You need to authenticate first to get a token, then you'll be able to hit the rest of the REST endpoints. The auth endpoint is at /servicesNS/admin/search/auth/login, which will give you the session_key, which you then provide to subsequent requests.
Here is some code that uses requests to authenticate to a Splunk instance, then start a search. It then checks to see if the search is complete; if not, it waits a second and then checks again. It keeps checking and sleeping until the search is done, then prints out the results.
```python
import time  # needed for sleep
from xml.dom import minidom
import json, pprint

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# Silence the warning that every verify=False request would otherwise print
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

base_url = 'https://localhost:8089'
username = 'admin'
password = 'changeme'
search_query = 'search index=*'

# Log in (the login endpoint takes the credentials as a POST form);
# the XML response carries the session key
r = requests.post(base_url + "/servicesNS/admin/search/auth/login",
                  data={'username': username, 'password': password}, verify=False)
session_key = minidom.parseString(r.text).getElementsByTagName('sessionKey')[0].firstChild.nodeValue
print("Session Key:", session_key)

# Start the search job; the XML response carries the search ID (sid)
r = requests.post(base_url + '/services/search/jobs/', data={'search': search_query},
                  headers={'Authorization': ('Splunk %s' % session_key)},
                  verify=False)
sid = minidom.parseString(r.text).getElementsByTagName('sid')[0].firstChild.nodeValue
print("Search ID", sid)

# Poll the job once a second until its dispatchState is DONE
done = False
while not done:
    r = requests.get(base_url + '/services/search/jobs/' + sid,
                     headers={'Authorization': ('Splunk %s' % session_key)},
                     verify=False)
    response = minidom.parseString(r.text)
    dispatchState = None  # stays None if the response has no dispatchState key
    for node in response.getElementsByTagName("s:key"):
        if node.hasAttribute("name") and node.getAttribute("name") == "dispatchState":
            dispatchState = node.firstChild.nodeValue
    print("Search Status: ", dispatchState)
    if dispatchState == "DONE":
        done = True
    else:
        time.sleep(1)

# Fetch the results as JSON (output_mode goes in the query string of the GET)
r = requests.get(base_url + '/services/search/jobs/' + sid + '/results/',
                 headers={'Authorization': ('Splunk %s' % session_key)},
                 params={'output_mode': 'json'},
                 verify=False)
pprint.pprint(json.loads(r.text))
```
Many of the request calls that are used include the flag verify = False to avoid issues with the default self-signed SSL certs, but you can drop that if you have legit certificates.
Published a while ago at https://gist.github.com/sduff/aca550a8df636fdc07326225de380a91
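
The same login and polling flow with certificate verification left on, as an added example that is not part of the original answer or gist. It swaps requests for the standard library's urllib so it runs without dependencies; the function names, the `ca_file` path and the `max_wait` limit are assumptions, and it also stops polling on the `FAILED` dispatch state instead of looping forever.

```python
import ssl
import time
import urllib.parse
import urllib.request
from xml.dom import minidom

TERMINAL_STATES = {"DONE", "FAILED"}  # dispatchState values that end polling

def make_tls_context(ca_file=None):
    # Verifying context: certificate chain and hostname are both checked.
    # ca_file (assumed path) is the PEM of the CA that signed splunkd's cert.
    return ssl.create_default_context(cafile=ca_file)

def call(ctx, url, fields=None, session_key=None, timeout=30):
    # A request with form fields is sent as POST, one without as GET.
    body = urllib.parse.urlencode(fields).encode() if fields else None
    req = urllib.request.Request(url, data=body)
    if session_key:
        req.add_header("Authorization", "Splunk %s" % session_key)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read().decode()

def parse_session_key(xml_text):
    nodes = minidom.parseString(xml_text).getElementsByTagName("sessionKey")
    if not nodes or nodes[0].firstChild is None:
        raise ValueError("login response carried no sessionKey")
    return nodes[0].firstChild.nodeValue

def parse_dispatch_state(xml_text):
    for node in minidom.parseString(xml_text).getElementsByTagName("s:key"):
        if node.getAttribute("name") == "dispatchState" and node.firstChild:
            return node.firstChild.nodeValue
    raise ValueError("job status carried no dispatchState")

def wait_for_job(fetch_status, max_wait=300, interval=1, sleep=time.sleep):
    # fetch_status is any callable returning the job's status XML.
    waited = 0
    while waited <= max_wait:
        state = parse_dispatch_state(fetch_status())
        if state in TERMINAL_STATES:
            return state
        sleep(interval)
        waited += interval
    raise TimeoutError("search still running after %s seconds" % max_wait)

def login(ctx, base_url, username, password):
    xml_text = call(ctx, base_url + "/servicesNS/admin/search/auth/login",
                    {"username": username, "password": password})
    return parse_session_key(xml_text)
```

To poll a job, pass `wait_for_job` a callable such as `lambda: call(ctx, base_url + '/services/search/jobs/' + sid, session_key=key)`. With requests, the equivalent of `make_tls_context(ca_file)` is passing the CA bundle path as `verify=` instead of `False`.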