDataStats.sh" Traceback (most recent call last):
12-09-2014 22:56:57.162 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_search_usage/bin/CheckDataStats.sh"   File "/opt/splunk/etc/apps/splunk_search_usage/bin/CheckDataStats.py", line 46, in <module>
12-09-2014 22:56:57.162 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_search_usage/bin/CheckDataStats.sh"     job = service.jobs.create(searchquery_normal, **kwargs_normalsearch)
12-09-2014 22:56:57.162 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_search_usage/bin/CheckDataStats.sh" AttributeError: 'NoneType' object has no attribute 'jobs'

Has anyone done this successfully?

1 Solution

mschon314
Explorer

This may be a bit late, but I was having the same problem, then I re-read the API doc. To use a token, you have to use client.Service:

service = client.Service(token=sessionKey, host=host, port=port)

David
Splunk Employee

Hmm. I'm not able to even parse the sessionKey out. I'm glad to hear you've got it working! What does your code look like?

Mine is:

import splunklib.results as results
import splunklib.client as client
import splunk.entity, splunk.Intersplunk
settings = dict()
records = splunk.Intersplunk.readResults(settings = settings, has_header = True)
sessionKey = settings['sessionKey']

And then I get an error saying that it can't find sessionKey.

My inputs configuration is:

[script://$SPLUNK_HOME/etc/apps/app/bin/script.py]
disabled = false
interval = 60
sourcetype = xyz
passAuth = true

I've also tried it with passAuth = admin to no avail, based on the inputs.conf doc.

0 Karma

David
Splunk Employee

Found the problem -- I assumed that Intersplunk would parse out the sessionKey for me, when in reality it was the only thing passed. For anyone else stumbling across, here's the right config:

import splunklib.results as results
import splunklib.client as client
import sys

sessionKey = ""

# splunkd passes the session key as the only content on stdin
for line in sys.stdin:
    sessionKey = line.strip()  # drop the trailing newline

service = client.Service(token=sessionKey, host="127.0.0.1", port=8089, user="admin")
kwargs_normalsearch = {"exec_mode": "normal", "app": "splunk_search_usage"}

searchquery_normal = ' [... mysearch ...] '
job = service.jobs.create(searchquery_normal, **kwargs_normalsearch)
[.....]

You also do need to use passAuth = admin in inputs.conf

Thanks for your help!

0 Karma
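
An added example, not part of the thread or of the Splunk SDK: a hardened version of the stdin handling discussed above. It strips and validates the key that passAuth delivers and logs only a fingerprint to stderr, because a scripted input's stdout is indexed as event data while stderr goes to splunkd.log. The function names, the printable-ASCII check and the sample key are assumptions made for this example; `client.Service(token=..., host=..., port=...)` is the call from the accepted answer.

```python
import hashlib
import io
import sys


def read_session_key(stream):
    """Return the session key splunkd writes to stdin when passAuth is set."""
    key = stream.readline().strip()  # drop the trailing newline
    if not key:
        raise ValueError("no session key on stdin; is passAuth set in inputs.conf?")
    # The key ends up in an HTTP Authorization header, so refuse anything
    # that is not printable ASCII (assumption: real keys never contain
    # spaces, tabs, CR/LF or other control characters).
    if any(not ("!" <= ch <= "~") for ch in key):
        raise ValueError("session key contains unexpected characters")
    return key


def fingerprint(key):
    """Short, non-reversible tag for log lines; never log the key itself."""
    digest = hashlib.sha256(key.encode("ascii")).hexdigest()
    return "len=%d sha256=%s" % (len(key), digest[:8])


def open_service(key, host="127.0.0.1", port=8089):
    """Build the SDK Service object the way the accepted answer does."""
    import splunklib.client as client  # deferred: only present inside Splunk
    return client.Service(token=key, host=host, port=port)


if __name__ == "__main__":
    # Constructed stand-in for what splunkd would write to stdin.
    sample = io.StringIO("0123456789abcdef0123456789abcdef\n")
    try:
        key = read_session_key(sample)
    except ValueError as err:
        sys.stderr.write("passAuth problem: %s\n" % err)
        sys.exit(2)
    # Diagnostics go to stderr and carry only the fingerprint, so the
    # key is never written into an index.
    sys.stderr.write("got session key (%s)\n" % fingerprint(key))
```

In the real scripted input, pass `sys.stdin` to `read_session_key` and hand the result to `open_service`.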