Is it possible for a custom search script to launch another splunk search?

I've been looking over the docs and sources for the splunk.Intersplunk module and I'm getting conflicting info. For example, getOrganizedResults() claims that settings will always be an empty dict, but I do get settings back. It also explicitly notes that the auth token is not handled, but the settings value of "sessionKey" is available. (Even when passauth is set to false, interestingly enough.) Then again, I see in crawl.py an example where the sessionKey is being used to make calls back to splunkd using the python SDK, so it seems like this must be working at some level.

However, if I attempt to actually launch a search using the sessionKey, owner, and namespace that is passed in via the settings dictionary to a new search, then it tells me that I get the following error:

splunk.AuthenticationFailed: [HTTP 401] Client is not authenticated; None

I've done some logging in my search command to confirm that the search command is working and that I'm getting a different sessionKey each time, but the given sessionKey seems to be unusable to launch another search.

If I hard code a call to splunk.auth.getSessionKey (logging on with the same user) then I can make the search work, but that's not really a solution.

Is this a bug, a feature? Any ideas?


Things I've tried:

  1. Using a normal (event fetching) search which is fed into my custom search script. If I try to run a saved search, a normal data fetching search, or a non-data command (like "metadata types=hosts") I keep getting the same AuthenticationFailed error shown above.
  2. Using an event-generating admin command ("| metadata type=hosts") to feed into my custom search command does allow me to launch a search or saved search successfully.

asked 02 Jun '10, 21:45

Lowell ♦

edited 03 Jun '10, 15:23


One Answer:

This appears to be a bug when running a search as a separate process. It appears that we create a session key for that process but not the main splunkd process. Could you try your custom search command with a search like "| metadata hosts | mysearchcommand" and see if it works?

answered 03 Jun '10, 14:35

Stephen Sorkin ♦

Stephen, you are correct. I can successfully launch a search from my custom search script if the first search command is metadata.

(03 Jun '10, 15:25) Lowell ♦

I tried running my search command from a saved search that was set with dispatch.spawn_process = false, but I still get the auth errors. Any ideas on a workaround?

(03 Jun '10, 20:59) Lowell ♦

Unfortunately there's no good workaround until we fix this. It is scheduled to arrive in 4.1.4.

(04 Jun '10, 16:51) Stephen Sorkin ♦

Thanks Stephen. Guess I'll have to hard-code the login info in the script (or in a password file) for the time being... I'll be looking forward to 4.1.4. BTW, is there an SPL number for this issue?

(04 Jun '10, 17:26) Lowell ♦

This is tracked by SPL-31148.

(06 Jun '10, 02:31) Stephen Sorkin ♦

I can confirm that the 4.1.4 release fixed this issue for me. It is now possible to execute a saved search from a search command!

(02 Aug '10, 20:23) Lowell ♦
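
An added example, not code from this thread or from Splunk: once the session key handed to the search command is accepted (4.1.4 and later, per the comments above), a script can dispatch its follow-up search with that key over splunkd's REST API instead of storing login details. The function names, the `SPLUNKD` address, and the `nobody`/`search` defaults are assumptions made for illustration; the settings keys are the ones named in the question.

```python
import json
import urllib.parse
import urllib.request

SPLUNKD = "https://127.0.0.1:8089"  # assumption: default local management port


def build_dispatch_request(settings, query, base_url=SPLUNKD):
    """Build (do not send) a oneshot search request that authenticates with
    the session key splunkd passed to this search command."""
    key = settings.get("sessionKey")
    if not key:
        # Fail closed rather than fall back to a stored username/password.
        raise ValueError("no sessionKey in settings; refusing to dispatch")
    # Assumed defaults when splunkd supplies no owner/namespace.
    owner = urllib.parse.quote(settings.get("owner") or "nobody", safe="")
    app = urllib.parse.quote(settings.get("namespace") or "search", safe="")
    query = query.strip()
    if not query.startswith(("search ", "|")):
        query = "search " + query  # the jobs endpoint wants a full search string
    body = urllib.parse.urlencode(
        {"search": query, "exec_mode": "oneshot", "output_mode": "json"}
    ).encode()
    req = urllib.request.Request(
        f"{base_url}/servicesNS/{owner}/{app}/search/jobs", data=body, method="POST")
    req.add_header("Authorization", "Splunk " + key)
    return req


def redact(req):
    """Headers in a form safe to log: the session key is masked."""
    return {k: "Splunk ***" if k.lower() == "authorization" else v
            for k, v in req.header_items()}


def run_oneshot(req, tls_context):
    """Send the request. tls_context is an ssl.SSLContext that trusts
    splunkd's certificate; a 401 here is the failure described above."""
    with urllib.request.urlopen(req, context=tls_context, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed settings dict standing in for the one from Intersplunk.
    demo = {"sessionKey": "constructed-key", "owner": "admin", "namespace": "search"}
    request = build_dispatch_request(demo, "| metadata type=hosts")
    print(request.get_method(), request.full_url, redact(request))
```

In a real search command the `settings` argument would be the dictionary returned alongside the results by `getOrganizedResults()`; log `redact(req)` rather than the request itself so the key never reaches the search log.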

Copyright © 2005-2012 Splunk, Inc. All rights reserved.