ODBC Driver and Splunk 4.3.3 - anybody able to make it work?

capnjosh
Explorer

Does the Splunk ODBC driver work when pointed at a Splunk 4.3.3 server? I'm hoping there is a trick to make it work.

I've gone through the various troubleshooting steps outlined below to get the ODBC driver to connect to Splunk Enterprise 4.3.3 from Tableau 8.3:

Made sure the port was 8089 and that there were no firewalls preventing access (tested with telnet and actually browsing to it)

Made sure to use https in the connection string

Tested with both the 64-bit and 32-bit ODBC drivers.

Configured the ODBC system DSN to point at the correct URL and use valid username/password (admin-level even).

Confirmed the URL and creds used in the SSH can actually log in (browsing to the URL and logging in)

Looked at Splunkd logs and I see the following:
A new Splunk Connection always results in "Invalid username or password". However, on the Splunk machine in audit.log I can see "user=mytestuser, action=login attempt, info=succeeded][n/a]". And I can confirm functionality by intentionally submitting an incorrect password, noting the audit.log showed "user=mytestuser, action=login attempt, info=failed][n/a]".

0 Karma

capnjosh
Explorer

I've confirmed I can connect as expected to a trial Splunk 6.2.1 instance (and query it) from the same client that is exhibiting problems when connecting to a Splunk 4.3.3 instance (always throwing "invalid username/password" error).

I've made sure the permissions look the same in both instances.

I've seen the browsing path is the same on both instances when browsing on port 8089 with a web browser (the links are all the same and I can see saved searches on the 4.3.3 instance just like I can see them on the 6.2.1 instance).

0 Karma

capnjosh
Explorer

Some progress, and possibly some answers. But I'm not sure if I'm at a dead end yet.

I created a few VMs and installed Splunk 4.3.3, 4.3.4, 4.3.7, 5.0, and 6.2.1. Then I tried out connecting to each one with Tableau 8.3.

Here's the kicker:
When Tableau 8.3 connects to Splunk to list the "tables" (saved searches) it calls this URL:

https://sp437:8089/servicesNS/admin/-/saved/searches?f=eai%3Aacl&search=disabled%3DFalse&sort_dir=as...

In Splunk versions 5.x+ it's happy. In Splunk versions prior to 5.0 it throws an error with this:

In handler 'savedsearch': Argument "output_mode" is not supported by this handler.

The problem is specifically with the "output_mode=json" part. Splunk 5.0+ handles it while earlier versions do not.

I saw some mention in other places that seemed to indicate installing the "xml2json" may fix it. However, just blandly doing so didn't do it for me.

Soo.... the problem is now specifically that I need to get the ?output_mode=json bit to work on Splunk 4.x. Has anyone done that?

0 Karma
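The symptom in the posts above (audit.log records a successful login while the client reports "Invalid username or password", and the REST handler rejects `output_mode`) can be separated from a real credential failure with a small triage script. This is an added example, not code from the poster or from Splunk; the audit.log fragments and the handler error text are quoted from the thread, while the XML envelope around the error, the JSON reply and all function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples. The audit.log fragments and the handler error text are
# quoted from the thread; the XML envelope and the JSON reply are assumptions.
AUDIT_OK = 'user=mytestuser, action=login attempt, info=succeeded][n/a]'
AUDIT_BAD = 'user=mytestuser, action=login attempt, info=failed][n/a]'
REPLY_4X = ('<response><messages><msg type="ERROR">In handler \'savedsearch\': '
            'Argument "output_mode" is not supported by this handler.'
            '</msg></messages></response>')
REPLY_5X = '{"entry": [{"name": "constructed saved search"}]}'

LOGIN_RE = re.compile(
    r'user=(?P<user>[^,]+), action=login attempt, info=(?P<info>\w+)')

def last_login_result(audit_lines, user):
    """Return 'succeeded' or 'failed' for the user's latest attempt, else None."""
    result = None
    for line in audit_lines:
        m = LOGIN_RE.search(line)
        if m and m.group('user') == user:
            result = m.group('info')
    return result

def rest_error(body):
    """Return the first ERROR message in an XML reply, or None if there is none."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None  # not XML, e.g. the JSON the client asked for
    for msg in root.iter('msg'):
        if msg.get('type') == 'ERROR':
            return (msg.text or '').strip()
    return None

def diagnose(audit_lines, user, body):
    """Separate a real credential failure from a request the server rejects."""
    login = last_login_result(audit_lines, user)
    if login == 'failed':
        return 'credentials rejected'
    err = rest_error(body)
    if err and '"output_mode" is not supported' in err:
        return 'login ok; server rejects output_mode'
    if err:
        return 'login ok; other REST error'
    return 'login ok; request accepted' if login == 'succeeded' else 'no login seen'
```
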

s2_splunk
Splunk Employee

Ahem.... Splunk 4.x has been out of maintenance/support for almost two years now and the ODBC driver is a tad bit younger than that, so I would suspect your effort may be futile.
May I ask what is preventing you from upgrading your 4.x deployment to something a bit more current?
You'll probably save yourself a lot of headache.

0 Karma