For security purposes we wish to do a search from an untrusted host (which could be compromised), and therefore cannot allow the remote indexers to be search peers: if the search head in question is compromised, they could do searches with deletes.
I don't see any way to control what a search head does on an indexer. I saw something about a search peer account possibly being introduced in a release to restrict privileges?
Can we do a custom search command that does a remote search via SSH, generates events and returns the results so that it looks like a "local" search?
What would the output format be on the remote side?
Any help is much appreciated!
The SSH part is tested and works.
I have the below, but as you can see I cannot code, so I need help.
I am not sure about the remote output format: must it be parsed, processed, etc.?
Can this even be done?
I get "External search command 'helloworld' returned error code 1."
And running the below hangs until interrupted:
[splunk@anomaly splunk]$ ./bin/splunk cmd python etc/apps/search/bin/helloworld.py
^CERROR "Error : Traceback:
Traceback (most recent call last):
  File "etc/apps/search/bin/helloworld.py", line 14, in <module>
    results, dummyresults, settings = splunk.Intersplunk.getOrganizedResults()
  File "/opt/splunk/lib/python2.7/site-packages/splunk/Intersplunk.py", line 310, in getOrganizedResults
    results = readResults(input_str, settings)
  File "/opt/splunk/lib/python2.7/site-packages/splunk/Intersplunk.py", line 263, in readResults
    first = False
KeyboardInterrupt
"
[helloworld]
filename = helloworld.py
generating = true
streaming = true
supports_rawargs = true
import subprocess
import time
import splunk.Intersplunk

def hello(results, settings):
    # The remote command is one string that the remote shell parses; passing
    # argv as a list avoids a second round of quoting by a local shell.
    remote_cmd = ("/opt/splunkindexer/bin/splunk search 'index=test' "
                  "-earliest_time -300d@d -latest_time @d -output rawdata "
                  "-auth admin:changeyou -uri https://127.0.0.1:8089")
    output = subprocess.check_output(
        ["ssh", "-i", "/home/splunk/.ssh/id_rsa", "10.0.0.242", remote_cmd])
    # outputResults() expects a list of dicts (one per event), not a string,
    # so each line of the rawdata output becomes one event in _raw.
    for line in output.splitlines():
        if line:
            results.append({"_raw": line, "_time": time.time()})
    return results

# getOrganizedResults() reads the settings header from stdin, which is why
# running the script by hand in a terminal blocks until it is interrupted.
results, dummyresults, settings = splunk.Intersplunk.getOrganizedResults()
results = hello(results, settings)
splunk.Intersplunk.outputResults(results)
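The following is an added example of the same idea, not the poster's script and not Splunk-provided code: a generating command that runs one fixed search on the indexer over SSH, has the indexer emit CSV (`-output csv` instead of `rawdata`, so the header row tells us the field names), and converts the rows into the list of dicts that `splunk.Intersplunk.outputResults()` wants. It assumes Python 3 (Splunk 8 or later), an unprivileged `splunksearch` account on the indexer, the key path and address shown, and that the CSV sample embedded for the offline dry run is constructed, not captured output.

```python
"""Generating custom search command: run a fixed search on a remote indexer
over SSH and emit the rows as local events.  Added example, not the poster's
code; hostnames, paths and the CSV sample below are assumptions."""
import csv
import io
import subprocess
import time
from datetime import datetime

# Assumed: key-only login as an unprivileged account on the indexer.  The
# remote argument ("run-search") is deliberately a token: the indexer's
# authorized_keys entry is expected to pin the real command with command="...".
SSH_TARGET = "splunksearch@10.0.0.242"
SSH_KEY = "/home/splunk/.ssh/id_rsa"


def remote_argv():
    """argv list, no shell=True: nothing on the search head re-parses this."""
    return ["ssh", "-i", SSH_KEY, "-o", "BatchMode=yes",
            "-o", "StrictHostKeyChecking=yes", SSH_TARGET, "run-search"]


def parse_time(value):
    """Accept epoch seconds or ISO-8601 in the _time column; fall back to
    'now' so a row with an unparseable timestamp is still returned."""
    try:
        return float(value)
    except ValueError:
        pass
    for fmt in ("%Y-%m-%dT%H:%M:%S.%f%z", "%Y-%m-%dT%H:%M:%S%z"):
        try:
            return datetime.strptime(value, fmt).timestamp()
        except ValueError:
            continue
    return time.time()


def rows_to_events(csv_text):
    """Turn the remote CSV (header row + one row per result) into the list of
    dicts outputResults() expects.  Only fields named in the header are kept,
    and nothing coming back from the indexer is executed or eval'd locally."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = row.get("_raw", "")
        if not raw:
            continue  # skip blank or malformed rows instead of failing the search
        event = {k: v for k, v in row.items() if k and v is not None}
        event["_time"] = parse_time(row.get("_time", ""))
        event["_raw"] = raw
        events.append(event)
    return events


def run_remote_search(timeout_s=120):
    """Execute the fixed remote search; raise on failure so Splunk reports the
    error instead of silently returning zero results."""
    out = subprocess.check_output(remote_argv(), timeout=timeout_s)
    return rows_to_events(out.decode("utf-8", "replace"))


# Constructed sample of what `splunk search ... -output csv` returns; used
# only for a local dry run of the parser.
SAMPLE_CSV = (
    '"_time","_raw","host","sourcetype"\n'
    '"1577934245","Jan  2 03:04:05 web01 sshd[1]: Failed password for root","web01","syslog"\n'
    '"2020-01-02T03:04:06.000+00:00","Jan  2 03:04:06 web01 sshd[1]: Accepted publickey for app","web01","syslog"\n'
    '"1577934247","","web01","syslog"\n'
)


if __name__ == "__main__":
    # Inside Splunk: consume the settings header on stdin, then emit events.
    import splunk.Intersplunk
    try:
        _results, _dummy, _settings = splunk.Intersplunk.getOrganizedResults()
        splunk.Intersplunk.outputResults(run_remote_search())
    except Exception as exc:
        splunk.Intersplunk.generateErrorResults(str(exc))
```

Two things make this hold up when the search head is the untrusted side. On the indexer, the key's `authorized_keys` line carries `command="/opt/splunkindexer/bin/splunk search ... -output csv",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding`, so a stolen key can run that one search and nothing else (the search head's `run-search` argument is ignored by OpenSSH when a forced command is set). The `-auth` user behind that command should be a dedicated Splunk account in a role without the `delete_by_keyword` capability (i.e. not `can_delete`), which is what actually removes the "searches with deletes" risk the question raises.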
I just stumbled across your question, and I happen to be developing a very similar Modular Input. Basically, it uses Pexpect to SSH into a device, and executes a list of commands that you configure. The output of each command is a multiline event.
If you are interested in beta testing this App, email me at firstname.lastname@example.org.
Not following why you need to SSH in instead of just issuing a search directly using the REST API available on the splunkd port (8089) - firewall issues or...?