splunk / splunk-app-examples

App examples for Splunk Enterprise
Apache License 2.0

submit.py not working #34

Open UnitedMarsupials opened 1 year ago

UnitedMarsupials commented 1 year ago

Trying to run the submit.py from the freshly-cloned examples, I keep getting the same error: Index 'foo' does not exist. This is repeated for all indexes I tried -- which I do know exist, because I use them routinely both to submit events using Java API, as well as for searches, dashboards, and alerts.

Using tcpdump I was able to intercept the HTTP traffic... When I invoke the sample program as:

python3 submit.py --sourcetype=cmdline foo 'Hello, world!'

the client sends:

GET /services/data/indexes/foo HTTP/1.1
Accept-Encoding: identity
Content-Length: 0
Host: kachka
User-Agent: splunk-sdk-python/1.7.2
Accept: */*
Connection: Close
Authorization: Splunk my-submission-only-token

to which the server invariably replies:

HTTP/1.1 404 Not Found
Date: Thu, 15 Dec 2022 19:07:08 GMT
Content-Length: 196
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
</body></html>

Our Splunk servers run:

Splunk Enterprise
Version:
    8.2.6.1
Build:
    5f0da8f6e22c

I tried both UPPER and lower case for each index -- to no avail... Submission of new events from Java -- to the same index and with the same token -- works just fine. A request like:

POST /services/collector/event/1.0 HTTP/1.1
Authorization: Splunk my-submission-only-token
Content-Length: 288
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: okhttp/3.9.0

{ ... "index":"foo", ...}

gets the expected status 200:

HTTP/1.1 200 OK
Date: Thu, 15 Dec 2022 19:17:33 GMT
Server: Splunkd
Content-Type: application/json; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Length: 27
Vary: Authorization
X-Frame-Options: SAMEORIGIN
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive

{"text":"Success","code":0}

We also have Python code already that uses the requests module directly to submit events to Splunk (using POST). It works OK, but we thought it would be more prudent to switch to Splunk's own client implementation... Unfortunately, we cannot get even the pre-canned example (like submit.py) to work...

What am I doing wrong? Is my token no good for any GET requests, perhaps? The .env file is:

host=....
port=...
scheme=http
version=8.2
token=Splunk my-submission-only-token
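
An added diagnostic script, written for this issue and not part of splunk-app-examples or the reporter's own code: it builds the two request shapes captured above (the management GET that submit.py sent and the collector POST that the Java client sent) and labels each reply by the two things those captures differ in, the Server: Splunkd header and the status code, so both paths can be compared with the same token against the same host. HOST, PORT and AUTH are placeholders to be filled from the .env file.

```python
import http.client
import json

HOST = "splunk.example.invalid"            # placeholder: host= from .env
PORT = 8088                                # placeholder: port= from .env
AUTH = "Splunk my-submission-only-token"   # placeholder: token= from .env (header value as captured)

def index_lookup_request(index, auth):
    """Request shape submit.py sent: GET on the management REST endpoint for the index."""
    return "GET", f"/services/data/indexes/{index}", {"Authorization": auth}, None

def hec_event_request(index, sourcetype, event, auth):
    """Request shape of the working Java submission: POST to the collector endpoint."""
    body = json.dumps({"index": index, "sourcetype": sourcetype, "event": event})
    headers = {"Authorization": auth, "Content-Type": "application/json"}
    return "POST", "/services/collector/event/1.0", headers, body

def triage(status, headers):
    """Label a reply by what the two captures above differ in: the successful HEC
    reply carried 'Server: Splunkd', the 404 reply carried no Server header at all."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("server", "").lower() != "splunkd":
        return "no-splunkd-server-header"   # reply did not identify itself as splunkd
    if status == 200:
        return "ok"
    if status in (401, 403):
        return "token-rejected"             # splunkd answered, but refused this token
    if status == 404:
        return "splunkd-not-found"          # splunkd answered, endpoint or index unknown
    return f"splunkd-{status}"

def send(host, port, method, path, headers, body=None):
    """Perform one request over plain HTTP (the .env above uses scheme=http)."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request(method, path, body=body, headers=headers)
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, dict(resp.getheaders()), data

if __name__ == "__main__":
    for req in (index_lookup_request("foo", AUTH),
                hec_event_request("foo", "cmdline", "Hello, world!", AUTH)):
        status, hdrs, data = send(HOST, PORT, *req)
        print(req[0], req[1], status, triage(status, hdrs), data[:80])
```

Run with both placeholders filled: if the GET is labelled no-splunkd-server-header while the POST is labelled ok, the two requests are not being answered by the same listener.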

ashah-splunk commented 1 year ago

@UnitedMarsupials sorry for the delay in response. We are looking into the issue and will share an update soon. Thanks for sharing the detailed information to reproduce the issue.