Solved: Scripted Input - Python SDK - passAuth Not Working

David · ‎12-09-2014

I've got a great script that runs just fine with hardcoded credentials, but I'm having trouble making it work as a scripted input. The script uses the Python SDK to make several calls to Splunk.

I'm initializing the session key via:

import splunklib.results as results
import splunklib.client as client
import time
import sys

sessionKey = sys.stdin.readline().strip()

if len(sessionKey) == 0:
   sys.stderr.write("Did not receive a session key from splunkd. " +
                    "Please enable passAuth in inputs.conf for this " +
                    "script\n")
   exit(2)

sys.stdout.write("Got Session Key: " + sessionKey + "\n");
sys.stdout.flush()

Which does successfully print the sessionKey. I'm then initializing the Splunk service via:

# Create a Service instance and log in
service = client.connect(
    host="ec2-54-148-178-247.us-west-2.compute.amazonaws.com",
    port=8089,
    token=sessionKey)

Which does not die, but as soon as I try to use that object:

job = service.jobs.create(searchquery_normal, **kwargs_normalsearch)

I get a crash:

12-09-2014 22:56:57.162 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_search_usage/bin/CheckDataStats.sh" Traceback (most recent call last):
12-09-2014 22:56:57.162 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_search_usage/bin/CheckDataStats.sh"   File "/opt/splunk/etc/apps/splunk_search_usage/bin/CheckDataStats.py", line 46, in <module>
12-09-2014 22:56:57.162 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_search_usage/bin/CheckDataStats.sh"     job = service.jobs.create(searchquery_normal, **kwargs_normalsearch)
12-09-2014 22:56:57.162 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_search_usage/bin/CheckDataStats.sh" AttributeError: 'NoneType' object has no attribute 'jobs'

Has anyone done this successfully?

mschon314 · ‎12-22-2014

This may be a bit late, but I was having the same problem, then I re-read the api doc. To use token, you have to use client.Service:

service = client.Service(token=sessionKey, host=host, port=port)

View solution in original post

mschon314 · ‎12-22-2014

This may be a bit late, but I was having the same problem, then I re-read the api doc. To use token, you have to use client.Service:

service = client.Service(token=sessionKey, host=host, port=port)

David · ‎01-18-2015

Hmm. I'm not able to even parse the sessionKey out. I'm glad to hear you've got it working! What does your code look like?

Mine is:

import splunklib.results as results
import splunklib.client as client
import splunk.entity, splunk.Intersplunk
settings = dict()
records = splunk.Intersplunk.readResults(settings = settings, has_header = True)
sessionKey = settings['sessionKey']

And then I get an error saying that it can't find sessionKey.

My inputs configuration is:

[script://$SPLUNK_HOME/etc/apps/app/bin/script.py]
disabled = false
interval = 60
sourcetype = xyz
passAuth = true

I've also tried it with passAuth = admin to no avail, based on the inputs.conf doc.

David · ‎01-18-2015

Found the problem -- I assumed that Intersplunk would parse out the sessionKey for me, when in reality it was the only thing passed. For anyone else stumbling across, here's the right config:

import splunklib.results as results
import splunklib.client as client
import sys

sessionKey = ""

for line in sys.stdin:
  sessionKey = line

service = client.Service(token=sessionKey, host="127.0.0.1", port=8089, user="admin")
kwargs_normalsearch = {"exec_mode": "normal", "app": "splunk_search_usage"}

searchquery_normal = ' [... mysearch ...] '
job = service.jobs.create(searchquery_normal, **kwargs_normalsearch)
[.....]

You also do need to use passAuth = admin in inputs.conf

Thanks for your help!

Scripted Input - Python SDK - passAuth Not Working

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes