Hello, I am experimenting with the REST API and pulling events with a script. It seems like authentication and search are pulling the correct events from the /results endpoint, but I see an error in the _raw field of the events: Error in events: '_raw': 'Server: DC-C02SD43JG8WP, Error: Unable to run data ' 'collection. Error: Password prompt encountered. ' 'Aborting.', #!/usr/local/bin/python3
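"""Run a Splunk search over the REST API and leave the results response in ``r``.

Flow: log in to obtain a session key, create a search job, poll the job
until its dispatchState is terminal, then fetch the results as JSON.
Every HTTP response is checked with ``raise_for_status()`` so an
authentication or request failure surfaces as a clear HTTPError instead of
an IndexError while parsing the XML body.
"""
import json
import os
import pprint
import time
from xml.dom import minidom

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# Connection settings. Credentials may be supplied through the environment so
# they do not have to live in the script; the literals are the fallback defaults.
base_url = 'https://127.0.0.1:8089'
username = os.environ.get('SPLUNK_USERNAME', 'admin')
password = os.environ.get('SPLUNK_PASSWORD', 'changeme')
# Certificate verification is off because the local management port is
# usually served with a self-signed certificate. Against any host other than
# localhost set this to True (or to the path of the CA bundle).
VERIFY_TLS = False
search_query = "search=search index=main earliest=-4y"
POLL_INTERVAL = 1  # seconds between job status checks
# dispatchState values after which polling must stop (a FAILED job would
# otherwise be polled forever).
TERMINAL_STATES = ("DONE", "FAILED")

if not VERIFY_TLS:
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)


def _first_text(xml_text, tag):
    """Return the text content of the first ``<tag>`` element in *xml_text*.

    Raises:
        ValueError: the tag is absent or empty; the raw body is included so
            an unexpected (e.g. error) response is visible to the caller.
    """
    nodes = minidom.parseString(xml_text).getElementsByTagName(tag)
    if not nodes or nodes[0].firstChild is None:
        raise ValueError("no <%s> element in response: %r" % (tag, xml_text))
    return nodes[0].firstChild.nodeValue


def _dispatch_state(xml_text):
    """Return the job's dispatchState from a job-status response, or None.

    The status document lists properties as ``<s:key name="...">`` elements;
    only the one named ``dispatchState`` is of interest here.
    """
    document = minidom.parseString(xml_text)
    for node in document.getElementsByTagName("s:key"):
        if node.getAttribute("name") == "dispatchState" and node.firstChild is not None:
            return node.firstChild.nodeValue
    return None


def _auth_headers(session_key):
    """Build the Authorization header used on every call after login."""
    return {'Authorization': 'Splunk %s' % session_key}


# 1. Log in and obtain a session key. auth/login is a POST endpoint; the
#    credentials travel in the form body, never in the URL.
r = requests.post(base_url + "/servicesNS/admin/search/auth/login",
                  data={'username': username, 'password': password},
                  verify=VERIFY_TLS)
r.raise_for_status()
session_key = _first_text(r.text, 'sessionKey')
# The session key is a bearer credential: confirm it was obtained without
# echoing it to stdout (or into whatever captures the script's output).
print("Session Key: obtained (%d characters)" % len(session_key))
headers = _auth_headers(session_key)

# 2. Create the search job.
r = requests.post(base_url + '/services/search/jobs/', data=search_query,
                  headers=headers, verify=VERIFY_TLS)
r.raise_for_status()
sid = _first_text(r.text, 'sid')
print("Search ID", sid)

# 3. Poll until the job reaches a terminal dispatchState. A missing state
#    (None) simply means "not finished yet" and is polled again.
dispatch_state = None
while dispatch_state not in TERMINAL_STATES:
    r = requests.get(base_url + '/services/search/jobs/' + sid,
                     headers=headers, verify=VERIFY_TLS)
    r.raise_for_status()
    dispatch_state = _dispatch_state(r.text)
    print("Search Status: ", dispatch_state)
    if dispatch_state not in TERMINAL_STATES:
        time.sleep(POLL_INTERVAL)
if dispatch_state != "DONE":
    raise RuntimeError("search job %s ended in state %s" % (sid, dispatch_state))

# 4. Fetch the results. output_mode is a query parameter on this GET, so it is
#    passed via params= rather than as a request body. The response is left in
#    ``r`` for the script's tail to decode and print.
r = requests.get(base_url + '/services/search/jobs/' + sid + '/results/',
                 headers=headers,
                 params={'output_mode': 'json'},
                 verify=VERIFY_TLS)
r.raise_for_status()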
pprint.pprint(json.loads(r.text)) Events are returned; here is a sample entry. All the events I am searching for seem to be returned, but I am not sure what is causing the _raw event error. {'_bkt': 'main~18~95A72A43-AF2F-49CF-B85A-B0788E1AA28A',
'_cd': '18:455',
'_indextime': '1632029978',
'_raw': 'Server: DC-C02SD43JG8WP, Error: Unable to run data '
'collection. Error: Password prompt encountered. '
'Aborting.',
'_serial': '38',
'_si': ['DC-C02SD43JG8WP', 'main'],
'_sourcetype': 'ossec_agent_control',
'_time': '2021-09-18T23:39:38.000-06:00',
'host': 'DC-C02SD43JG8WP',
'index': 'main',
'linecount': '1',
'source': 'ossec_agent_control',
'sourcetype': 'ossec_agent_control',
'splunk_server': 'DC-C02SD43JG8WP'},