Similar to http://answers.splunk.com/answers/232122/find-splunkd-port-from-custom-search-command.html
I have a scripted input that runs a number of API searches. This worked in my lab environment where I had hardcoded port 8089, but failed when I switched to a production instance that had splunkd listening on a different port (error message splunklib.binding.AuthenticationError: Request failed: Session is not logged in.). It was not immediately clear how to figure out the port dynamically.
I was able to leverage a similar solution to the one linked to above:
import splunklib.results as results
import splunklib.client as client
import sys
import time
from datetime import datetime

# splunkd writes the session key to stdin because passAuth is set in inputs.conf
sessionKey = ""
for line in sys.stdin:
    sessionKey = line.strip()  # drop the trailing newline

import splunk.entity, splunk.Intersplunk
settings = dict()
records = splunk.Intersplunk.readResults(settings = settings, has_header = True)

# Ask splunkd for its own server settings; mgmtHostPort is the management port
entity = splunk.entity.getEntity('/server','settings', namespace='[INSERT APP]', sessionKey=sessionKey, owner='-')
mydict = dict()
mydict = entity
myPort = mydict['mgmtHostPort']

# Connect to the discovered port instead of a hardcoded 8089
service = client.Service(token=sessionKey, host="127.0.0.1", port=myPort, user="admin")
kwargs_normalsearch = {"exec_mode": "normal", "app": "[INSERT APP]"}
searchquery_normal = '[MySearch]'
job = service.jobs.create(searchquery_normal, **kwargs_normalsearch)

# Poll until the search job reports that it is done
while True:
    job.refresh()
    stats = {"isDone": job["isDone"],
             "doneProgress": float(job["doneProgress"])*100}
    if stats["isDone"] == "1":
        break
    time.sleep(2)

for result in results.ResultsReader(job.results()):
    [...]
For completeness, my inputs.conf stanza is:
[script://$SPLUNK_HOME/etc/apps/[MyAppName]/bin/CheckDataStats-search.py]
disabled = 0
interval = 600
source = [MySource]
sourcetype = [MySourcetype]
passAuth = admin
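The script above depends on three things going right: a session key arriving on stdin, mgmtHostPort being a usable port, and the search job finishing. The following is an added example, not part of the original post, that checks each of them; the helper names and `FakeJob` are hypothetical, and it assumes the key arrives as a single line on stdin and that the port value may be either a bare port or `host:port`.

```python
import io
import time


def read_session_key(stream):
    """Return the session key splunkd writes to stdin when passAuth is set."""
    key = stream.readline().strip()
    if not key:
        raise ValueError("no session key on stdin; is passAuth set for this input?")
    return key


def parse_mgmt_port(value):
    """Accept '8089' or 'host:8089' (assumed forms) and return a validated int."""
    text = str(value).strip().rsplit(":", 1)[-1]
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError("unexpected mgmtHostPort value: %r" % (value,))
    return int(text)


def wait_for_job(job, timeout=300, poll=2, sleep=time.sleep, clock=time.monotonic):
    """Poll job until isDone == '1'; return False if the deadline passes first."""
    deadline = clock() + timeout
    while True:
        job.refresh()
        if job["isDone"] == "1":
            return True
        if clock() >= deadline:
            return False  # give up so the next scheduled run is not blocked
        sleep(poll)


class FakeJob(dict):
    """Constructed stand-in for a splunklib job: done after `after` refreshes."""

    def __init__(self, after):
        super().__init__(isDone="0")
        self.after = after

    def refresh(self):
        self.after -= 1
        if self.after <= 0:
            self["isDone"] = "1"


if __name__ == "__main__":
    print(read_session_key(io.StringIO("constructed-session-key\n")))
    print(parse_mgmt_port("8089"), parse_mgmt_port("127.0.0.1:8089"))
    print(wait_for_job(FakeJob(after=3), poll=0))
```

In the scripted input these would replace the bare stdin loop, the direct use of `mydict['mgmtHostPort']`, and the `while True` loop, with `timeout` kept below the `interval` set in inputs.conf.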