submit.py not working #34

Open
UnitedMarsupials opened this issue Dec 15, 2022 · 1 comment

Comments

UnitedMarsupials commented Dec 15, 2022

Trying to run the submit.py from the freshly-cloned examples, I keep getting the same error: Index 'foo' does not exist. This is repeated for all indexes I tried -- which I do know exist, because I use them routinely both to submit events using Java API, as well as for searches, dashboards, and alerts.

Using tcpdump I was able to intercept the HTTP-traffic... When I invoke the sample program as:

python3 submit.py --sourcetype=cmdline foo 'Hello, world!'

the client sends:

GET /services/data/indexes/foo HTTP/1.1
Accept-Encoding: identity
Content-Length: 0
Host: kachka
User-Agent: splunk-sdk-python/1.7.2
Accept: */*
Connection: Close
Authorization: Splunk my-submission-only-token

to which the server invariably replies:

HTTP/1.1 404 Not Found
Date: Thu, 15 Dec 2022 19:07:08 GMT
Content-Length: 196
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
</body></html>

Our Splunk servers run:

Splunk Enterprise
Version: 8.2.6.1
Build: 5f0da8f6e22c

I tried both UPPER and lower case for each index -- to no avail... Submission of new events from Java -- to the same index and with the same token -- works just fine. A request like:

POST /services/collector/event/1.0 HTTP/1.1
Authorization: Splunk my-submission-only-token
Content-Length: 288
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: okhttp/3.9.0

{ ... "index":"foo", ...}

gets the expected status 200:

HTTP/1.1 200 OK
Date: Thu, 15 Dec 2022 19:17:33 GMT
Server: Splunkd
Content-Type: application/json; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Length: 27
Vary: Authorization
X-Frame-Options: SAMEORIGIN
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive

{"text":"Success","code":0}

We also have Python code already that uses the requests module directly to submit events to Splunk (using POST). It works OK, but we thought it would be more prudent to switch to Splunk's own client implementation... Unfortunately, we cannot get even the pre-canned example (like submit.py) to work...

What am I doing wrong? Is my token no good for any GET-requests, perhaps? The .env file is:

host=....
port=...
scheme=http
version=8.2
token=Splunk my-submission-only-token

@ashah-splunk
Contributor

@UnitedMarsupials sorry for the delay in response. We are looking into the issue and will share an update soon.
Thanks for sharing the detailed information to reproduce the issue.
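
The two exchanges captured in this issue, replayed as an added example (not part of the thread and not Splunk SDK code): a constructed local stand-in server returns the HTML 404 for the index lookup and the JSON 200 for the event POST, and the client helper sends the same `Authorization: Splunk <token>` header to both paths and copes with the non-JSON error body. The stand-in, the helper names and the `sourcetype` and `event` payload fields are assumptions; the paths, header, statuses and success body are taken from the captures above.

```python
import json, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN = "my-submission-only-token"  # placeholder token text, as written in the issue
HTML_404 = (404, "text/html; charset=iso-8859-1", b"<h1>Not Found</h1>")
JSON_200 = (200, "application/json; charset=UTF-8", b'{"text":"Success","code":0}')
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # bypass env proxies

class StandIn(BaseHTTPRequestHandler):
    """Constructed local stand-in that answers the way the captures in the issue show."""
    def _reply(self, status, ctype, body):
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def do_GET(self):  # index lookup gets the HTML 404
        self._reply(*HTML_404)
    def do_POST(self):  # event submission gets the JSON 200 for the captured path and token
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        ok = (self.path == "/services/collector/event/1.0"
              and self.headers.get("Authorization") == "Splunk " + TOKEN)
        self._reply(*(JSON_200 if ok else HTML_404))

def call(method, url, token, payload=None):
    """Send one request with 'Authorization: Splunk <token>'; return (status, json_or_None)."""
    data = None if payload is None else json.dumps(payload).encode()
    req = urllib.request.Request(url, data, {"Authorization": "Splunk " + token}, method=method)
    try:
        resp = OPENER.open(req, timeout=5)
    except urllib.error.HTTPError as err:  # 4xx/5xx replies arrive as exceptions
        resp = err
    with resp:
        body, ctype = resp.read(), resp.headers.get("Content-Type", "")
    return resp.code, (json.loads(body) if ctype.startswith("application/json") else None)

def replay():
    """Run both exchanges from the issue against the stand-in; return (lookup, submit)."""
    event = {"index": "foo", "sourcetype": "cmdline", "event": "Hello, world!"}
    with HTTPServer(("127.0.0.1", 0), StandIn) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base = "http://127.0.0.1:%d" % server.server_port
        try:
            return (call("GET", base + "/services/data/indexes/foo", TOKEN),
                    call("POST", base + "/services/collector/event/1.0", TOKEN, event))
        finally:
            server.shutdown()

if __name__ == "__main__":
    print(replay())
```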
