submit.py not working #34

@UnitedMarsupials

Trying to run the submit.py from the freshly-cloned examples, I keep getting the same error: Index 'foo' does not exist. This is repeated for all indexes I tried -- which I do know exist, because I use them routinely both to submit events using Java API, as well as for searches, dashboards, and alerts.

Using tcpdump I was able to intercept the HTTP-traffic... When I invoke the sample program as:

python3 submit.py --sourcetype=cmdline foo 'Hello, world!'

the client sends:

GET /services/data/indexes/foo HTTP/1.1
Accept-Encoding: identity
Content-Length: 0
Host: kachka
User-Agent: splunk-sdk-python/1.7.2
Accept: */*
Connection: Close
Authorization: Splunk my-submission-only-token

to which the server invariably replies:

HTTP/1.1 404 Not Found
Date: Thu, 15 Dec 2022 19:07:08 GMT
Content-Length: 196
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
</body></html>

Our Splunk servers run:

Splunk Enterprise
Version: 8.2.6.1
Build: 5f0da8f6e22c

I tried both UPPER and lower case for each index -- to no avail... Submission of new events from Java -- to the same index and with the same token -- works just fine. A request like:

POST /services/collector/event/1.0 HTTP/1.1
Authorization: Splunk my-submission-only-token
Content-Length: 288
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: okhttp/3.9.0

{ ... "index":"foo", ...}

gets the expected status 200:

HTTP/1.1 200 OK
Date: Thu, 15 Dec 2022 19:17:33 GMT
Server: Splunkd
Content-Type: application/json; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Length: 27
Vary: Authorization
X-Frame-Options: SAMEORIGIN
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive

{"text":"Success","code":0}

We also already have Python code that uses the requests module directly to submit events to Splunk (using POST). It works OK, but we thought it would be more prudent to switch to Splunk's own client implementation... Unfortunately, we cannot get even the pre-canned example (like submit.py) to work...

What am I doing wrong? Is my token no good for any GET-requests, perhaps? The .env file is:

host=....
port=...
scheme=http
version=8.2
token=Splunk my-submission-only-token
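
The working exchange from the report, rebuilt with the Python standard library as an added example (not part of the original issue and not splunk-sdk-python code): it builds the same collector POST and classifies replies, so the HTML 404 is reported as a URL the listener does not serve rather than as a missing index. The base URL, the function names and the third sample reply are assumptions.

```python
import json
import urllib.request

HEC_PATH = "/services/collector/event/1.0"  # path taken from the working capture

def build_hec_request(base_url, token, index, event, sourcetype=None):
    """Build (without sending) the POST that the working client makes."""
    # The .env in the report stores the token with "Splunk " already attached;
    # normalise it so the scheme appears exactly once in the header.
    if token.startswith("Splunk "):
        token = token[len("Splunk "):]
    body = {"event": event, "index": index}
    if sourcetype:
        body["sourcetype"] = sourcetype
    return urllib.request.Request(
        base_url.rstrip("/") + HEC_PATH,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"},
    )

def classify_reply(status, content_type, body):
    """Separate a collector verdict (JSON) from a generic 'no such URL' page."""
    if content_type.startswith("application/json"):
        reply = json.loads(body)
        if status == 200 and reply.get("code") == 0:
            return "accepted"
        return "rejected: " + str(reply.get("text"))
    if status == 404:
        # The HTML body says the URL was not found; it says nothing about the index.
        return "url-not-served"
    return "unexpected"

# Constructed samples: the first two mirror the captures above, the third is made up.
SAMPLE_REPLIES = [
    (200, "application/json; charset=UTF-8", b'{"text":"Success","code":0}'),
    (404, "text/html; charset=iso-8859-1",
     b"<h1>Not Found</h1><p>The requested URL was not found on this server.</p>"),
    (403, "application/json; charset=UTF-8", b'{"text":"Invalid token","code":4}'),
]

if __name__ == "__main__":
    req = build_hec_request("http://hec.example.invalid:8088",  # placeholder host and port
                            "Splunk my-submission-only-token", "foo",
                            "Hello, world!", sourcetype="cmdline")
    print(req.get_method(), req.full_url, req.get_header("Authorization"))
    for status, ctype, body in SAMPLE_REPLIES:
        print(status, "->", classify_reply(status, ctype, body))
```
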
