Splunk Dev

Is there a way to get anonymous access to Splunk's kvstore from a Python script?

New Member

I am trying to implement pretty “unusual” App for Splunk.
By unusual, I mean that I see no standard/handy way of doing this.

Splunk Enterprise customer has a has a server farm running a software. The customer runs deploy to update code on these servers. During deploy, some abnormal behaviour may be observed across servers (i.e response times may be longer).
Also, sometimes some hardware shows its flaws affecting performance metrics of servers.

In short, the app uses predict (and Holt Winters) on servers performance metrics in an enhanced way.
The idea is to allow a user to save times of deploys or unhealthy hosts + time when particular server was not ok via web app (using kvstore) to then exclude events falling into this range from input of the predict command to then be able to efficiently detect outliers.
Also, exclusion works for future events preventing triggered alerts from bothering in time of scheduled deploy (again time is set through kvstore in the same way).

The obstacle is that I need to provide user credentials to the app, to allow the python stream filterer to use values in kvstore that is pretty inconvenient/insecure.
Is there a way to get anonymous read access to kvstore?

Or maybe there is a better way of doing described above (not using Python script to filter events by time ranges+hosts set in kvstore)

0 Karma

New Member

Answering my own question:

as command runs it receives AUTH header if enabled in commands.conf

enableheader = true 
passauth = true

header has the following form

"authString": "<auth><userId>admin</userId><username>admin</username>
<authToken>Sb...wC</authToken></auth>\n' chunked 1.0,494,0",
    "finished": true

You can use this token to go to KVStore

service = client.connect(token=token, owner='nobody', app='YourAppName') 
for row in self.service.kvstore['collection_name'].data.query(): 
    do job
0 Karma

New Member

Hi @cloun ,
Thanks, for the answer. How do you get the header in the first place? Did you use a lower level lib (httplib, or binding) ?

0 Karma

Splunk Employee
Splunk Employee

Quick answer: No. The KVstore is tied to Splunkd, which requires authentication in order to provide read and write access.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...