Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Scripted Input - Python SDK - passAuth Not Working

David
Splunk Employee
Splunk Employee
‎12-09-2014 02:59 PM

I've got a great script that runs just fine with hardcoded credentials, but I'm having trouble making it work as a scripted input. The script uses the Python SDK to make several calls to Splunk.

I'm initializing the session key via:

import splunklib.results as results
import splunklib.client as client
import time
import sys

sessionKey = sys.stdin.readline().strip()

if len(sessionKey) == 0:
   sys.stderr.write("Did not receive a session key from splunkd. " +
                    "Please enable passAuth in inputs.conf for this " +
                    "script\n")
   exit(2)

sys.stdout.write("Got Session Key: " + sessionKey + "\n");
sys.stdout.flush()

Which does successfully print the sessionKey. I'm then initializing the Splunk service via:

# Create a Service instance and log in
service = client.connect(
    host="ec2-54-148-178-247.us-west-2.compute.amazonaws.com",
    port=8089,
    token=sessionKey)

Which does not die, but as soon as I try to use that object:

job = service.jobs.create(searchquery_normal, **kwargs_normalsearch)

I get a crash:

12-09-2014 22:56:57.162 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_search_usage/bin/CheckDataStats.sh" Traceback (most recent call last):
12-09-2014 22:56:57.162 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_search_usage/bin/CheckDataStats.sh"   File "/opt/splunk/etc/apps/splunk_search_usage/bin/CheckDataStats.py", line 46, in <module>
12-09-2014 22:56:57.162 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_search_usage/bin/CheckDataStats.sh"     job = service.jobs.create(searchquery_normal, **kwargs_normalsearch)
12-09-2014 22:56:57.162 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_search_usage/bin/CheckDataStats.sh" AttributeError: 'NoneType' object has no attribute 'jobs'

Has anyone done this successfully?

Reply
1 Solution
Solved! Jump to solution
Solution

mschon314
Explorer
‎12-22-2014 04:26 PM

This may be a bit late, but I was having the same problem, then I re-read the api doc. To use token, you have to use client.Service:

service = client.Service(token=sessionKey, host=host, port=port)

View solution in original post

Reply
Solved! Jump to solution
Solution

mschon314
Explorer
‎12-22-2014 04:26 PM

This may be a bit late, but I was having the same problem, then I re-read the api doc. To use token, you have to use client.Service:

service = client.Service(token=sessionKey, host=host, port=port)
Reply
Solved! Jump to solution

David
Splunk Employee
Splunk Employee
‎01-18-2015 10:13 AM

Hmm. I'm not able to even parse the sessionKey out. I'm glad to hear you've got it working! What does your code look like?

Mine is:

import splunklib.results as results
import splunklib.client as client
import splunk.entity, splunk.Intersplunk
settings = dict()
records = splunk.Intersplunk.readResults(settings = settings, has_header = True)
sessionKey = settings['sessionKey']

And then I get an error saying that it can't find sessionKey.

My inputs configuration is:

[script://$SPLUNK_HOME/etc/apps/app/bin/script.py]
disabled = false
interval = 60
sourcetype = xyz
passAuth = true

I've also tried it with passAuth = admin to no avail, based on the inputs.conf doc.

0 Karma
Reply
Solved! Jump to solution

David
Splunk Employee
Splunk Employee
‎01-18-2015 01:04 PM

Found the problem -- I assumed that Intersplunk would parse out the sessionKey for me, when in reality it was the only thing passed. For anyone else stumbling across, here's the right config:

import splunklib.results as results
import splunklib.client as client
import sys

sessionKey = ""

for line in sys.stdin:
  sessionKey = line

service = client.Service(token=sessionKey, host="127.0.0.1", port=8089, user="admin")
kwargs_normalsearch = {"exec_mode": "normal", "app": "splunk_search_usage"}

searchquery_normal = ' [... mysearch ...] '
job = service.jobs.create(searchquery_normal, **kwargs_normalsearch)
[.....]

You also do need to use passAuth = admin in inputs.conf

Thanks for your help!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...