Splunk Dev

Scripted Input - Python SDK - passAuth Not Working

David
Splunk Employee
Splunk Employee

I've got a great script that runs just fine with hardcoded credentials, but I'm having trouble making it work as a scripted input. The script uses the Python SDK to make several calls to Splunk.

I'm initializing the session key via:

import splunklib.results as results
import splunklib.client as client
import time
import sys

sessionKey = sys.stdin.readline().strip()

if len(sessionKey) == 0:
   sys.stderr.write("Did not receive a session key from splunkd. " +
                    "Please enable passAuth in inputs.conf for this " +
                    "script\n")
   exit(2)

sys.stdout.write("Got Session Key: " + sessionKey + "\n");
sys.stdout.flush()

Which does successfully print the sessionKey. I'm then initializing the Splunk service via:

# Create a Service instance and log in
service = client.connect(
    host="ec2-54-148-178-247.us-west-2.compute.amazonaws.com",
    port=8089,
    token=sessionKey)

Which does not die, but as soon as I try to use that object:

job = service.jobs.create(searchquery_normal, **kwargs_normalsearch)

I get a crash:

12-09-2014 22:56:57.162 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_search_usage/bin/CheckDataStats.sh" Traceback (most recent call last):
12-09-2014 22:56:57.162 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_search_usage/bin/CheckDataStats.sh"   File "/opt/splunk/etc/apps/splunk_search_usage/bin/CheckDataStats.py", line 46, in <module>
12-09-2014 22:56:57.162 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_search_usage/bin/CheckDataStats.sh"     job = service.jobs.create(searchquery_normal, **kwargs_normalsearch)
12-09-2014 22:56:57.162 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_search_usage/bin/CheckDataStats.sh" AttributeError: 'NoneType' object has no attribute 'jobs'

Has anyone done this successfully?

1 Solution

mschon314
Explorer

This may be a bit late, but I was having the same problem, then I re-read the api doc. To use token, you have to use client.Service:

service = client.Service(token=sessionKey, host=host, port=port)

View solution in original post

mschon314
Explorer

This may be a bit late, but I was having the same problem, then I re-read the api doc. To use token, you have to use client.Service:

service = client.Service(token=sessionKey, host=host, port=port)

David
Splunk Employee
Splunk Employee

Hmm. I'm not able to even parse the sessionKey out. I'm glad to hear you've got it working! What does your code look like?

Mine is:

import splunklib.results as results
import splunklib.client as client
import splunk.entity, splunk.Intersplunk
settings = dict()
records = splunk.Intersplunk.readResults(settings = settings, has_header = True)
sessionKey = settings['sessionKey']

And then I get an error saying that it can't find sessionKey.

My inputs configuration is:

[script://$SPLUNK_HOME/etc/apps/app/bin/script.py]
disabled = false
interval = 60
sourcetype = xyz
passAuth = true

I've also tried it with passAuth = admin to no avail, based on the inputs.conf doc.

0 Karma

David
Splunk Employee
Splunk Employee

Found the problem -- I assumed that Intersplunk would parse out the sessionKey for me, when in reality it was the only thing passed. For anyone else stumbling across, here's the right config:

import splunklib.results as results
import splunklib.client as client
import sys

sessionKey = ""

for line in sys.stdin:
  sessionKey = line

service = client.Service(token=sessionKey, host="127.0.0.1", port=8089, user="admin")
kwargs_normalsearch = {"exec_mode": "normal", "app": "splunk_search_usage"}

searchquery_normal = ' [... mysearch ...] '
job = service.jobs.create(searchquery_normal, **kwargs_normalsearch)
[.....]

You also do need to use passAuth = admin in inputs.conf

Thanks for your help!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...