Kintyre / ksconf

Kintyre's Splunk Configuration tool
Apache License 2.0

ksconf rest-publish doesn't seem to work with splunk cloud? #96

Closed bayeslearner closed 1 year ago

bayeslearner commented 1 year ago

The problem

I ran below: ksconf rest-publish A_hits_cloud_custom-main/local/props.conf --user XXX --pass "YYY" --app my_test_app --url https://ZZZ.splunkcloud.com:8089 --sharing global

It seems to succeed without errors, but I'm not seeing anything in splunk cloud, even after restarting it. What's wrong?

    --- A_hits_cloud_custom-main/local/props.conf 2023-02-09 23:29:10.201273
    +++ configs/conf-b'props'/test:test 1969-12-31 19:00:00
    -[test:test]
    +[test:test]
    +EXTRACT-extract_ip = (?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})
    +SHOULD_LINEMERGE = false
    +TIME_FORMAT = %b $d %H:%M:%S
    +TIME_PREFIX = ^
    +TZ = UTC

Environment

bayeslearner commented 1 year ago

I tried it again on a local search head. It created a file with the wrong name!!!

    ssss:/app/splunk/etc/apps/my_test_app/local> ls
    app.conf  b%27props%27.conf
    ssss:/app/splunk/etc/apps/my_test_app/local> more b%27props%27.conf
    [test:test]
    EXTRACT-extract_ip = (?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})
    SHOULD_LINEMERGE = false
    TIME_FORMAT = %b $d %H:%M:%S
    TIME_PREFIX = ^
    TZ = UTC

bayeslearner commented 1 year ago

Can you please explain why the following code is needed? I commented it out and it seems fine now.

    if isinstance(conf_type, str):
        conf_type = conf_type.encode("utf-8")
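
The following is an added illustration, not ksconf's or splunklib's own code, of why the two lines above produce a file called `b%27props%27.conf` under Python 3. It assumes two things that the issue's own output suggests but does not show as code: that the REST endpoint is assembled from the conf type with `%`-style string formatting (so a `bytes` value is rendered through its `repr`, `b'props'`), and that the server percent-encodes the conf name from the URL path when it writes `<name>.conf` to disk (which is how `'` becomes `%27`). The function names are hypothetical.

```python
from urllib.parse import quote


def legacy_normalize(conf_type):
    """The snippet questioned in the issue: force the conf type to bytes."""
    if isinstance(conf_type, str):
        conf_type = conf_type.encode("utf-8")
    return conf_type


def fixed_normalize(conf_type):
    """Replacement behaviour: always hand the REST layer a text string."""
    if isinstance(conf_type, bytes):
        conf_type = conf_type.decode("utf-8")
    return conf_type


def endpoint_path(conf_type):
    # Assumption: the endpoint is built with %-formatting, as a codebase from
    # the Python 2/3 era would. Under Python 2 a byte string formats as its
    # contents ("props"); under Python 3 it formats as its repr ("b'props'").
    return "configs/conf-%s" % conf_type


def on_disk_filename(endpoint):
    # Assumption: the server percent-encodes the conf name taken from the URL
    # path before writing <name>.conf, turning "'" into "%27".
    conf_name = endpoint.rsplit("conf-", 1)[1]
    return quote(conf_name, safe="") + ".conf"


def publish_filename(conf_type, normalize):
    """End-to-end: conf type -> REST endpoint -> file name the server writes."""
    return on_disk_filename(endpoint_path(normalize(conf_type)))


if __name__ == "__main__":
    print(endpoint_path(legacy_normalize("props")))     # configs/conf-b'props'
    print(publish_filename("props", legacy_normalize))  # b%27props%27.conf
    print(publish_filename("props", fixed_normalize))   # props.conf
```

The `endpoint_path` result for the legacy path matches the `+++ configs/conf-b'props'/test:test` header in the first comment, and the `publish_filename` result matches the `b%27props%27.conf` listing in the second, which is why removing the `.encode("utf-8")` step makes both the on-prem and the Cloud publish land in `props.conf`.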

lowell80 commented 1 year ago

I'm looking back over the code and don't have a conclusive answer. My best guess is that this was an implementation detail of the Splunk SDK (splunklib) library, which is used under the covers, that no longer applies. There was a lot of this kind of thing during the era of supporting Python 2.7 and Python 3 simultaneously. I'm guessing this depends on which version of splunk-sdk you have installed, but obviously we want to support the newest versions. Anyways, that's my best educated guess.

So without these lines the rest-publish command works both with an on-prem server and Splunk Cloud?

Thanks for tracking this down, and for the detailed report. Could you send this in as a pull request? (I'd love to give you official "credit" for the fix and increase the number of contributors to the repo. In the past I would have just applied this myself, but then it looks like I'm the only one who contributes, which isn't accurate.) If you have time, that would be great.

I'll likely be rolling a new release in the next few days.