Building for the Splunk Platform

Is there a way to get anonymous access to Splunk's kvstore from a Python script?

cloun
New Member

I am trying to implement pretty “unusual” App for Splunk.
By unusual, I mean that I see no standard/handy way of doing this.

Splunk Enterprise customer has a has a server farm running a software. The customer runs deploy to update code on these servers. During deploy, some abnormal behaviour may be observed across servers (i.e response times may be longer).
Also, sometimes some hardware shows its flaws affecting performance metrics of servers.

In short, the app uses predict (and Holt Winters) on servers performance metrics in an enhanced way.
The idea is to allow a user to save times of deploys or unhealthy hosts + time when particular server was not ok via web app (using kvstore) to then exclude events falling into this range from input of the predict command to then be able to efficiently detect outliers.
Also, exclusion works for future events preventing triggered alerts from bothering in time of scheduled deploy (again time is set through kvstore in the same way).

The obstacle is that I need to provide user credentials to the app, to allow the python stream filterer to use values in kvstore that is pretty inconvenient/insecure.
Is there a way to get anonymous read access to kvstore?

Or maybe there is a better way of doing described above (not using Python script to filter events by time ranges+hosts set in kvstore)

0 Karma

cloun
New Member

Answering my own question:

as command runs it receives AUTH header if enabled in commands.conf

enableheader = true 
passauth = true

header has the following form

{
"authString": "<auth><userId>admin</userId><username>admin</username>
<authToken>Sb...wC</authToken></auth>\n' chunked 1.0,494,0",
    "finished": true
}

You can use this token to go to KVStore

service = client.connect(token=token, owner='nobody', app='YourAppName') 
for row in self.service.kvstore['collection_name'].data.query(): 
    do job
0 Karma

samithamp
New Member

Hi @cloun ,
Thanks, for the answer. How do you get the header in the first place? Did you use a lower level lib (httplib, or binding) ?

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

Quick answer: No. The KVstore is tied to Splunkd, which requires authentication in order to provide read and write access.

0 Karma
Get Updates on the Splunk Community!

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Avoid Certificate Expiry Issues in Splunk Enterprise with Certificate Assist

This blog post is part 2 of 4 of a series on Splunk Assist. Click the links below to see the other ...

Using Machine Learning for Hunting Security Threats

REGISTER NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more ...