The accepted answer is now out-of-date. With the new version 2 of the protocol, use of Intersplunk is deprecated:
(as of Splunk 6.4.0): https://docs.splunk.com/Documentation/Splunk/6.4.0/Search/Aboutcustomsearchcommands
(as of today) https://docs.splunk.com/Documentation/Splunk/7.2.5/Search/Aboutcustomsearchcommands
Here is an example that works for me to use the session key to perform a search within a custom command without actually retrieving it myself and adding it as a header:
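```python
import sys
from splunklib.searchcommands import dispatch, StreamingCommand, Configuration
@Configuration()
class CustomCommand(StreamingCommand):
    def stream(self, records):
        mysearch = "search index=_internal"
        kwargs_create = {'earliest_time': '2019-04-01T12:00:00', 'latest_time': '2019-04-01T13:00:00'}  # example window
        job = self.service.jobs.create(mysearch, **kwargs_create)  # self.service is already authenticated
        for record in records:  # pass the incoming events through unchanged
            yield record

dispatch(CustomCommand, sys.argv, sys.stdin, sys.stdout, __name__)
```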
Of course, add in all the appropriate error handling.
self.service returns a splunklib.client.Service object (https://docs.splunk.com/DocumentationStatic/PythonSDK/1.6.5/searchcommands.html#splunklib.searchcommands.StreamingCommand.service), which already has an authentication token attached. The guidance in @jkat54's post about needing passauth = true in commands.conf still applies.
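Added example, not part of the original post or of the Splunk SDK: one way to wrap the nested search with the error handling the post leaves to the reader, so the session token is never read or logged and the job is always cleaned up. The helper name `run_bounded_search` and its parameters are assumptions; it expects the `splunklib.client.Service` object that `self.service` returns.

```python
import json


def run_bounded_search(service, query, earliest, latest, max_results=100):
    """Run `query` with an already-authenticated Service and return result rows.

    `service` is expected to be the splunklib.client.Service from
    self.service inside a custom search command (assumption: the helper
    itself is hypothetical, not SDK code). The session token stays inside
    the Service object; this function never reads or logs it.
    """
    if max_results < 1:
        raise ValueError("max_results must be positive")

    job = None
    try:
        # Blocking mode returns once the search has finished, so no polling
        # loop is needed. The time window and max_count bound the work the
        # nested search can do under the calling user's session.
        job = service.jobs.create(
            query,
            exec_mode="blocking",
            earliest_time=earliest,
            latest_time=latest,
            max_count=max_results,
        )

        # Job properties come back as strings ("0" / "1").
        if job["isFailed"] == "1":
            raise RuntimeError("nested search job failed")

        # Ask for JSON so the rows can be parsed with the standard library.
        stream = job.results(output_mode="json", count=max_results)
        return json.loads(stream.read())["results"]
    finally:
        # Always remove the job, on success or failure, so search artifacts
        # do not accumulate on the search head.
        if job is not None:
            job.cancel()
```

Inside `stream()`, this would be called as `run_bounded_search(self.service, "search index=_internal", '2019-04-01T12:00:00', '2019-04-01T13:00:00')`.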