Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Scripted Input - Python SDK - passAuth Not Working

David
Splunk Employee
Splunk Employee
‎12-09-2014 02:59 PM

I've got a great script that runs just fine with hardcoded credentials, but I'm having trouble making it work as a scripted input. The script uses the Python SDK to make several calls to Splunk.

I'm initializing the session key via:

import splunklib.results as results
import splunklib.client as client
import time
import sys

sessionKey = sys.stdin.readline().strip()

if len(sessionKey) == 0:
   sys.stderr.write("Did not receive a session key from splunkd. " +
                    "Please enable passAuth in inputs.conf for this " +
                    "script\n")
   exit(2)

sys.stdout.write("Got Session Key: " + sessionKey + "\n");
sys.stdout.flush()

Which does successfully print the sessionKey. I'm then initializing the Splunk service via:

# Create a Service instance and log in
service = client.connect(
    host="ec2-54-148-178-247.us-west-2.compute.amazonaws.com",
    port=8089,
    token=sessionKey)

Which does not die, but as soon as I try to use that object:

job = service.jobs.create(searchquery_normal, **kwargs_normalsearch)

I get a crash:

12-09-2014 22:56:57.162 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_search_usage/bin/CheckDataStats.sh" Traceback (most recent call last):
12-09-2014 22:56:57.162 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_search_usage/bin/CheckDataStats.sh"   File "/opt/splunk/etc/apps/splunk_search_usage/bin/CheckDataStats.py", line 46, in <module>
12-09-2014 22:56:57.162 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_search_usage/bin/CheckDataStats.sh"     job = service.jobs.create(searchquery_normal, **kwargs_normalsearch)
12-09-2014 22:56:57.162 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_search_usage/bin/CheckDataStats.sh" AttributeError: 'NoneType' object has no attribute 'jobs'

Has anyone done this successfully?

Reply
1 Solution
Solved! Jump to solution
Solution

mschon314
Explorer
‎12-22-2014 04:26 PM

This may be a bit late, but I was having the same problem, then I re-read the api doc. To use token, you have to use client.Service:

service = client.Service(token=sessionKey, host=host, port=port)

View solution in original post

Reply
Solved! Jump to solution
Solution

mschon314
Explorer
‎12-22-2014 04:26 PM

This may be a bit late, but I was having the same problem, then I re-read the api doc. To use token, you have to use client.Service:

service = client.Service(token=sessionKey, host=host, port=port)
Reply
Solved! Jump to solution

David
Splunk Employee
Splunk Employee
‎01-18-2015 10:13 AM

Hmm. I'm not able to even parse the sessionKey out. I'm glad to hear you've got it working! What does your code look like?

Mine is:

import splunklib.results as results
import splunklib.client as client
import splunk.entity, splunk.Intersplunk
settings = dict()
records = splunk.Intersplunk.readResults(settings = settings, has_header = True)
sessionKey = settings['sessionKey']

And then I get an error saying that it can't find sessionKey.

My inputs configuration is:

[script://$SPLUNK_HOME/etc/apps/app/bin/script.py]
disabled = false
interval = 60
sourcetype = xyz
passAuth = true

I've also tried it with passAuth = admin to no avail, based on the inputs.conf doc.

0 Karma
Reply
Solved! Jump to solution

David
Splunk Employee
Splunk Employee
‎01-18-2015 01:04 PM

Found the problem -- I assumed that Intersplunk would parse out the sessionKey for me, when in reality it was the only thing passed. For anyone else stumbling across, here's the right config:

import splunklib.results as results
import splunklib.client as client
import sys

sessionKey = ""

for line in sys.stdin:
  sessionKey = line

service = client.Service(token=sessionKey, host="127.0.0.1", port=8089, user="admin")
kwargs_normalsearch = {"exec_mode": "normal", "app": "splunk_search_usage"}

searchquery_normal = ' [... mysearch ...] '
job = service.jobs.create(searchquery_normal, **kwargs_normalsearch)
[.....]

You also do need to use passAuth = admin in inputs.conf

Thanks for your help!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security: Your Command Center for PCI DSS Compliance

Every security professional knows the drill. The PCI DSS audit is approaching, and suddenly everyone's asking ...

Developer Spotlight with Guilhem Marchand

From Splunk Engineer to Founder: The Journey Behind TrackMe    After spending over 12 years working full time ...

Cisco Catalyst Center Meets Splunk ITSI: From 'Payments Are Down' to Root Cause in ...

The Problem: When Networks and Services Don't Talk Payment systems fail at a retail location. Customers are ...