Splunk Search

How to get session key in a search script (| script ) similar to the way a scripted input can?

avilandau
Path Finder

I'm storing a few credentials in the Splunk keystore using setup.xml endpoint="storage/passwords". I have no problem extracting the credential in my scripted input since the session key is sent to its stdin. However, that is not the case for a search script (I think also referred to as a custom script). My script doesn't actually perform a Splunk search like other activities related to my Splunk App, but I need to extract the password using the session key. I tested it to see what I get in stdin to experiment, and I do in fact get a few lines as follows, but I don't see how to get the session_key from these:

splunkVersion:6.4.1
allowStream:1
keywords:%22%22
search:%7C%20script%20search_script%20%22PARAM-1%22%20PARAM-2
sid:admin__admin_VEVTVF9BVVRI__search1_1469631525.79
realtime:0
preview:0
truncated:0 
1 Solution

jkat54
SplunkTrust
SplunkTrust

First you create /apps/appName/default/commands.conf:

[myCommandName]
filename = myCommandName.py
passauth = true  

"passauth = true" is what sends the auth details through from SPL to your python command.

Then you create the Python script in /apps/appName/bin/myCommandName.py:

import requests
import splunk.Intersplunk
import splunk.mining.dcutils as dcu

logger = dcu.getLogger()

# results = previous data in the search pipe
# settings = splunk 'header' (contains sessionKey only when passauth = true)
results, dummy, settings = splunk.Intersplunk.getOrganizedResults()
sessionKey = settings.get("sessionKey")

# Below would log sessionKey to python.log, not the best idea, here for example
logger.info(sessionKey)

# Below logs the 1st result's _raw field to python.log, just an example of how to parse results from Intersplunk.getOrganizedResults
# (results is a plain list, so index it directly; guard against an empty pipeline)
if results:
    logger.info(results[0]["_raw"])

# Below sample function iterates over each row of results and adds your user's sessionKey as a field onto each row of the results
def addSessionKey(results, settings):
    for result in results:
        result["sessionKey"] = settings.get("sessionKey")
    return results

# Example REST post using sessionKey (verify=False because splunkd on localhost uses its self-signed cert)
headers = {'Authorization': 'Splunk ' + settings.get("sessionKey")}
data = {'name': 'restart_link',
        'value': 'Splunk must be restarted for changes to take effect.  [[/manager/search/control| Click here to restart from the Manager.]]',
        'severity': 'warn'}
r = requests.post("https://localhost:8089/services/messages/new", headers=headers, data=data, verify=False)
logger.info(r.status_code)

# Below is how you return your potentially modified search results & settings back to the splunk search pipeline
splunk.Intersplunk.outputResults(addSessionKey(results, settings))

Then you restart and execute the command: ... | myCommandName | table sessionKey

If it exits non-zero, look in the job log.
If it completes but doesn't give you proper results, check index=_internal source=*python*

There are other things in "settings" you may wish to explore. authString is used for manipulating splunk via the CLI, for example;
user can be found in "results", etc. It's good to send both settings and results to the log and see what you have there.

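The accepted answer above relies on Intersplunk to split the v1 stdin stream into settings and results. The following is an added example, not code from the answer or from Splunk, that does the same split by hand on a constructed stand-in for that stream (the header lines from the question plus a sessionKey line, then the results as CSV) and then builds the authenticated request the original question needs: reading one credential back from the storage/passwords endpoint. The management URL, app name "search", and the realm/username "myapp"/"api_user" are assumptions.

```python
import csv
import io
import json
from urllib.parse import quote, unquote

SPLUNKD = "https://localhost:8089"  # splunkd management port (assumed, as in the answer)

# Constructed stand-in for the script's stdin when passauth = true: the key:value
# header from the question plus a sessionKey line, a blank line, then results as CSV.
SAMPLE_STDIN = (
    "splunkVersion:6.4.1\n"
    "search:%7C%20script%20search_script%20%22PARAM-1%22%20PARAM-2\n"
    "sessionKey:EXAMPLE_SESSION_KEY\n"
    "\n"
    "_raw,host\n"
    '"user=bob action=login",web01\n'
)

def parse_v1_input(stream):
    """Split protocol-v1 stdin into (settings, results), as getOrganizedResults does."""
    settings = {}
    for line in stream:
        line = line.rstrip("\r\n")
        if not line:                 # blank line terminates the header
            break
        key, _, value = line.partition(":")
        settings[key] = unquote(value)   # header values are URL-encoded (see 'search')
    return settings, list(csv.DictReader(stream))

def session_key(settings):
    key = settings.get("sessionKey")
    if not key:
        raise RuntimeError("no sessionKey in header: set passauth = true in commands.conf")
    return key

def credential_request(key, realm, username, app="search"):
    """URL and headers for reading one stored credential; never log the key itself."""
    name = quote(f"{realm}:{username}:", safe="")   # entry name is realm:username:
    url = f"{SPLUNKD}/servicesNS/nobody/{app}/storage/passwords/{name}?output_mode=json"
    return url, {"Authorization": "Splunk " + key}

def clear_password(response_body):
    """Extract clear_password from the JSON splunkd returns for that URL."""
    return json.loads(response_body)["entry"][0]["content"]["clear_password"]

def demo():
    settings, results = parse_v1_input(io.StringIO(SAMPLE_STDIN))
    url, headers = credential_request(session_key(settings), "myapp", "api_user")
    return settings, results, url, headers
```

The session key and the returned clear_password are both secrets: keep them out of python.log and out of the result rows you hand back to the pipeline.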

supersleepwalke
Communicator

The accepted answer is now out-of-date. With the new version 2 of the protocol, use of Intersplunk is deprecated:

(as of Splunk 6.4.0): https://docs.splunk.com/Documentation/Splunk/6.4.0/Search/Aboutcustomsearchcommands

(as of today): https://docs.splunk.com/Documentation/Splunk/7.2.5/Search/Aboutcustomsearchcommands

Here is an example that works for me, using the session key to perform a search within a custom command without actually retrieving it myself and adding it as a header:

import sys
from splunklib.searchcommands import dispatch, StreamingCommand, Configuration

@Configuration()
class CustomCommand(StreamingCommand):
    def stream(self, records):
        mysearch = "search index=_internal"
        kwargs_create = {'earliest_time': '2019-04-01T12:00:00', 'latest_time': '2019-04-01T13:00:00'}
        # self.service is already authenticated with the session key Splunk passed in
        job = self.service.jobs.create(mysearch, **kwargs_create)
        for record in records:
            record['sid'] = job.sid
            yield record

dispatch(CustomCommand, sys.argv, sys.stdin, sys.stdout, __name__)

Of course, add in all the appropriate error handling.

self.service returns a splunklib.client.Service object (https://docs.splunk.com/DocumentationStatic/PythonSDK/1.6.5/searchcommands.html#splunklib.searchcomm...), which already has an authentication token attached. The guidance in @jkat54's post about needing passauth = true in commands.conf still applies.

andrewtrobec
Motivator

incredibly helpful, thank you!

0 Karma

supersleepwalke
Communicator

I downvoted this post because the answer is out of date. It appears that this guidance applies to version 1 of the custom search command protocol, which was deprecated just a couple of months before this answer was published.

0 Karma

jkat54
SplunkTrust
SplunkTrust

Deprecated and EOL are two different things. There’s nothing wrong with this method. It still works.

Downvotes should be reserved for answers that would cause harm or answers that are vulgar/rude, etc.

0 Karma

supersleepwalke
Communicator

yeah, I was unsure on downvoting. I guess I interpreted an out-of-date answer to be "harmful" because I was trying to use the latest recommended technology, and this answer led me down the wrong path and caused me to waste time. I considered that harmful. I can see how other people would disagree.

0 Karma

jkat54
SplunkTrust
SplunkTrust

I still use intersplunk in 7.2... so I don’t believe it causes harm, but in general we don’t go downvoting accepted answers from 2016 due to newness conflicts.

0 Karma

jkat54
SplunkTrust
SplunkTrust

@supersleepwalker

0 Karma

fabiofox
Explorer

Thank God! I've been struggling with this for two days. Thanks jkat54! I owe you one (or a thousand).

TonyLeeVT
Builder

Make sure if you copy and paste from the commands.conf file example above, you remove the comment:

 passauth = true  #<- the keys to the castle

It should just be:

 passauth = true

Splunk conf files don't always like comments at the end of a line.

0 Karma

jkat54
SplunkTrust
SplunkTrust

I've updated the answer to address this. Thank you for the feedback.

0 Karma

dellytaniasetia
Explorer

Hi,
I used the same approach but I received this error:

command="remedyincidentcreate", Failed to get conf=remedy, stanza=remedy_account, status=401, reason=Unauthorized, detail=   call not properly authenticated  

I have set passauth = true and inserted the following in my script:

import sys
import splunk.Intersplunk as si

def main():
    results, dummyresults, settings = si.getOrganizedResults()
    handler = RemedyIncidentCreateManual()   # handler class defined elsewhere in the script
    handler.handle()

if __name__ == "__main__":
    main()

Any help is appreciated.

0 Karma

jkat54
SplunkTrust
SplunkTrust

Then you're trying to pass the Splunk authentication token to remedy? That's not going to work at all. You'll have a different auth token / user & pass for remedy. The auth token here is for Splunk only.

0 Karma

jkat54
SplunkTrust
SplunkTrust

Instead of using | script... is writing a custom SPL command in python an option?

If so, it's a bit easier; you can use something akin to "sessionKey=self.getSessionKey()".

0 Karma

avilandau
Path Finder

Yes, a custom SPL command in Python is surely an option. Will I need the Python SDK for that? Can you refer me to some example or link for that?

0 Karma

jkat54
SplunkTrust
SplunkTrust

I write my own python SPL without use of the SDK. Hold on for a moment and I'll share an example.

0 Karma