Splunk Dev

XML error when using python SDK on Splunk balanced url

maurelio79
Communicator

Hi to all, I get a strange error using the Python SDK when connecting to a balanced URL instead of a single host.

import splunklib.client as client

HOST = "splunk.balanced.url"
PORT = 8089
USERNAME = "admin"
PASSWORD = "changeme"
SCHEME = "https"
APP = "my_app"

# Create a Service instance and log in to Splunk

service = client.connect(
          host=HOST,
          port=PORT,
          username=USERNAME,
          password=PASSWORD,
          scheme=SCHEME,
          app=APP
          )

# List the name of every installed app
for app in service.apps:
    print(app.name)

But I got this error:

Traceback (most recent call last):
  File "test_connection.py", line 32, in <module>
    verify=False
  File "/opt/splunk/etc/apps/framework/contrib/splunk-sdk-python/splunklib/client.py", line 288, in connect
    return Service(**kwargs).login()
  File "/opt/splunk/etc/apps/framework/contrib/splunk-sdk-python/splunklib/binding.py", line 753, in login
    session = XML(body).findtext("./sessionKey")
  File "/usr/lib64/python2.6/xml/etree/ElementTree.py", line 964, in XML
    return parser.close()
  File "/usr/lib64/python2.6/xml/etree/ElementTree.py", line 1254, in close
    self._parser.Parse("", 1) # end of data
xml.parsers.expat.ExpatError: no element found: line 1, column 0

If I connect directly to the Splunk search head host I get the correct result: all app names.
Behind the balanced URL there is only one host at the moment (the same host from which I get the correct result).
Has anyone had a similar problem? Could it be a certificate issue? It seems that the XML returned is not correct.

Thanks very much and regards

0 Karma

harsmarvania57
Ultra Champion

When you say balanced URL, do you mean load balancer URL? If yes, have you configured a VIP on port 8089 in the LB?

0 Karma

maurelio79
Communicator

Yes, load balancer URL, and a simple curl with -k is working.
It seems that the response is an empty body with the SDK.

0 Karma

harsmarvania57
Ultra Champion

It looks like you are running the splunk-sdk-python which ships with Splunk itself, and looking at the version of that SDK, it is very old. I suggest you download the latest Splunk Python SDK from https://github.com/splunk/splunk-sdk-python/releases

If it does not work with the latest version of the Splunk Python SDK, can you please run the command below and check whether you are receiving a sessionKey or not.

curl -vk https://your_lb_url:8089/services/auth/login --data-urlencode username=your_username --data-urlencode password='your_password'
0 Karma

maurelio79
Communicator

I tried and I got a session key, so what does it mean? An old SDK version? But why is the problem present only if I go via the LB URL? It's very strange.

0 Karma

harsmarvania57
Ultra Champion

So it worked with the new Splunk Python SDK?

0 Karma

maurelio79
Communicator

We have Python 2.6.6, so I'm not sure I can test the new SDK; it requires python > 2.7

0 Karma

harsmarvania57
Ultra Champion

Maybe it's due to Python 2.6. If you have any other host which is running Python 2.7, then I suggest trying on that server.

0 Karma

maurelio79
Communicator

For the moment we "solved" the issue by modifying the file binding.py.
Inside the function handler we modified the function request from

 def request(url, message, **kwargs):
        scheme, host, port, path = _spliturl(url)
        body = message.get("body", "")
        head = {
            "Content-Length": str(len(body)),
            "Host": host,
            "User-Agent": "splunk-sdk-python/0.1",
            "Accept": "*/*",
        } # defaults
        for key, value in message["headers"]:
            head[key] = value
        method = message.get("method", "GET")

        connection = connect(scheme, host, port)
        try:
            connection.request(method, path, body, head)
            if timeout is not None:
                connection.sock.settimeout(timeout)
            response = connection.getresponse()
        finally:
            connection.close()


        return {
            "status": response.status,
            "reason": response.reason,
            "headers": response.getheaders(),
            "body": ResponseReader(response),
        }

to

 def request(url, message, **kwargs):
        scheme, host, port, path = _spliturl(url)
        body = message.get("body", "")
        head = {
            "Content-Length": str(len(body)),
            "Host": host,
            "User-Agent": "splunk-sdk-python/0.1",
            "Accept": "*/*",
        } # defaults
        for key, value in message["headers"]:
            head[key] = value
        method = message.get("method", "GET")

        connection = connect(scheme, host, port)
        try:
            connection.request(method, path, body, head)
            if timeout is not None:
                connection.sock.settimeout(timeout)
            response = connection.getresponse()
        finally:
        #    connection.close()
            pass

        return {
            "status": response.status,
            "reason": response.reason,
            "headers": response.getheaders(),
            "body": ResponseReader(response),
        }

Basically we removed the connection.close()

0 Karma
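Why dropping `connection.close()` changes the outcome, as an added example that is not part of the original post or of the SDK: the response body is read lazily after `request()` returns, so closing first can leave nothing to read. It uses Python 3's `http.client` with a constructed `FakeSocket` and canned replies; that the load balancer returned a keep-alive response is an assumption, not something the thread confirms.

```python
import http.client
import io
from xml.etree.ElementTree import XML, ParseError

# Constructed login reply; the session key value is a placeholder.
BODY = b"<response><sessionKey>CONSTRUCTED-KEY</sessionKey></response>"

class FakeSocket:
    """Constructed stand-in for a TCP socket that replays one canned HTTP reply."""
    def __init__(self, raw):
        self._raw = raw
    def sendall(self, data):
        pass  # the request bytes are discarded
    def makefile(self, mode, *args, **kwargs):
        return io.BytesIO(self._raw)
    def close(self):
        pass

def canned_reply(connection_header):
    """Build an HTTP/1.1 reply carrying the given Connection header value."""
    head = ("HTTP/1.1 200 OK\r\nContent-Length: %d\r\nConnection: %s\r\n\r\n"
            % (len(BODY), connection_header))
    return head.encode("ascii") + BODY

def login_body(connection_header, close_before_read):
    """Return the body bytes obtained when close() runs before or after read()."""
    conn = http.client.HTTPConnection("splunk.example", 8089)  # hypothetical host
    conn.sock = FakeSocket(canned_reply(connection_header))    # no network I/O
    conn.request("POST", "/services/auth/login", body=b"username=x")
    response = conn.getresponse()
    if close_before_read:
        conn.close()            # what the original finally: block does
        return response.read()  # lazy read, as a wrapper around response would do
    try:
        return response.read()  # drain the body while the connection is open
    finally:
        conn.close()

def session_key(body):
    """Parse sessionKey as the login step does; None when the body is empty."""
    try:
        return XML(body).findtext("./sessionKey")
    except ParseError:          # "no element found: line 1, column 0"
        return None
```

Reading the body before closing returns the full XML for both header values and still releases the connection, which commenting out the close does not.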

maurelio79
Communicator

Not tried yet. The curl worked, retrieving the session key. I will try with the new SDK and write the result here.

0 Karma