Getting Data In

Splunk session key usage

mishiehow
Explorer

HI Team,

I am having a hard time getting a response from splunk enterprise server.
Here is my use case- I have a rest url for splunk-
https://splunk-cto-prd-search-rest.platform.intuit.net/services/search/jobs/export which requires a custom PrivateAuth using an authorization header. Since this endpoint sits behind a firewall or is on internal company's network, team exposed a diff open gateway url -
https://splunkcto.api.intuit.com/services/search/jobs
The prob is that using just Private Auth headers is not enough as we need some user id/pwd authentication too.

So, I first make the call to https://splunkcto.api.intuit.com/services/auth/login to get a session key.
Then pass the session key in the header for this call- https://splunkcto.api.intuit.com/services/search/jobs but I end up getting 401 Unauthorized. The prob is that my request is not reaching our gateways when I try these calls from Postman.
Help get unblocked please.

I saw the java code sample/python ones too, which you have. I see everywhere they say pass session key in header but that is not working.
In this post for the java sdk example, https://answers.splunk.com/answers/240878/java-sdk-connect-with-sessionkey.html
My question is exactly the same. I see Service.login() and then setting of token in Service.setToken(String token)method. Nowhere is the sessionToken used from login call. How does this work?

Here are my requests-
curl -X POST \
https://splunkcto.api.intuit.com/services/auth/login \
-H 'Authorization: Intuit_IAM_Authentication intuit_appid= * ,intuit_app_secret=*' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Postman-Token: 92b955bd-2d36-4147-a316-da48beee5c93' \
-H 'cache-control: no-cache'

<sessionKey>PGy1TOEhKIjC2Znp9J33R8oxthtTXKrzQeU_qlrOBhfFcHQkby9tYnuNBXcnR8AtMLLsJJc6gRto6L_tE7iXt^SoFO3r6TPebed45y^RHdBqTgh0buTIH671UC986JIF6r7</sessionKey>

Then second call-
url -X POST \
https://splunkcto.api.intuit.com/services/search/jobs \
-H 'Authorization: Splunk PGy1TOEhKIjC2Znp9J33R8oxthtTXKrzQeU_qlrOBhfFcHQkby9tYnuNBXcnR8AtMLLsJJc6gRto6L_tE7iXt^SoFO3r6TPebed45y^RHdBqTgh0buTIH671UC986JIF6r7' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Postman-Token: d7ef70d7-4f1e-4c47-8eac-25a2098d1b6c' \
-H 'cache-control: no-cache' \
-d 'output_mode=json&earliest_time=-1m&latest_time=now&search=search%20index%3D*acc*%20statusCode!%3D200%20intuit_tid%3D41204da5-1fed-65ac-b99e-0ca800d83da5%20%7C%20head%201%20%7C%20fields%20*&undefined='

The second calls fails everytime.

I do see intuit_tid →4119197e-6a6f-8183-b983-3a85eca9f063
WWW-Authenticate →Bearer realm="Intuit" returned in response but if I try searching my gateway logs, I can't find anything, so there is defi something blocking my calls even before it hits my splunk gateway url- https://splunkcto.api.intuit.com.

Tags (2)

mishiehow
Explorer

Any help here team?

0 Karma

woodcock
Esteemed Legend

This is a case for @Damien Dallimore

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...