
I'm storing a few credentials in the Splunk keystore using setup.xml with endpoint="storage/passwords". I have no problem extracting the credential in my scripted input, since the session key is sent to its stdin. However, that is not the case for a search script (I think it's also referred to as a custom script). My script doesn't actually perform a Splunk search like the other activities related to my Splunk App, but I need to extract the password using the session key. I tested it to see what I get in stdin, and I do in fact get a few lines as follows, but I don't see how to get the session_key from these:
splunkVersion:6.4.1
allowStream:1
keywords:%22%22
search:%7C%20script%20search_script%20%22PARAM-1%22%20PARAM-2
sid:admin__admin_VEVTVF9BVVRI__search1_1469631525.79
realtime:0
preview:0
truncated:0

First you create /apps/appName/default/commands.conf:

[myCommandName]
filename = myCommandName.py
passauth = true

"passauth = true" is what sends the auth details through from SPL to your python command.

Then you create the python script in /apps/appName/bin/myCommandName.py:

import requests
import splunk.Intersplunk
import splunk.mining.dcutils as dcu

logger = dcu.getLogger()
# results = previous data in the search pipe
# settings = splunk 'header' (contains sessionKey when passauth = true)
results, dummy, settings = splunk.Intersplunk.getOrganizedResults()
sessionKey = settings.get("sessionKey")
# Below would log sessionKey to python.log, not the best idea, here for example
logger.info(sessionKey)
# Below logs the 1st result's _raw field to python.log, just an example of how to parse results from Intersplunk.getOrganizedResults
# (results is a list, so index it directly; guard against an empty pipeline)
if results:
    logger.info(results[0]["_raw"])

# Below sample function iterates over each row of results and adds your user's sessionKey as a field onto each row of the results
def addSessionKey(results, settings):
    for result in results:
        result["sessionKey"] = settings.get("sessionKey")
    return results

# Below is how you return your potentially modified search results back to the splunk search pipeline
splunk.Intersplunk.outputResults(addSessionKey(results, settings))

# example REST post using sessionKey
headers = {'Authorization': 'Splunk ' + settings.get("sessionKey")}
data = {'name': 'restart_link',
        'value': 'Splunk must be restarted for changes to take effect. [[/manager/search/control| Click here to restart from the Manager.]]',
        'severity': 'warn'}
# verify=False skips certificate checking for the local self-signed splunkd cert; point verify at your CA bundle instead if you have one
r = requests.post("https://localhost:8089/services/messages/new", headers=headers, data=data, verify=False)
logger.info(r.status_code)

Then you restart and execute the command: ... | myCommandName | table sessionKey
If it exits non-zero, look in the job log.
If it completes but doesn't give you proper results, check index=_internal source=*python*
There are other things in "settings" you may wish to explore. authString is used for manipulating splunk via the CLI, for example; user can be found in "results", etc. It's good to send both settings and results to the log and see what you have there.
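As an added example (not jkat54's code and not anything shipped with Splunk), the following stand-alone Python shows the plumbing the question is after under the v1 protocol: parsing the key:value header a search command reads on stdin, building the Authorization header from the sessionKey entry, keeping a redacted form for python.log, and selecting one credential out of a storage/passwords JSON response. The function names, the sample stdin header (modelled on the lines in the question, with a made-up sessionKey value) and the sample JSON are all constructed for this example; only the header format, the Authorization scheme and the storage/passwords endpoint are Splunk's own. The fetch helper uses an SSL context with a CA file rather than verify=False, so the session key is not sent over an unverified TLS connection.

```python
import json
import ssl
import urllib.parse
import urllib.request


def parse_intersplunk_header(stdin_text):
    """Parse the key:value header block a v1 (Intersplunk) search command
    receives on stdin. The header ends at the first blank line; what follows
    is the CSV of incoming results. Values are URL-encoded (see the 'search'
    line in the question), so decode them."""
    settings = {}
    for line in stdin_text.splitlines():
        if line.strip() == "":
            break  # blank line separates the header from the results
        key, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate a malformed line instead of crashing the command
        settings[key.strip()] = urllib.parse.unquote(value.strip())
    return settings


def auth_header(session_key):
    """Authorization header splunkd expects for a session key."""
    return {"Authorization": "Splunk " + session_key}


def redact(secret, keep=4):
    """Form that is safe to write to python.log: never log the full key."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - keep)


def find_clear_password(passwords_json, realm, username):
    """Pick the matching credential out of a storage/passwords response.
    Each entry's content carries realm, username and clear_password
    (the decrypted value, returned only to an authenticated caller)."""
    for entry in passwords_json.get("entry", []):
        content = entry.get("content", {})
        if content.get("realm") == realm and content.get("username") == username:
            return content.get("clear_password")
    return None


def fetch_passwords_json(session_key, app, host="https://localhost:8089", cafile=None):
    """GET storage/passwords for the given app using the session key.
    cafile is the CA that signed the splunkd certificate; None falls back to
    the system trust store rather than disabling verification. This makes a
    network call and is not exercised by the offline demo below."""
    url = "%s/servicesNS/nobody/%s/storage/passwords?output_mode=json" % (host, app)
    req = urllib.request.Request(url, headers=auth_header(session_key))
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read().decode("utf-8"))


# Constructed stdin, modelled on the question's lines plus the sessionKey
# line that passauth = true adds. The key value is made up.
SAMPLE_STDIN = """splunkVersion:6.4.1
allowStream:1
keywords:%22%22
search:%7C%20script%20search_script%20%22PARAM-1%22%20PARAM-2
sid:admin__admin_VEVTVF9BVVRI__search1_1469631525.79
sessionKey:EXAMPLE_SESSION_KEY_0123456789
realtime:0

"_raw",host
"event one",web01
"""

# Constructed storage/passwords JSON, trimmed to the fields used above.
SAMPLE_PASSWORDS_JSON = {
    "entry": [
        {"name": "myrealm:svc_user:",
         "content": {"realm": "myrealm", "username": "svc_user", "clear_password": "s3cr3t"}},
        {"name": ":other_user:",
         "content": {"realm": "", "username": "other_user", "clear_password": "other"}},
    ]
}


def demo():
    """Run the offline parts end to end on the constructed samples."""
    settings = parse_intersplunk_header(SAMPLE_STDIN)
    key = settings["sessionKey"]
    return {
        "search": settings["search"],
        "log_line": "sessionKey=" + redact(key),
        "auth": auth_header(key)["Authorization"],
        "password": find_clear_password(SAMPLE_PASSWORDS_JSON, "myrealm", "svc_user"),
        "missing": find_clear_password(SAMPLE_PASSWORDS_JSON, "myrealm", "nobody"),
    }


if __name__ == "__main__":
    print(demo())
```

In a real command you would replace SAMPLE_STDIN with sys.stdin.read() (or keep using splunk.Intersplunk.getOrganizedResults(), which does the same parsing for you) and feed the parsed sessionKey to fetch_passwords_json; the point of redact() is that the session key is a bearer credential for the calling user, so only its redacted form belongs in python.log.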
The accepted answer is now out-of-date. With the new version 2 of the protocol, use of Intersplunk is deprecated:
(as of Splunk 6.4.0): https://docs.splunk.com/Documentation/Splunk/6.4.0/Search/Aboutcustomsearchcommands
(as of today) https://docs.splunk.com/Documentation/Splunk/7.2.5/Search/Aboutcustomsearchcommands
Here is an example that works for me to use the session key to perform a search within a custom command without actually retrieving it myself and adding it as a header:

import sys
from splunklib.searchcommands import dispatch, StreamingCommand, Configuration

@Configuration()
class CustomCommand(StreamingCommand):
    def stream(self, records):
        mysearch = "search index=_internal"
        kwargs_create = {'earliest_time': '2019-04-01T12:00:00', 'latest_time': '2019-04-01T13:00:00'}  # one-hour window, ISO 8601
        job = self.service.jobs.create(mysearch, **kwargs_create)  # self.service is already authenticated as the calling user
        for record in records:
            record['sid'] = job.sid  # hand the dispatched job's sid downstream
            yield record

dispatch(CustomCommand, sys.argv, sys.stdin, sys.stdout, __name__)

Of course, add in all the appropriate error handling.
self.service returns a splunklib.client.Service object (https://docs.splunk.com/DocumentationStatic/PythonSDK/1.6.5/searchcommands.html#splunklib.searchcomm...), which already has an authentication token attached. The guidance in @jkat54's post about needing passauth = true in commands.conf still applies.
Incredibly helpful, thank you!
I downvoted this post because the answer is out of date. It appears that this guidance applies to version 1 of the custom search command protocol, which was deprecated just a couple of months before this answer was published.

Deprecated and EOL are two different things. There’s nothing wrong with this method. It still works.
Downvotes should be reserved for answers that would cause harm or answers that are vulgar/rude, etc.
yeah, I was unsure on downvoting. I guess I interpreted an out-of-date answer to be "harmful" because I was trying to use the latest recommended technology, and this answer led me down the wrong path and caused me to waste time. I considered that harmful. I can see how other people would disagree.

I still use Intersplunk in 7.2... so I don't believe it causes harm, but in general we don't go downvoting accepted answers from 2016 due to newness conflicts.

@supersleepwalker
Thank god! I've been struggling with this for two days. Thanks jkat54! I owe you one (or a thousand).
Make sure, if you copy and paste from the commands.conf example above, that you remove the comment:

passauth = true #<- the keys to the castle

It should just be:

passauth = true

Splunk conf files don't always like comments at the end of a line.

I've updated the answer to address this. Thank you for the feedback.

Hi,
I used the same approach but I received this error:

command="remedyincidentcreate", Failed to get conf=remedy, stanza=remedy_account, status=401, reason=Unauthorized, detail= call not properly authenticated

I have set passauth = true and inserted the following in my script:

import sys
import splunk.Intersplunk as si

def main():
    results, dummyresults, settings = si.getOrganizedResults()
    handler = RemedyIncidentCreateManual()  # defined elsewhere in the app (not shown here)
    handler.handle()

if __name__ == '__main__':
    main()

Any help is appreciated.

Then you're trying to pass the Splunk authentication token to Remedy? That's not going to work at all. You'll have a different auth token / user & pass for Remedy. The auth token here is for Splunk only.

Instead of using | script... is writing a custom SPL command in python an option?
If so, it's a bit easier; you can use something akin to "sessionKey=self.getSessionKey()".

Yes, a custom SPL command in python is surely an option. Will I need the Python SDK for that? Can you refer me to some example or link for that?

I write my own python SPL commands without use of the SDK. Hold on for a moment and I'll share an example.
