我想使用Python3和请求库向Splunk发送一个搜索查询,并希望接收搜索作业的SID。首先,我可以用获得session_key
#!/usr/bin/env python3
import requests
from bs4 import BeautifulSoup
username = 'my_username'
password = 'my_password'
base_url = 'https://splunk-search:8089'
r = requests.get(base_url+"/servicesNS/admin/search/auth/login", data={'username':username,'password':password}, verify="/etc/pki/tls/cert.pem")
session_key = BeautifulSoup(r.text, 'lxml').find("sessionkey").text
#verify we get the session key as string
print(f"session key is {session_key} and its type is {type(session_key)}")
这让我确信我已经通过了认证。一旦我有了session_key,我想用发布一份搜索工作
search_query = "search = search earliest=-5m index=_internal"
r = requests.post(base_url+'/services/search/jobs', data=search_query, headers = {'Authorization': 'Splunk %s' % session_key}, verify="/etc/pki/tls/cert.pem")
#view the response, I would hope to see a SID here
print(r.text)
尽管我可以访问我查询的Splunk索引,但我得到了以下响应:
<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="WARN">call not properly authenticated</msg>
</messages>
</response>
我在这里错过了什么?直觉告诉我是request.post方法出错了,但我看不到错误在哪里
经过更多的谷歌搜索,我发现了这个Splunk文档:
https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/UseAuthTokens
call not properly authenticated响应意味着缺少身份验证。经过更多的挖掘,我验证了集群中没有启用令牌身份验证,点击https://splunk-search:8089/services/authorization/tokens会得到以下响应:
<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="ERROR">Splunk token authorization is disabled.</msg>
</messages>
</response>